POC details: 889ae4f3247cbc1c8a1eff91034ba6938d204fc3

Source
Related vulnerability
Title: IBM Power Hardware Management Console Directory Traversal Vulnerability (CVE-2024-56477)
Description: IBM Power Hardware Management Console V10.3.1050.0 contains a directory traversal vulnerability. An attacker can view arbitrary files on the system by sending a specially crafted URL request containing "dot dot" sequences (/../).
Introduction
# CVE-2024-56477: Able to traverse through directories from a restricted environment and access Power Hardware Management Console (HMC) source code

## Description

A privileged user could identify the location of the source code from the already running process and fully access it via scp. The issue arises because of insufficient authorization controls configured for a low-privileged user, a possible way of bypassing restricted bash.

- **Vulnerability Type**: Directory Traversal
- **Severity**: Medium (CVSS: 6.5)
- **Impact**: Restricted Bash Breakout

### Summary

After escaping the restricted shell, an attacker could access sensitive data and files that were previously inaccessible.
If an attacker successfully breaks out of the restricted Bash environment, they may also gain access to a broader set of system privileges, potentially escalating from a low-privileged user to a higher one.

---

## Affected Versions

The following versions of Power HMC are impacted by this vulnerability:

- Power Hardware Management Console (HMC) V10.3.1050.0
- Affected on the Linux platform

---

## Reproduction Steps

To reproduce this vulnerability, follow the steps below:

1. Access the restricted bash environment and from there navigate to the folder where process-related information is stored.
2. For each process running on the system there is a process-id folder with a corresponding cmdline file.
3. Read the cmdline file available for each of the process ids and you will end up finding the location of the source code.
   <img width="1712" alt="01" src="https://github.com/user-attachments/assets/ad3b2449-f854-4b6b-97b8-87d4297f1d4b" />
4. Now, using the scp command, download the source code via the identified path.
   <img width="1712" alt="02" src="https://github.com/user-attachments/assets/d2b59f32-6be1-4bb5-a6a5-ab51fa85603b" />
   <img width="1683" alt="03" src="https://github.com/user-attachments/assets/d0d2f2d9-9b05-410e-bb5d-05539440a78c" />
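The precondition for step 3 is that an unprivileged account can read other users' `/proc/<pid>/cmdline`. As an added defender-side check that is not part of the original advisory, the POSIX shell snippet below parses `/proc` mount options and reports whether `hidepid` protects those files; the `hidepid` semantics follow the Linux proc(5) man page, and the sample mount tables are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): reports whether /proc lets
# unprivileged users read other users' /proc/<pid>/cmdline.
# hidepid semantics per proc(5): 0/off exposes cmdline to everyone;
# 1/noaccess, 2/invisible and 4/ptraceable all protect it.

# proc_hidepid_level "<mount options>" -> prints the numeric hidepid level
proc_hidepid_level() {
  level=0
  old_ifs=$IFS
  IFS=,
  for opt in $1; do
    case "$opt" in
      hidepid=0|hidepid=off)        level=0 ;;
      hidepid=1|hidepid=noaccess)   level=1 ;;
      hidepid=2|hidepid=invisible)  level=2 ;;
      hidepid=4|hidepid=ptraceable) level=4 ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$level"
}

# proc_cmdline_exposed "<mount table text>" -> exit 0 when any user can read
# other users' cmdline (no hidepid), 1 when protected or /proc not found
proc_cmdline_exposed() {
  level=$(printf '%s\n' "$1" | while read -r _dev mnt fstype opts _rest; do
    if [ "$mnt" = /proc ] && [ "$fstype" = proc ]; then
      proc_hidepid_level "$opts"
      break
    fi
  done)
  [ -n "$level" ] || return 1
  [ "$level" -eq 0 ]
}

# Constructed sample mount tables in /proc/self/mounts format
EXPOSED_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
HARDENED_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0'

# Stand-alone use: audit the running host when /proc is available
if [ -r /proc/self/mounts ]; then
  if proc_cmdline_exposed "$(cat /proc/self/mounts)"; then
    echo "WARN: /proc mounted without hidepid; other users' cmdline files are readable"
  else
    echo "OK: /proc hidepid protects /proc/<pid>/cmdline"
  fi
fi
```

Remounting `/proc` with `hidepid=invisible` (or `hidepid=2`) is the corresponding mitigation; it does not by itself restrict scp, which this advisory shows as the exfiltration channel.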

File snapshot

[4.0K] /data/pocs/889ae4f3247cbc1c8a1eff91034ba6938d204fc3 └── [2.0K] README.md 0 directories, 1 file
The Shenlong bot has cached this for you
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.