[+] CVE ID: Pending - CVE-2017-14971
[+] Credits: Brett DeWall aka @xbadbiddyx & Joshua Platz aka Binary1985 @joshuaplatz
[+] Websites: https://github.com/badbiddy & https://github.com/binary1985
[+] Source: https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/InFocus%20Mondopad%20%3C%202.2.08%20-%20CVE-2017-14971

Vendor:
==========================
InFocus 
https://www.infocus.com/


Product:
===========
InFocus Mondopad
Version: 2.2.08

Mondopad is an elegant all-in-one touchscreen collaboration system for efficient face-to-face collaboration 
with people anywhere. Video conference, whiteboard, share data, etc.


Vulnerability Type:
==========================
Sensitive Hashed Credential Disclosure


Vulnerability Details:
=====================
InFocus Mondopad is vulnerable to a Hashed Credential Disclosure vulnerability. An authenticated user can upload a
malicious file, or an unauthenticated user can break out of Kiosk Mode and manually upload a malicious file, which,
when opened and clicked, will create an SMB request to a rogue server. This rogue server will capture the NetNTLMv2
hash and could relay this hash to another system that is configured with the same credentials and does not require
SMB Signing.


Replication:
=====================
1) A malicious file (Excel spreadsheet) containing a UNC path (hyperlink) can be uploaded to the Mondopad server.

2) A user then opens the spreadsheet and clicks the embedded UNC link.

3) The rogue server is able to capture the hashed SMB credential over the network. This type of attack can also be
used to relay these credentials if they are configured the same on other hosts.


Remediation Details:
=====================
Lock down the specific functionality of various add-ons (Microsoft Office products) within the application to prevent
malicious use.
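
Added example (not part of the original advisory and not vendor code): a Python check that inspects an uploaded
.xlsx for external hyperlink relationships whose target is a UNC path, the condition that triggers the outbound SMB
request described above. The function names and the host fileserver.example.test are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"

def unc_host(target):
    """Return the remote host if target is a UNC path or file: URL to one."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:]
    t = t.replace("\\", "/")
    lead = len(t) - len(t.lstrip("/"))
    # //host/share (UNC, file://host/...), ////host and /////host (file:///\\host)
    # name a remote host; three slashes (file:///C:/...) is a local path.
    if lead not in (2, 4, 5):
        return None
    host = t.lstrip("/").split("/", 1)[0]
    return None if host.lower() in ("", ".", "?", "localhost") else host

def find_unc_links(xlsx_bytes):
    """List (part, host, target) for external relationships with a UNC target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            # Stdlib parser keeps the example dependency-free; a hardened
            # XML parser is the better choice for untrusted uploads.
            for rel in ET.fromstring(z.read(part)).iter(REL):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                host = unc_host(target)
                if host:
                    hits.append((part, host, target))
    return hits

def sample_xlsx(target):
    """Constructed sample: a zip holding only a sheet hyperlink .rels part."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
            '2006/relationships"><Relationship Id="rId1" Type="http://schemas.'
            'openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="%s" TargetMode="External"/></Relationships>' % target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_unc_links(sample_xlsx(r"file:///\\fileserver.example.test\share\a")))
```

This inspects relationship parts only; a link built with a HYPERLINK() formula inside the sheet XML is not covered
by this check.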


Timeline:
=====================
2017-09-29 - Issue Reported to Vendor


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

badbiddy