lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <aceceee6-31d2-8bd9-13ff-f8e9c84a5ffa@syss.de>
Date: Thu, 4 Jul 2019 09:25:36 +0200
From: Matthias Deeg <matthias.deeg@...s.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2019-021]: WolfVision Cynap - Use of Hard-coded
 Cryptographic Key (CWE-321)

Advisory ID: SYSS-2019-021

Product: Cynap

Manufacturer: WolfVision

Affected Version(s): 1.18g, 1.28j

Tested Version(s): 1.18g, 1.28j

Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)

Risk Level: High

Solution Status: Fixed

Manufacturer Notification: 2019-05-03

Solution Date: 2019-06-19

Public Disclosure: 2019-07-04

CVE Reference: Not assigned yet

Authors of Advisory: Manuel Stotz, Gerhard Klostermeier (SySS GmbH)



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Overview:



WolfVision Cynap is a wireless collaboration and presentation system.



The manufacturer describes the product as follows [1]:



"Cynap is a stand-alone all-in-one wireless collaboration and

presentation system which includes a built-in media player, web

conferencing, on-board recording and streaming , BYOD screen sharing

for all mobile devices, and annotation functionality, making it the

ideal device to form the centrepiece of new and adapted classrooms and

meeting spaces."



Due to the use of a hard-coded cryptographic key, an attacker can

generate support PINs for resetting the administrative user password in

order to gain administrative access to the device.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Vulnerability Details:



SySS GmbH found out that the WolfVision Cynap wireless collaboration

and presentation system uses a static, hard-coded cryptographic secret

for generating support PINs used for the provided 'forgot password'

functionality.



By knowing this static secret and the corresponding algorithm for

calculating support PINs, an attacker can reset the password of the

administrative user account "ADMIN" and thus gain unauthorized access to

the affected Cynap device via a network connection.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Proof of Concept (PoC):



SySS GmbH developed a software tool for generating support PINs either

in online or offline mode.



The following output of the software tools illustrates a successful

attack resulting in a reset password for the administrative user

account "ADMIN".



$ python ./wolfvision_cynap_keygen.py --online 192.168.40.109

WolfVision vSolution Cynap Keygen

               by

          Manuel Stotz

      Gerhard Klostermeier



[*] Launch keygen in online mode ... [OK]

[*] Gathering data ... [OK]

    [*] Serialnumber: <SERIAL NUMBER>

    [*] Support PIN: 447301

[*] Generating new Support PIN ... [OK]

    [+] New Support PIN: 723247

        [*] Account: ADMIN

        [*] Password: Password

[*] Bye!



A successful attack against a vulnerable WolfVision Cynap device gaining

administrative access is demonstrated in our SySS PoC video

"Administrating WolfVision Cynap the Hacker's Way" [5].



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Solution:



Install the firmware version 1.30j provided by the manufacturer

WolfVision [2].



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Disclosure Timeline:



2019-05-03: Vulnerability reported to manufacturer

2019-05-10: Vulnerability reported to manufacturer again

2019-05-13: Manufacturer confirms receipt of security advisory

2019-05-31: Manufacturer schedules firmware update 1.30j with fix for

            the reported security issue

2019-06-19: Release of firmware update 1.30j including security fix

2019-07-04: Public release of SySS security advisory



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



References:



[1] Product website for WolfVision Cynap


https://www.wolfvision.com/vsolution/index.php/en/presentation-systems/cynap/cynap

[2] WolfVision firmware downloads

    https://wolfvision.com/vsolution/index.php/de/support/downloads

[3] SySS Security Advisory SYSS-2019-021


https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-021.txt

[4] SySS Responsible Disclosure Policy

    https://www.syss.de/en/responsible-disclosure-policy/

[5] SySS Proof-of-Concept Video "Administrating WolfVision Cynap the
Hacker's Way"

    https://youtu.be/veEtiYAWvMY



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Credits:



This security vulnerability was found by Manuel Stotz and Gerhard

Klostermeier of SySS GmbH.



E-Mail: manuel.stotz (at) syss.de

Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc

Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D



E-Mail: gerhard.klostermeier (at) syss.de

Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc

Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Disclaimer:



The information provided in this security advisory is provided "as is"

and without warranty of any kind. Details of this security advisory may

be updated in order to provide as accurate information as possible. The

latest version of this security advisory is available on the SySS Web

site.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Copyright:



Creative Commons - Attribution (by) - Version 3.0

URL: http://creativecommons.org/licenses/by/3.0/deed.en





Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ