The Barco ClickShare CSM-1 is a wireless presentation and collaboration system, that allows any meeting participant to share content on the central meeting room screen. Like many modern devices, it uses a web server for remote device configuration and maintenance. By default, the device installs with default administrator credentials (admin / admin) that can be changed after authenticating. These credentials can also be used to exploit multiple post-authentication remote command execution flaws. CVE-2015-6532 - The first issue is due to the getLastCommitTimeStamp.php script not properly sanitizing user-supplied input to the id POST parameter. Supplying a Unix-based command between semi-colons (e.g. ;id;), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Version 01.05.00.0032 was tested and found to be vulnerable, while 01.07.00.33 was not. Barco has since said that the 01.0.5x line has been "withdrawn as beta", while fixing it in a different code tree. CVE-2015-6533 - The second issue is due to the /index.php/centralstore script not properly sanitizing user-supplied input when called with the docommand command. Supplying a Unix-based command between single quotes and semi-colons (e.g. ' ; id ; '), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Based on the command invoked, the POST parameter required will change. For example, the addObject command would inject via the name parameter, and the unpairDongle command would inject via the serialnr parameter. Version 01.07.00.0033, the latest available at the time of testing, is affected. While not a vulnerability, Tenable engineers noticed a clever utility included with the application, and would like to give props to Barco engineers: # cat cn.php
This Cyber News was published on www.tenable.com. Publication date: Fri, 08 Dec 2023 08:53:04 +0000