CVE-2024-24919 PoC: Information disclosure

Associated Vulnerability
Title: Information disclosure (CVE-2024-24919)
Description: Potentially allows an attacker to read certain information on Check Point Security Gateways that are connected to the internet and have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.
Readme
# πŸ›‘οΈ SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]

**Date:** Jun 06, 2024  
**Investigation Type:** Web Attack  
**Platform:** LetsDefend  
**Rule Triggered:** SOC287 – Arbitrary File Read Detected  
**CVE:** [CVE-2024-24919](https://nvd.nist.gov/vuln/detail/CVE-2024-24919)  
**Severity:** High  
**Impact:** Unauthorized access to sensitive system files via path traversal

---

## 📌 Summary

On June 6, 2024, an alert was triggered on `CP-Spark-Gateway-01` indicating a successful exploitation attempt of **CVE-2024-24919**, a zero-day arbitrary file read vulnerability affecting Check Point Security Gateways that have the Remote Access VPN or Mobile Access Software Blades enabled.

A POST request carrying a path traversal payload (`aCSHELL/../../../../../../../../../../etc/passwd`) was sent from the malicious IP `203.160.68.12` (China Unicom, Hong Kong). The gateway answered with HTTP `200 OK`, indicating that the target system's `/etc/passwd` file was read. Because a status code alone is a weak indicator, the response body (or at least its size) should be checked to confirm that the file contents were actually returned.

---

## 🧪 Technical Details

| Field | Value |
|-------|-------|
| **Source IP** | `203.160.68.12` |
| **Destination IP** | `172.16.20.146` |
| **Hostname** | `CP-Spark-Gateway-01` |
| **User-Agent** | Firefox/126.0 |
| **Request** | `aCSHELL/../../../../../../../../../../etc/passwd` |
| **Status Code** | `200 OK` |
| **Exploit Type** | Path Traversal |
| **Potential Outcome** | Credential harvesting (account names from `/etc/passwd`; the same traversal can read `/etc/shadow` and gateway configuration), privilege escalation |

---

## πŸ› οΈ Tools Used

- [VirusTotal](https://www.virustotal.com)
- [AbuseIPDB](https://www.abuseipdb.com)
- ChatGPT (for deeper behavioral analysis)

---

## ⚠️ Other IPs to investigate

- `10.0.0.5`
- `10.0.0.10`
- `203.160.68.13`
- `192.168.1.100`

The `10.x` and `192.168.x` addresses are RFC 1918 internal hosts; `203.160.68.13` is adjacent to the attacker's address.

---

## 🧩 Response Actions

- 🚫 Blocked the malicious IP
- 🔄 Applied the Check Point hotfix [sk182336](https://support.checkpoint.com/results/sk/sk182336)
- 🔍 Reviewed access logs for similar patterns
- 🧵 Escalated to Tier 2 for deeper forensics
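
To make the "reviewed access logs for similar patterns" step concrete, here is an added example (not part of the original LetsDefend write-up or any Check Point tooling) that hunts for the traversal pattern described above in gateway access logs. The log layout and every log line are constructed for illustration; the `/clients/MyCRL` request path is the endpoint targeted by the public PoC and is an assumption here, since the alert on this page shows only the request body.

```python
"""Hunt for CVE-2024-24919-style traversal requests in gateway access logs.

Added example for this write-up, not code from LetsDefend or Check Point.
The log layout and every line in SAMPLE_LOG are constructed; the request
path /clients/MyCRL is the one used by the public PoC (an assumption here,
the alert on this page shows only the request body).
"""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed layout: <src_ip> <method> <uri> <status> <bytes> "<ua>" "<body>"
SAMPLE_LOG = """\
203.160.68.12 POST /clients/MyCRL 200 1187 "Mozilla/5.0 Firefox/126.0" "aCSHELL/../../../../../../../../../../etc/passwd"
203.160.68.12 POST /clients/MyCRL 200 1702 "Mozilla/5.0 Firefox/126.0" "aCSHELL/../../../../../../../../../../etc/shadow"
203.160.68.13 POST /clients/MyCRL 404 162 "curl/8.4.0" "aCSHELL/..%252f..%252f..%252fetc/passwd"
10.0.0.5 GET /sslvpn/Login/Login 200 4210 "Mozilla/5.0 Firefox/126.0" ""
192.168.1.100 POST /clients/MyCRL 200 512 "python-requests/2.31" "aCSHELL/legit.crl"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) '
    r'(?P<bytes>\d+) "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

# Files worth a Tier-2 escalation if the read succeeded (illustrative list).
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/home/", "/var/log/")


def decode(value: str) -> str:
    """Decode twice (catches %252e double encoding) and unify separators."""
    return unquote(unquote(value)).replace("\\", "/")


def resolve_target(value: str) -> str:
    """Return the path a traversal payload actually reaches.

    The payload is relative ('aCSHELL/../../../etc/passwd'); anchoring it
    at '/' lets posixpath.normpath collapse the '..' segments, and surplus
    '..' above the root is discarded, as the filesystem would do.
    """
    return posixpath.normpath("/" + decode(value))


def analyze(log_text: str):
    """Return (findings, per_ip_summary) for traversal attempts in log_text.

    A 200 is recorded as a likely successful read; treat it as a lead and
    confirm from the response body or size before reporting exfiltration.
    """
    findings = []
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "files": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than silently misparse
        rec = m.groupdict()
        for field in ("uri", "body"):
            if "../" not in decode(rec[field]):
                continue
            target = resolve_target(rec[field])
            succeeded = rec["status"] == "200"
            findings.append({
                "ip": rec["ip"],
                "field": field,
                "target": target,
                "sensitive": target.startswith(SENSITIVE_PREFIXES),
                "succeeded": succeeded,
            })
            stats = per_ip[rec["ip"]]
            stats["attempts"] += 1
            if succeeded:
                stats["successes"] += 1
                stats["files"].add(target)
    return findings, dict(per_ip)


if __name__ == "__main__":
    found, summary = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    for ip, s in summary.items():
        print(ip, s["attempts"], "attempts,", s["successes"], "reads:", sorted(s["files"]))
```

Running the block prints one finding per traversal request and a per-IP tally. Decoding twice before matching catches `%252e`-style double encoding that a single-pass string match on `../` would miss, and resolving the payload with `posixpath.normpath` reports the file the request actually reached rather than the raw payload, which is what the escalation note to Tier 2 needs.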

---

## 📸 Screenshots

### About the Attack
![About Screenshot 1](/about1.png)  
![About Screenshot 2](/about2.png)

### Exploit Details
![Exploit Step 3](/3.png)  
![Alert Triggered](/alert.png)

### Analysis & Enrichment
![AbuseIPDB Result](/abusseip.png)  
![VirusTotal Result](/virusto.png)

### Notes & Markings
![Annotated Screenshot](/marks.png)

File Snapshot

```text
[4.0K] /data/pocs/9b0d4bb3688c6bad288822de2853ed8820a0ac3d
├── [ 60K] about1.png
├── [ 84K] about2.png
├── [ 46K] about3.png
├── [125K] abusseip.png
├── [ 37K] alert.png
├── [169K] marks.png
├── [2.2K] README.md
└── [107K] virusto.png

0 directories, 8 files
```