Authentication Vulnerabilities Identified in Projector Firmware

The manufacturer of a popular projector found primarily in classrooms is neglecting to address several authentication bugs that exist in the device that could open it up to hacks.

It’s technically the firmware for the projector, InFocus IN3128HD, version 0.26, that’s vulnerable. The web interface requires an admin password to view or modify the device’s configuration parameters but thanks to an authentication bypass in the firmware, if an attacker simply knows the name of the page (main.html) that users are directed to after they correctly login (index.html) they can get there.

“The restricted pages contain no control whatsoever of logged or unauthenticated users,” according to Joaquin Rodriguez Varela, a researcher with Core Security’s CoreLabs, who discovered the vulnerability. “The login only checks the entered password and does not generate a session cookie if the user logs in correctly.”

By exploiting the vulnerability (CVE-2014-8383) and entering a URL, an attacker can easily bypass that login page.

From here an attacker could gain and modify any information about the network (network mask, DNS server, gateway, etc.) or WiFi configuration, including its password.

The projector is also missing authentication for its “webctrl.cgi.elf” CGI file, which is used by the web server to apply configuration modifications and changes.

Verela points out that if an attacker wanted to, he could use the file to modify parameters inside the device like its DHCP Server configuration, its IP configuration, as well as remotely reboot the device, and change its hostname.

InFocus, an Oregon-based company that makes video and communication products, was not the most receptive when it came to addressing Varela’s discovery. It took Core and Varela multiple inquiries – emails, tweets, even LinkedIn messages – to get hold of someone at the company. After a few days of back-and-forth, an official from InFocus claimed they “no longer had any desire to see the advisory” and that Core could post their advisory if they wanted.

Since it appears InFocus is not going to fix the issue, Core is encouraging affected users to avoid connecting any vulnerable devices to a remotely accessible network, as that could open the projector up to attacks.

Officials at InFocus said they investigated the report and didn’t find a risk for customers.

“After investigating the issue, we concluded that issue does not put customers’ content at risk. A would-be attacker would have access only to the projector’s on-board settings and power on/off functionality. InFocus strives to protect the security and privacy of our customers and will ensure extra security changes are made to future products,” said Dave Duncan, product manager at InFocus.

_This article was updated on April 29 to add the comment from InFocus. _