GeoServer Master Password Dump Arbitrary File Write Leading to RCE

Vulnerability Overview An arbitrary file write vulnerability exists in the Master Password Dump page of GeoServer. This vulnerability allows authenticated administrators, who have access to the GeoServer security system, to write arbitrary files to the Master Password Dump page by specifying an arbitrary filename, thereby creating a file containing the plaintext master password. The provided filename must be the absolute path of the target file; the target file must not already exist, and all parent directories must already exist. Affected Versions Affected Versions: - : >= 2.27.0, = 2.27.0, <= 2.27.2 Remediation Fixed Versions: - : 2.27.3 - : 2.26.4 Details Description: - When dumping the master password, GeoServer performs minimal validation on the provided filename, accepting it as long as it is a valid Java File path. The only restriction is that must return false. Previous unrelated vulnerabilities prevented relative path traversal, but absolute paths can be used to access arbitrary files. GeoServer does not enforce a maximum password length by default, allowing administrators to embed malicious code within the password and subsequently dump it into a JSP file. Impact: - Remote Code Execution (High Severity): If GeoServer is deployed in an environment where an attacker can dynamically deploy and execute JSP files, arbitrary code execution may occur. This is possible if the file is simply placed in the default Tomcat installation's directory. - NTLM Hash Disclosure (Medium Severity): If GeoServer is deployed on a Windows operating system and the GeoServer administrator does not have access to the Windows account running the GeoServer process, the administrator may cause GeoServer to initiate an outbound NTLM request to a remote, attacker-controlled server. This could allow the attacker to capture the NTLM hash or user password for future attacks. - Denial of Service (Low Severity): This vulnerability allows files to be written to any location where the GeoServer process has write permissions, potentially leading to some form of denial of service. Mitigation: - GeoServer installations where the web interface is disabled or completely removed are not affected, as the vulnerability resides within a specific web page. References https://osgeo-org.atlassian.net/browse/GEOS-11852

Goal Reached Thanks to every supporter — we hit 100%!

GeoServer Master Password Dump Arbitrary File Write Leading to RCE

More from this source