Barco wePresent web 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 2241980 漏洞类型 其他
发布时间 2020-11-21 更新时间 2020-11-23
CVE编号 CVE-2020-28333 CNNVD-ID CNNVD-202011-1776
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2020110157
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202011-1776
|漏洞详情
巴可 Barco wePresent WiPG-1600W是比利时巴可公司的一款应用于会议环境的管理设备。 Barco wePresent web 存在安全漏洞,该漏洞源于不使用会话cookie来跟踪经过身份验证的会话。相反web接口使用一个“SEID”令牌,它附加在GET请求中的url末尾。这样,“SEID”就会暴露在web代理日志和浏览器历史中。能够捕获“SEID”并从相同的IP地址(通过NAT设备或web代理)发起请求的攻击者将能够访问该设备的用户界面,而不需要知道证书。
|漏洞EXP
KL-001-2020-006 : Barco wePresent Authentication Bypass

Title: Barco wePresent Authentication Bypass
Advisory ID: KL-001-2020-006
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-006.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8
     Platform: Embedded Linux
     CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel
     CVE ID: CVE-2020-28333


2. Vulnerability Description

     The Barco wePresent web interface does not use session cookies
     for tracking authenticated sessions. Instead, the web interface
     uses a "SEID" token that is appended to the end of URLs in GET
     requests. Thus the "SEID" would be exposed in web proxy logs
     and browser history. An attacker that is able to capture the
     "SEID" and originate requests from the same IP address (via
     a NAT device or web proxy) would be able to access the user
     interface of the device without having to know the credentials.


3. Technical Description

     In order to make configuration changes to the Barco wePresent
     WiPG-1600W, a "random" value sent to the web interface client
     from the device is required to be provided -- the "SEID". It
     seems to be acting like a Session ID in a cookie. However,
     the "SEID" is passed as a parameter in URLs and in the body
     of POSTs. Since it is passed as a parameter in the URL, it
     can be logged by web proxies or browser history. An example is:

     https://192.168.2.200/cgi-bin/web_index.cgi?lang=en&src=AwSystem.html&ertqVvnKV4TjU9Vt

     Where "ertqVvnKV4TjU9Vt" is the SEID. No session cookie exists,
     just this value passed on the URL as a parameter, and in the
     body of POSTs to make configuration changes. This SEID is all
     that is required to access pages behind authentication or to
     make configuration changes via POSTs. There is no Authorization
     header passed in the HTTP requests.


4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue,
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

     See section (3) Technical Description.



The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
|参考资料

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/160161/Barco-wePresent-Authentication-Bypass.html