CVE-2017-9377

Command Injection Vulnerability on ClickShare Base Units

Publish date

September 2017

Identifier

CVE-2017-9377

Manufacturer

Barco

Product

ClickShare Base Units

Patched

ClickShare CSM-1 Base Unit Firmware v1.7.0.3
https://www.barco.com/en/Support/software/R33050037 

ClickShare CSC-1 Base Unit Firmware v1.10.0.10
https://www.barco.com/en/support/software/R33050020 

Authors

Claudio Moletta

Description

The Barco ClickShare Base Unit was found to be vulnerable to multiple command injection vulnerabilities in the web API interface.

This may allow an attacker to run commands on the remote system with the privileges of the root user.

When exploiting this issue, Context was able to create an additional local user with maximum privileges, use the SSH service for full and reliable access to the device, and further compromise the ClickShare USB Buttons.

The affected versions are:

  • ClickShare CSM-1 Base Unit Firmware older than v1.7.0.3
  • ClickShare CSC-1 Base Unit Firmware older than v1.10.0.10
     

Details of Exploitation

The vulnerable code is within a function that handles HTTP PUT requests. An attacker needs valid credentials to perform this attack; however, there is a default user account called “integrator” with the password “integrator”.

As shown in the image below, input from the user is used within an OS system command without being sanitised.

Code execution can be obtained by modifying and then running the following command:

curl -v -i --user integrator:integrator --digest -X PUT \
  http://1.1.1.1:4000/v1.0/OnScreenText/MeetingRoomName --data \
  "value=TESTDEVICE'; INSERT COMMAND HERE; #"

To gain a shell on the remote system, the security team used the following technique:

  • Create a custom reverse PHP shell or use publicly available tools (Metasploit or fuzzdb)
  • Start a webserver on the attacker’s machine
  • Download the PHP shell on the remote system using curl (using the command injection shown above)
  • Start the listener on the attacker’s machine
  • Run the PHP reverse shell (using the command injection shown above)
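
Why the value in the command above reaches the shell, and how a handler can avoid it, as an added example (not code from the advisory or from Barco's firmware). It assumes the value lands inside single quotes, as the payload shape suggests; `printf` stands in for the device's real command, `echo INJECTED` replaces the placeholder, and the function names and naming policy are hypothetical.

```python
import re
import subprocess

# Constructed stand-in: the advisory does not show the device's real command,
# so `printf` plays the role of the program that receives the room name.
PAYLOAD = "TESTDEVICE'; echo INJECTED; #"  # advisory's shape, harmless marker

# Assumed naming policy for illustration (not Barco's): short, plain names only.
ROOM_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


def set_name_vulnerable(value: str) -> str:
    """Pattern the advisory describes: the value is pasted into a shell string."""
    cmd = "printf '%s' '" + value + "'"
    # The quote in the value closes the string, ';' starts a new command,
    # and '#' comments out the trailing quote.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_name_argv(value: str) -> str:
    """No shell involved: the value is one argv element, so quotes stay data."""
    return subprocess.run(["printf", "%s", value],
                          capture_output=True, text=True).stdout


def set_name_hardened(value: str) -> str:
    """Allowlist validation first, then the shell-free call."""
    if not ROOM_NAME.fullmatch(value):
        raise ValueError("invalid meeting room name")
    return set_name_argv(value)


if __name__ == "__main__":
    print(repr(set_name_vulnerable(PAYLOAD)))  # marker command ran
    print(repr(set_name_argv(PAYLOAD)))        # payload kept as literal text
    try:
        set_name_hardened(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```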

The screenshot below shows the shell obtained by following the above steps:
