exploit the possibilities

Barco wePresent Global Hardcoded Root SSH Password

Barco wePresent Global Hardcoded Root SSH Password
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.

tags | exploit, root
advisories | CVE-2020-28334
MD5 | f546a4da12e5bb23b7138a0af23f3ff1

Barco wePresent Global Hardcoded Root SSH Password

Change Mirror Download
KL-001-2020-008 : Barco wePresent Global Hardcoded Root SSH Password

Title: Barco wePresent Global Hardcoded Root SSH Password
Advisory ID: KL-001-2020-008
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-008.txt


1. Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
CVE ID: CVE-2020-28334


2. Vulnerability Description

The Barco wePresent device has a hardcoded root password hash
included in the firmware image. To our knowledge the password
hash has not been cracked and published; it is possible this
could occur at any time. This combined with KL-001-2020-004
(CVE-2020-28329), KL-001-2020-005 (CVE-2020-28330), and
KL-001-2020-007 (CVE-2020-28331) could be used in a simple
and automated exploit chain to go from unauthenticated remote
attacker to root shell.


3. Technical Description

In looking at the unpacked firmware, a root hash was quickly
identified in the /etc/shadow file on the device. It is the
only account in the /etc/shadow. The device does not prompt
the administrator to set a new root password, therefore this
password is hardcoded and exists across all devices.


4. Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104


5. Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.


6. Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

After unpacking the firmware:
$ ls -al etc/shadow
-rwxr-xr-x 1 user user 59 May 25 00:11 etc/shadow

$ cat etc/shadow
root:$1$reqE8o6b$[REDACTED]:12940:0:99999:7:::


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    22 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close