WHAT ARE YOU LOOKING FOR?

Popular Tags

Checkpoint Gaia Portal R81.10 Remote Command Execution ≈ Packet Storm

Exploits Affichages : 217
Checkpoint Gaia Portal R81.10 Remote Command Execution ≈ Packet Storm

Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]

Checkpoint Gaia Portal R81.10 Remote Command Execution[6]
Authored by Rick Verdoes[7], Danny de Weille[8] | Site pentests.nl[9]

Checkpoint Gaia Portal version R81.10 suffers from a remote command execution vulnerability.

advisories | CVE-2023-28130[10]
SHA-256 | e3571f16ea1f1895e1f3d1d3e71aca6e1afb11e9ca3b63cca4ae86613abe5b3d
Download[11] | Favorite[12] | View[13]

Change Mirror[14] Download[15]

        =========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]
CVE Reference: CVE-2023-28130
CVSS Severity: High
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact score: 8.4
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)
=========================
I. BACKGROUND
-------------------------
Check Point Gaia Portal is an advanced web-based interface designed for the configuration of the Gaia platform, a security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. The Gaia Portal allows for nearly all system configuration tasks to be performed through this interface.
II. VULNERABILITY
-------------------------
Check Point Gaia Portal has a vulnerability which allows an authenticated user with write permissions on the DNS settings to inject commands in a cgi script, leading to remote code execution on the operating system. The vulnerability lies in the parameter hostname in the web request /cgi-bin/hosts_dns.tcl, which is susceptible to command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user 'Admin'.
III. Proof of Concept
-------------------------
hostname=name|`COMMAND`&domainname=test.local&save=1
IV. Impact
-------------------------
Successful exploitation allows a remote authenticated attacker to execute commands on the operating system.
V. References
-------------------------
Security advisories:
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/
https://support.checkpoint.com/results/sk/sk181311

Login[16] or Register[17] to add favorites

File Archive:

August 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa

File Tags

File Archives

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month[112]
News Tags[113]
Files by Month[114]
File Tags[115]
File Directory[116]
About Us
History & Purpose[117]
Contact Information[118]
Terms of Service[119]
Privacy Statement[120]
Copyright Information[121]
Services
Security Services[122]
Hosting By
Rokasec[123]
close
Image
Back To Top

Pensée du jour :

Ce que l'homme a fait ,

l'homme peut le défaire.

 

"No secure path in the world"

Category

Popular Sections

About