KL-001-2020-008 : Barco wePresent Global Hardcoded Root SSH Password

Title: Barco wePresent Global Hardcoded Root SSH Password
Advisory ID: KL-001-2020-008
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-008.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
     Platform: Embedded Linux
     CWE Classification: CWE-798: Use of Hard-coded Credentials
     CVE ID: CVE-2020-28334


2. Vulnerability Description

     The Barco wePresent device has a hardcoded root password hash
     included in the firmware image. To our knowledge the password
     hash has not been cracked and published; it is possible this
     could occur at any time. This combined with KL-001-2020-004
     (CVE-2020-28329), KL-001-2020-005 (CVE-2020-28330), and
     KL-001-2020-007 (CVE-2020-28331) could be used in a simple
     and automated exploit chain to go from unauthenticated remote
     attacker to root shell.


3. Technical Description

     In looking at the unpacked firmware, a root hash was quickly
     identified in the /etc/shadow file on the device. It is the
     only account in the /etc/shadow. The device does not prompt
     the administrator to set a new root password, therefore this
     password is hardcoded and exists across all devices.


4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue,
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

     After unpacking the firmware:
     $ ls -al etc/shadow
     -rwxr-xr-x 1 user user 59 May 25 00:11 etc/shadow
     
     $ cat etc/shadow
     root:$1$reqE8o6b$[REDACTED]:12940:0:99999:7:::


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt