Magewell Pro Convert Cross-Site Request Forgery Vulnerability Allowing Arbitrary Account Creation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Magewell Pro Convert application, version 1.2.213. The issue resides in the '/mwapi?method=add-user' endpoint, which accepts account-creation requests over a plain GET and performs no CSRF check: it validates neither an anti-CSRF token nor the Origin/Referer headers, and it does not restrict the HTTP method. Any web page that a logged-in administrator visits can therefore make the administrator's browser issue the request with the device session cookie attached, creating an arbitrary user account, including one with administrative privileges.

Impact

Exploitation of this vulnerability allows for unauthorized creation of user accounts, including administrative accounts, which could lead to full device compromise by granting persistent administrative access.

Reproduction

To reproduce this vulnerability, use a Magewell Pro Convert device running firmware v1.2.213 and an administrator who is logged in to its web interface; that administrator's browser session is the victim. Host an attacker-controlled HTML page containing a GET form that targets the '/mwapi?method=add-user' endpoint with the parameters needed to create an account: 'id' (the username), 'pass' (the MD5 hash of the password, not the plaintext) and 'is-admin' set to '1'. Because a browser replaces the action URL's own query string with the form fields when it submits a GET form, pass 'method=add-user' as a hidden field as well rather than relying on it in the action URL. Add a script that submits the form on page load. When the administrator is lured into opening the page, the browser sends the request with the administrator's active session cookie and the device creates the new administrative user. The device is not the only place to confirm success: the same request is visible in the browser's developer tools as a plain navigation to '/mwapi' carrying the parameters in the query string.

Remediation

Users are advised to upgrade to a firmware version that addresses this vulnerability; contact Magewell for the latest secure release. Until then, restrict access to the management interface by disabling remote access or placing it behind a VPN, and do not leave an administrator session logged in while browsing other sites from the same browser. On the device side, the fix is the standard set of CSRF protections for state-changing API calls: require a per-session anti-CSRF token, reject GET (and HEAD) for operations such as add-user, and validate the Origin header, falling back to Referer and refusing the request when neither is present. Marking the session cookie SameSite=Lax or Strict adds a browser-enforced layer, but it is a complement to the server-side checks, not a replacement for them.

Added: Nov 24, 2025, 5:19 PM
Updated: Nov 24, 2025, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 7.7
remediation:    0.0
relevance:      1.2
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.