Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Source
https://github.com/Chocapikk/CVE-2024-36401
Associated Vulnerability
Title:Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)
Description:GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Description
GeoServer Remote Code Execution
Readme
# 🚀 GeoServer Exploit for CVE-2024-36401 🚀


## 📝 Description

**GeoServer** is an open-source Java-based software server that enables users to view, edit, and share geospatial data. It offers a versatile and efficient solution for distributing geospatial information from various sources such as GIS databases, web-based data, and personal datasets.

In versions of GeoServer earlier than **2.23.6**, versions **2.24.0** to **2.24.3**, and versions **2.25.0** to **2.25.0**, there exists a vulnerability (**CVE-2024-36401**) that permits Remote Code Execution (RCE) by unauthenticated users. This issue arises from the unsafe evaluation of property names as XPath expressions in multiple OGC request parameters.

Exploiting this vulnerability, an attacker can send a POST request containing a malicious XPath expression, which can result in arbitrary command execution as root on the system running GeoServer.

## 🛠️ Setup

### Requirements
Install the required libraries using pip:
```sh
pip install -r requirements.txt
```

## 🚀 Usage

1. Clone the repository:
    ```sh
    git clone https://github.com/Chocapikk/CVE-2024-36401.git
    cd CVE-2024-36401
    ```

2. Run the exploit script with the required parameters:
    ```sh
    python exploit.py -u <target_url> -ip <your_ip> -port <your_port> [--proxy <proxy_url>] [--bind-host <bind_host>] [--bind-port <bind_port>]
    ```

### Example:
```sh
python exploit.py -u http://localhost:8080 -ip 192.168.1.36 -port 1337 --proxy http://127.0.0.1:8081
```

## 📜 Example Output
![Test](geo.png)

## 🙏 Credits

This exploit code was created by:
- [Chocapikk](https://github.com/Chocapikk)
- [K3ysTr0K3R](https://github.com/K3ysTr0K3R)

## ⚠️ Disclaimer

This exploit is for educational purposes only. Use it at your own risk. The author is not responsible for any damage caused by this code.
File Snapshot

 [4.0K]  /data/pocs/3cc1cf593c87f329aaeb9705f63d604471cdf916
├── [6.7K]  exploit.py
├── [140K]  geo.png
├── [1.8K]  README.md
└── [  30]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →