0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Barco wePresent WiPG-1600W Authentication Bypass Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
Title: Barco wePresent Authentication Bypass Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-006.txt 1. Vulnerability Details Affected Vendor: Barco Affected Product: wePresent WiPG-1600W Affected Version: 2.5.1.8 Platform: Embedded Linux CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel CVE ID: CVE-2020-28333 2. Vulnerability Description The Barco wePresent web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials. 3. Technical Description In order to make configuration changes to the Barco wePresent WiPG-1600W, a "random" value sent to the web interface client from the device is required to be provided -- the "SEID". It seems to be acting like a Session ID in a cookie. However, the "SEID" is passed as a parameter in URLs and in the body of POSTs. Since it is passed as a parameter in the URL, it can be logged by web proxies or browser history. An example is: https://192.168.2.200/cgi-bin/web_index.cgi?lang=en&src=AwSystem.html&ertqVvnKV4TjU9Vt Where "ertqVvnKV4TjU9Vt" is the SEID. No session cookie exists, just this value passed on the URL as a parameter, and in the body of POSTs to make configuration changes. This SEID is all that is required to access pages behind authentication or to make configuration changes via POSTs. There is no Authorization header passed in the HTTP requests. 4. Mitigation and Remediation Recommendation The vendor has released an updated firmware (2.5.3.12) which remediates the described vulnerability. Firmware and release notes are available at: https://www.barco.com/en/support/software/R33050104 5. Credit This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc. 6. Disclosure Timeline 2020.08.24 - KoreLogic submits vulnerability details to Barco. 2020.08.25 - Barco acknowledges receipt and the intention to investigate. 2020.09.21 - Barco notifies KoreLogic that this issue, along with several others reported by KoreLogic, will require more than the standard 45 business day remediation timeline. Barco requests to delay coordinated disclosure until 2020.12.11. 2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure. 2020.09.25 - Barco informs KoreLogic of their intent to acquire CVE number for this vulnerability. 2020.11.09 - Barco shares CVE number with KoreLogic and announces their intention to release the updated firmware ahead of schedule, on 2020.11.11. Request that KoreLogic delay public disclosure until 2020.11.20. 2020.11.11 - Barco firmware release. 2020.11.20 - KoreLogic public disclosure. 7. Proof of Concept See section (3) Technical Description. # 0day.today [2024-10-05] #