ClickShare Base Units
ClickShare CSM-1 Base Unit Firmware v220.127.116.11
ClickShare CSC-1 Base Unit Firmware v18.104.22.168
The Barco ClickShare Base Unit was found to be vulnerable to multiple command injection vulnerabilities in the web API interface.
This may allow an attacker to run commands on the remote system with the privileges of the root user.
When exploiting this issue, Context was able to create an additional local user with maximum privileges, use the SSH service for full and reliable access to the device, and further compromise the ClickShare USB Buttons.
The affected versions are:
- ClickShare CSM-1 Base Unit Firmware older than v22.214.171.124
- ClickShare CSC-1 Base Unit Firmware older than v126.96.36.199
Details of Exploitation
The vulnerable code is within a function that manages the PUT HTTP requests. An attacker would need valid credentials to perform this attack; however, there is a default user account called “integrator” with password “integrator”.
As shown in the image below, input from the user is used within an OS system command without being sanitised.
Code execution can be obtained by modifying and then running the following command:
curl -v -i --user integrator:integrator --digest -X PUT http://188.8.131.52:4000/v1.0/OnScreenText/MeetingRoomName --data "value=TESTDEVICE'; INSERT COMMAND HERE; #"
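Added example (not code from this advisory or from the ClickShare firmware): a Python illustration of the pattern described above, where request data is pasted into a shell command string, beside a hardened version that validates the value and runs the command without a shell. `printf` stands in for the firmware's real command, which the page does not show; the function names, the name policy and the harmless `echo INJECTED` marker are assumptions made for illustration.

```python
import re
import subprocess

# Stand-in for the firmware's real helper, which the page does not show.
# printf only echoes its argument, so the effect of each call is visible and harmless.
STAND_IN = ["printf", "%s\n"]

# Assumed policy for a meeting room name: short, no shell metacharacters.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")


def set_name_vulnerable(value: str) -> str:
    """Unsafe pattern: request data pasted into a string that /bin/sh parses."""
    cmd = f"printf '%s\\n' '{value}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(value: str) -> str:
    """Pass the value as a single argv element; no shell ever parses it."""
    done = subprocess.run(STAND_IN + [value], capture_output=True, text=True, check=True)
    return done.stdout


def set_name_hardened(value: str) -> str:
    """Allowlist validation first, then execution without a shell."""
    if not NAME_RE.fullmatch(value):
        raise ValueError("invalid meeting room name")
    return run_without_shell(value)


# Constructed input in the shape of the request on this page, with a harmless
# marker command in place of the page's "INSERT COMMAND HERE" placeholder.
CRAFTED = "TESTDEVICE'; echo INJECTED; #"

if __name__ == "__main__":
    print(repr(set_name_vulnerable("Boardroom 2")))  # value used as data
    print(repr(set_name_vulnerable(CRAFTED)))        # second command runs
    print(repr(run_without_shell(CRAFTED)))          # quote and ';' stay literal
    try:
        set_name_hardened(CRAFTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Either layer alone stops the quote breakout; using both means a gap in the allowlist does not reopen the injection.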
To gain a shell on the remote system, the security team used the following technique:
- Create a custom PHP reverse shell, or use publicly available tools (Metasploit or fuzzdb)
- Start a webserver on the attacker’s machine
- Download the PHP shell on the remote system using curl (using the command injection shown above)
- Start the listener on the attacker’s machine
- Run the PHP reverse shell (using the command injection shown above)
The screenshot below shows the shell obtained by following the above steps: