
CVE-2024-56477 PoC — IBM Power Hardware Management Console Path Traversal Vulnerability

Associated Vulnerability
Title: IBM Power Hardware Management Console Path Traversal Vulnerability (CVE-2024-56477)
Description: IBM Power Hardware Management Console (HMC) is a graphical management suite from International Business Machines (IBM), a US company, used to configure and manage Power Systems servers; it is primarily used to administer servers and other hardware. IBM Power Hardware Management Console contains a path traversal vulnerability that stems from allowing an authenticated user to traverse directories on the system.
Readme
# CVE-2024-56477: Able to traverse through directories from a restricted environment and access Power Hardware Management Console (HMC) source code

## Description

A privileged user could identify the location of the source code from an already running process and then access it completely via scp. The issue arises from insufficient authorization controls configured for a low-privileged user, which amounts to a possible way of bypassing the restricted bash.

- **Vulnerability Type**: Directory Traversal
- **Severity**: Medium (CVSS: 6.5)
- **Impact**: Restricted Bash Breakout

### Summary

After escaping the restricted shell, an attacker could access sensitive data and files that were previously inaccessible.
Also, if an attacker successfully breaks out of the restricted Bash environment, they may gain access to a broader set of system privileges, potentially escalating from a low-privileged user to a higher one.

---

## Affected Versions

The following versions of the Power Hardware Management Console are impacted by this vulnerability:

- Power Hardware Management Console (HMC) V10.3.1050.0
- Affected on the Linux platform

---

## Reproduction Steps

To reproduce this vulnerability, follow the steps below:

1. Access the restricted bash environment and from there navigate to the folder where process-related information is stored.
2. For every process running on the system there is a process-id folder with a corresponding cmdline file.
3. Read the cmdline file available against each of the process ids and you will find the location of the source code.
   <img width="1712" alt="01" src="https://github.com/user-attachments/assets/ad3b2449-f854-4b6b-97b8-87d4297f1d4b" />
4. Now use the scp command to download the source code via the identified path.
   <img width="1712" alt="02" src="https://github.com/user-attachments/assets/d2b59f32-6be1-4bb5-a6a5-ab51fa85603b" />
   <img width="1683" alt="03" src="https://github.com/user-attachments/assets/d0d2f2d9-9b05-410e-bb5d-05539440a78c" />
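The enumeration step above depends on a low-privileged user being able to read other users' `/proc/<pid>/cmdline`. As an added example (not from the PoC repository or IBM), the POSIX shell check below tells a defender whether a Linux host's `/proc` mount uses the `hidepid` option, which hides other users' process directories from non-root accounts. It assumes the standard `/proc/mounts` line format and is a generic hardening check, not IBM's fix for this CVE.

```shell
#!/bin/sh
# Added example: report the hidepid level on the /proc mount.
# hidepid=2 (alias "invisible") hides other users' /proc/<pid> entries,
# so a restricted account can no longer read their cmdline files.
# Assumption: the standard "dev mountpoint fstype options dump pass" format.

# proc_hidepid_level [MOUNTS_FILE]
# Prints the numeric hidepid level of the /proc mount (0 when absent).
# Accepts both numeric and named forms; the last hidepid= option wins.
proc_hidepid_level() {
  mounts="${1:-/proc/mounts}"
  level=0
  while read -r dev mnt fstype opts rest; do
    [ "$fstype" = "proc" ] && [ "$mnt" = "/proc" ] || continue
    oldifs=$IFS; IFS=,
    for opt in $opts; do
      case "$opt" in
        hidepid=0|hidepid=off)        level=0 ;;
        hidepid=1|hidepid=noaccess)   level=1 ;;
        hidepid=2|hidepid=invisible)  level=2 ;;
        hidepid=4|hidepid=ptraceable) level=4 ;;
      esac
    done
    IFS=$oldifs
  done < "$mounts"
  printf '%s\n' "$level"
}

# proc_cmdline_hidden [MOUNTS_FILE]
# Succeeds (exit 0) when the level is strong enough to hide other users'
# process directories, i.e. invisible (2) or ptraceable (4).
proc_cmdline_hidden() {
  lvl=$(proc_hidepid_level "$1")
  [ "$lvl" -eq 2 ] || [ "$lvl" -eq 4 ]
}

# Report on the live system when /proc/mounts is available.
if [ -r /proc/mounts ]; then
  if proc_cmdline_hidden /proc/mounts; then
    echo "OK: /proc uses hidepid=$(proc_hidepid_level /proc/mounts); other users' cmdline files are hidden"
  else
    echo "WARN: /proc has hidepid=$(proc_hidepid_level /proc/mounts); any local user can read other processes' cmdline"
  fi
fi
```

Remounting with `mount -o remount,hidepid=2 /proc` (plus the matching `/etc/fstab` entry) closes the enumeration path on a general-purpose Linux host; on an appliance such as the HMC, apply the vendor fix rather than changing mount options.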
