Skip to content

Client Implementation for the WatchGuard SSO Agent Protocol used for Security Research (CVE-2024-6592, CVE-2024-6593, CVE-2024-6594)

License

Notifications You must be signed in to change notification settings

RedTeamPentesting/watchguard-sso-client

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Proof of Concept for Watchguard SSO Agent Vulnerabilitites (CVE-2024-6592, CVE-2024-6593, CVE-2024-6594)

Details are described in our advisories available at:

The script requires the Python click library to run.

Examples

Issue Arbitrary Commands to SSO Clients

The subcommand command can be used to issue commands to the Telnet interface of a Watchguard SSO client. For example, the list of currently logged-in users can be retrieved:

$ ./wgclient.py command --host 'client.domainname' 'get user a'

Retrieve Log files from SSO Clients

The subcommand logfile can be used to retrieve log files of an Watchguard SSO client. The log files may also include crash memory dumps (see CVE-2024-6592 for details).

$ ./wgclient.py logfile --host 'client.domainname'

Calculate Authentication Bypass Secret

The subcommand authbypass can be used to calculated a secret value to login to the Telnet management interface of an Watchguard SSO agent. To secret is calculated from the banner that the agent sends upon connection, which has to be provided as argument. Details are available in the advisory for CVE-2024-6593.

$ ./wgclient.py authbypass 'EVENT 350 log info Connected to [...]'

About

Client Implementation for the WatchGuard SSO Agent Protocol used for Security Research (CVE-2024-6592, CVE-2024-6593, CVE-2024-6594)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages