POC details: 9b0d4bb3688c6bad288822de2853ed8820a0ac3d

Source
Related vulnerability
Title: Check Point Security Gateways security vulnerability (CVE-2024-24919)
Description: Check Point Security Gateways is an AI-driven NGFW security gateway from the Israeli company Check Point. Check Point Security Gateways contains a security vulnerability that an attacker can exploit to obtain sensitive information.
Introduction
# 🛡️ SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]

**Date:** Jun 06, 2024  
**Investigation Type:** Web Attack  
**Platform:** LetsDefend  
**Rule Triggered:** SOC287 – Arbitrary File Read Detected  
**CVE:** [CVE-2024-24919](https://nvd.nist.gov/vuln/detail/CVE-2024-24919)  
**Severity:** High  
**Impact:** Unauthorized access to sensitive system files via path traversal

---

## 📌 Summary

On June 6, 2024, an alert was triggered on the host `CP-Spark-Gateway-01` indicating a successful exploitation attempt of **CVE-2024-24919**, a zero-day arbitrary file read vulnerability affecting Check Point Security Gateways.

A POST request containing a path traversal payload (`aCSHELL/../../../../../../../../../../etc/passwd`) was sent from a malicious IP `203.160.68.12` (ChinaUnicom, Hong Kong). The payload successfully accessed the target system’s `/etc/passwd` file as confirmed by an HTTP `200 OK` status.

---

## 🧪 Technical Details

| Field | Value |
|-------|-------|
| **Source IP** | `203.160.68.12` |
| **Destination IP** | `172.16.20.146` |
| **Hostname** | `CP-Spark-Gateway-01` |
| **User-Agent** | Firefox/126.0 |
| **Request** | `aCSHELL/../../../../../../../../../../etc/passwd` |
| **Status Code** | `200 OK` |
| **Exploit Type** | Path Traversal |
| **Potential Outcome** | Credential harvesting, privilege escalation |

---

## 🛠️ Tools Used

- [VirusTotal](https://www.virustotal.com)
- [AbuseIPDB](https://www.abuseipdb.com)
- ChatGPT (for deeper behavioral analysis)

---

## ⚠️ Additional IPs to investigate

- `10.0.0.5`
- `10.0.0.10`
- `203.160.68.13`
- `192.168.1.100`

---

## 🧩 Response Actions

- 🚫 Blocked malicious IP
- 🔄 Applied patch [sk182336](https://support.checkpoint.com/results/sk/sk182336)
- 🔍 Reviewed access logs for similar patterns
- 🧵 Escalated to Tier 2 for deeper forensics
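The log review in the third response action can be automated, and the same logic covers the payload described in the summary. The script below is an added example, not code from the original report or from LetsDefend or Check Point: it parses a constructed access-log format, percent-decodes each request (repeatedly, so double-encoded `..` is caught), walks the path segments to see whether a `..` ever climbs above the request root, and pairs that with the HTTP status so a served traversal (like the `200 OK` for `/etc/passwd` above) stands out from a blocked attempt. The log format and every sample line other than the quoted payload are constructed; the watchlist is the IP list from the section above.

```python
"""Scan web access logs for path-traversal requests of the kind described in the
SOC287 alert and report which ones were likely served.

Added example for this write-up; not code from the original report or from
LetsDefend/Check Point. The log format and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed log format: <src_ip> <dst_ip> <method> "<request>" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines. The first traversal string is the one quoted in the
# report; the other lines are benign, blocked or encoded variants made up here.
SAMPLE_LOGS = [
    '203.160.68.12 172.16.20.146 POST "aCSHELL/../../../../../../../../../../etc/passwd" 200 "Firefox/126.0"',
    '203.160.68.13 172.16.20.146 POST "aCSHELL/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/shadow" 403 "curl/8.0"',
    '10.0.0.5 172.16.20.146 GET "static/css/../js/app.js" 200 "Firefox/126.0"',
    '192.168.1.100 172.16.20.146 GET "images/logo.png" 200 "Chrome/125.0"',
    '198.51.100.7 172.16.20.146 GET "%252e%252e/%252e%252e/%252e%252e/etc/hosts" 200 "python-requests/2.31"',
    '198.51.100.8 172.16.20.146 GET "index.html" 200 "Chrome/125.0"',
]

# IPs the report lists for follow-up; flagged even when the request looks benign.
WATCHLIST = {"10.0.0.5", "10.0.0.10", "203.160.68.13", "192.168.1.100"}


@dataclass
class Finding:
    src: str
    request: str
    status: int
    escapes_root: bool
    min_depth: int
    verdict: str
    on_watchlist: bool


def decode_request(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal (%252e) is caught."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def traversal_depth(path: str) -> int:
    """Return the lowest directory depth reached while walking the path.

    A negative value means a '..' climbed above the request root, which is the
    signature of a traversal that can reach files such as /etc/passwd.
    """
    depth = 0
    lowest = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def classify(escapes_root: bool, status: int) -> str:
    """Combine the path verdict with the HTTP status the gateway returned."""
    if escapes_root and 200 <= status < 300:
        return "likely successful file read"
    if escapes_root:
        return "traversal attempt, not served"
    return "benign"


def scan(lines) -> list[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = decode_request(m["request"])
        lowest = traversal_depth(decoded)
        escapes = lowest < 0
        status = int(m["status"])
        findings.append(Finding(
            src=m["src"], request=decoded, status=status,
            escapes_root=escapes, min_depth=lowest,
            verdict=classify(escapes, status),
            on_watchlist=m["src"] in WATCHLIST,
        ))
    return findings


def suspicious(lines) -> list[Finding]:
    """Return only the findings an analyst needs to look at."""
    return [f for f in scan(lines) if f.escapes_root or f.on_watchlist]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOGS):
        flag = " [watchlist]" if f.on_watchlist else ""
        print(f"{f.src:15} {f.status} {f.verdict}{flag}: {f.request}")
```

Decoding before normalising matters: a regex for the literal `../` misses `%2F` and `%252e` variants, while decoding to a fixed point and then counting segments treats all three the same way. Pairing the path verdict with the status code is what separates the incident in this report (traversal plus `200 OK`) from noise that the gateway already rejected.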

---

## 📸 Screenshots

### About the Attack
![About Screenshot 1](/about1.png)  
![About Screenshot 2](/about2.png)

### Exploit Details
![Exploit Step 3](/3.png)  
![Alert Triggered](/alert.png)

### Analysis & Enrichment
![AbuseIPDB Result](/abusseip.png)  
![VirusTotal Result](/virusto.png)

### Notes & Markings
![Annotated Screenshot](/marks.png)

File snapshot

```
[4.0K] /data/pocs/9b0d4bb3688c6bad288822de2853ed8820a0ac3d
├── [ 60K] about1.png
├── [ 84K] about2.png
├── [ 46K] about3.png
├── [125K] abusseip.png
├── [ 37K] alert.png
├── [169K] marks.png
├── [2.2K] README.md
└── [107K] virusto.png

0 directories, 8 files
```