Command Injection Vulnerability on ClickShare Base Units

Publish date

September 2017






ClickShare Base Units


ClickShare CSM-1 Base Unit Firmware v1.7.0.3 

ClickShare CSC-1 Base Unit Firmware v1.10.0.10 


Claudio Moletta


The Barco ClickShare Base Unit was found to be vulnerable to multiple command injection vulnerabilities in the web API interface.

This may allow an attacker to run commands on the remote system with the privileges of root user. 

When exploiting this issue, Context was able to create an additional local user with maximum privileges, use the SSH service for a full and reliable access to the device and further compromise the ClickShare USB Buttons.

The affected versions are:

  • ClickShare CSM-1 Base Unit Firmware older than v1.7.0.3
  • ClickShare CSC-1 Base Unit Firmware older than v1.10.0.10

Details of Exploitation

The vulnerable code is within a function that manages the PUT HTTP requests. An attacker would need valid credentials to perform this attack, however there is a default user account called “integrator” with password “integrator”. 

As shown in the image below, input from the user is used within an OS system command without being sanitised.

Code execution can be obtained by modifying and then running the following command:

curl -v -i --user integrator:integrator --digest -X PUT --data 

To gain a shell on the remote system, the security team used the following technique:

  • Create a custom reverse PHP shell or using publicly available tools (metasploit or fuzzdb)
  • Start a webserver on the attacker’s machine
  • Download the PHP shell on the remote system using curl (using the command injection shown above)
  • Start the listener on the attacker’s machine
  • Run the PHP reverse shell (using the command injection shown above)

The screenshot below shows the shell obtained by following the above steps:


CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider
ASSURE Cyber Supplier - CAA