Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Source
https://github.com/RevoltSecurities/CVE-2024-36401
Associated Vulnerability
Title:Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)
Description:GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Description
Exploiter a Vulnerability detection and Exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-36401.
Readme
# CVE-2024-36401: GeoServer Unauthenticated Remote Code Execution 

Exploiter a Vulnerability detection and Exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-36401.

<h1 align="center">
  <img src="https://github.com/RevoltSecurities/CVE-2024-36401/assets/119435129/51cc68f7-b2fa-4d6c-9e5d-84fbbc5923cd" width="2000px">
</h1>
  <br>


### Installation

```bash
git clone https://github.com/RevoltSecurities/CVE-2024-36401.git
cd CVE-2024-34102
pip install -r requirements.txt
python3 exploiter.py --help
```
### Build Your Testing lab:
```bash
sudo docker-compose up -d # To start your vulnerable instance and locate to http://0.0.0.0:8080
sudo docker-compose down # To stop your vulnerable instance.
```

### Usage:

```yaml
python3 exploit.py -h                       


    ______     ____  __         _ ______         
   / ____/  __/ __ \/ /  ____  (_)_  __/__  _____
  / __/ | |/_/ /_/ / /  / __ \/ / / / / _ \/ ___/
 / /____>  </ ____/ /__/ /_/ / / / / /  __/ /    
/_____/_/|_/_/   /_____|____/_/ /_/  \___/_/     
  
                    @RevoltSecurities

[Description]: Vulnerability Detection and Exploitation tool for CVE-2024-36401

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     [INF]: Specify a URL or domain for vulnerability detection
  -l LIST, --list LIST  [INF]: Specify a list of URLs for vulnerability detection
  -t THREADS, --threads THREADS
                        [INF]: Number of threads for list of URLs
  -proxy PROXY, --proxy PROXY
                        [INF]: Proxy URL to send request via your proxy
  -v, --verbose         [INF]: Increases verbosity of output in console
  -o OUTPUT, --output OUTPUT
                        [INF]: Filename to save output of vulnerable target]


```
File Snapshot

 [4.0K]  /data/pocs/c92a09fdb3241cb590b0441f221c5f06eacfab58
├── [ 108]  docker-compose.yaml
├── [ 12K]  exploit.py
├── [1.7K]  README.md
└── [ 158]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →