Investigating Two TeamCity Authentication Bypass Vulnerabilities

Vulnerability exploits are the third most common method that cybercriminals use to gain access to target organizations, surpassed only by credential theft and phishing in 2023. Once unauthorized access is achieved, intruders can launch ransomware attacks, exfiltrate sensitive data for sale on darknet forums or carry out account takeovers, among a wide array of other ways to inflict harm.

I strongly encourage you to read “Securing the Top 3 SME Attack Vectors” for a deeper technical dive into the mechanics and mitigations of vulnerability exploitation, as well as credential theft and phishing. It offers expert insights and recommendations for IT security teams at small-to-medium enterprises to prevent, detect and remediate today’s most pressing threats, without the sprawling security staff or the budgets of a Fortune 500.


In this section, we’ll unpack a specific example that affected organizations worldwide. Two authentication bypass vulnerabilities affecting TeamCity On-Premises were disclosed in March:

  1. CVE-2024-27198, which is critical severity (CVSS 9.8)
  2. CVE-2024-27199, which is high severity (CVSS 7.3).

TeamCity is a popular CI/CD solution used to build and test software products in an automated manner.

Successful exploitation of CVE-2024-27198, the more serious of the two vulnerabilities, gives a remote unauthenticated attacker complete control over the TeamCity server. This raises major concerns about the vulnerability being used to carry out supply chain attacks.

Many of the over 2,000 TeamCity servers exposed to the internet were not quickly patched.

The vulnerabilities were seen exploited in the wild, as evidenced by a surge of hundreds of new admin user creations observed on unpatched TeamCity servers.

[Figure: world map highlighting affected countries/regions]

Shadowserver, a nonprofit security organization that gathers and analyzes data on malicious internet activity, recorded thousands of attempts to exploit the CVE-2024-27198 vulnerability:

[Figure: Shadowserver chart of recorded exploitation attempts]

Affected Versions

The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.

How to Exploit CVE-2024-27198

The first of the two related vulnerabilities, CVE-2024-27198, stems from the class “jetbrains.buildServer.controllers.BaseController” in the “web-openapi.jar” library, and the way it handles web requests.

  • The class “BaseController” uses the method “handleRequestInternal” to service web requests.
  • If the request does not end up being redirected (HTTP 302), the method “updateViewIfRequestHasJspParameter” is called.

In the “updateViewIfRequestHasJspParameter” method, the Boolean variable “isControllerRequestWithViewName” checks two conditions:

  1. Whether “modelAndView” has a name, and
  2. Whether the servlet path of the request does not end in “.jsp”

If both hold, the “getJspFromRequest” method is called and its output is passed to the method “ModelAndView.setViewName”.


Reviewing the “getJspFromRequest” method in detail, we can see that it pulls the HTTP parameter “jsp” from the web request. The parameter is checked to verify that it ends with “.jsp” and does not contain the path “admin/”.


Given this information, an attacker can manipulate their web request to access arbitrary endpoints without authentication if they satisfy all of the following conditions:

  • Requesting an unauthenticated and non-existent resource. For example: “/hax”.
    • This will trigger a response from the server that generates a servlet path of “/404.html”, which is both not a redirect response and does not end in “.jsp”.
  • Setting the value of the “jsp” parameter in the request to the authenticated resource the attacker wants to access.
    • This can be done by appending an HTTP query string, such as “?jsp=/app/rest/server”
  • Ensuring that the path requested ends with “.jsp”.
    • This can be done by appending “;.jsp” to the request.

Exploiting this vulnerability bypasses authentication, granting an attacker full access to the server by performing one of the following actions:

  1. The attacker can manipulate the “/app/rest/users” endpoint to remotely create a new admin account on the server:
  2. The attacker could also generate a new administrator access token:

How to Exploit CVE-2024-27199

The second vulnerability, CVE-2024-27199, is an authentication bypass vulnerability that relies on path traversal. Several paths in the TeamCity server were found to be vulnerable to path traversal, including:

  • /res/
  • /update/
  • /.well-known/acme-challenge/

Using these paths, an attacker can bypass authentication to access a limited number of resources that leak information and, in some cases, even allow the modification of settings. For example, normally the resource “/admin/diagnostic.jsp” does not allow unauthenticated access:


However, when leveraging the path traversal vulnerability and using the path “/res/../admin/diagnostic.jsp”, access is granted:


This vulnerability could also be exploited by an attacker to cause a denial of service on the server by targeting the endpoint “/app/https/settings/uploadCertificate”. An attacker can use this endpoint to upload their own certificate to the server and change its listening port.

To do this, a POST request to the path “/res/../app/https/settings/uploadCertificate” carrying the crafted certificate can be made:


A look at the server’s settings shows that the changes were indeed made:
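As an added example, not code from the original write-up or from JetBrains, the following Python script scans web-server access-log lines for the two request shapes described above: the CVE-2024-27198 technique (a “jsp” parameter pointing at an authenticated endpoint, with the “;.jsp” suffix used to satisfy the view-name check) and CVE-2024-27199 traversal out of the /res/, /update/ and /.well-known/acme-challenge/ prefixes. The combined log format, the IP addresses and the individual request lines are constructed for this example and are assumptions; the endpoint names and prefixes are the ones named in the write-up.

```python
import re
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined log format. IPs, timestamps, sizes and
# user agents are made up for this example; they are not from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2024:10:00:01 +0000] "GET /app/rest/server HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.10 - - [04/Mar/2024:10:00:02 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 1520 "-" "curl/8.4.0"
203.0.113.10 - - [04/Mar/2024:10:00:03 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 840 "-" "curl/8.4.0"
198.51.100.7 - - [04/Mar/2024:10:05:00 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9000 "-" "python-requests/2.31"
198.51.100.7 - - [04/Mar/2024:10:05:01 +0000] "POST /update/%2e%2e/app/https/settings/uploadCertificate HTTP/1.1" 200 120 "-" "python-requests/2.31"
192.0.2.5 - - [04/Mar/2024:10:10:00 +0000] "GET /res/img/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.5 - - [04/Mar/2024:10:10:01 +0000] "GET /overview.html?jsp=/somePage.jsp HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Unauthenticated prefixes the write-up lists as traversal entry points (CVE-2024-27199).
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def query_params(query):
    """Split a raw query string on '&' only, so ';' survives inside values
    (parse_qs treats ';' as a separator on older Python versions)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def check_27198(target):
    """CVE-2024-27198 shape: a 'jsp' parameter naming an absolute path, with a
    ';' path parameter (e.g. ';.jsp') used to satisfy the '.jsp' suffix check."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    for raw in query_params(parts.query).get("jsp", []):
        effective = raw.split(";", 1)[0]  # strip ';...' to see the real view target
        if (";" in raw or ";" in path) and effective.startswith("/"):
            return {"cve": "CVE-2024-27198", "effective_target": effective}
    return None


def check_27199(target):
    """CVE-2024-27199 shape: a request under an unauthenticated prefix whose
    '..' segments resolve to a path outside that prefix."""
    path = unquote(urlsplit(target).path)
    for prefix in TRAVERSAL_PREFIXES:
        if path.startswith(prefix) and ".." in path.split("/"):
            resolved = posixpath.normpath(path)
            if not resolved.startswith(prefix):
                return {"cve": "CVE-2024-27199", "effective_target": resolved}
    return None


def scan(log_text):
    """Run both checks over every parseable line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hit = check_27198(rec["target"]) or check_27199(rec["target"])
        if hit:
            findings.append({**hit, "ip": rec["ip"], "method": rec["method"],
                             "status": rec["status"], "target": rec["target"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['cve']} {f['ip']} {f['method']} {f['target']} "
              f"-> {f['effective_target']} (HTTP {f['status']})")
```

A 200 response on either pattern against a server still on 2023.11.3 or earlier is the signal to look for; the natural follow-up is to review the TeamCity audit log for the new admin users and access tokens the write-up describes. The script only decodes one layer of URL encoding, so a production rule should normalise double-encoded targets as well, and the log regex will need adjusting to whatever format the reverse proxy in front of TeamCity actually writes.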


How Can We Mitigate This?

Update TeamCity to the latest version (2023.11.4) by using the automatic update option in the TeamCity server or, alternatively, by manually downloading the new version from the JetBrains website.

For customers who cannot upgrade the server, JetBrains provides a security patch plugin that patches the vulnerabilities on all TeamCity versions.

Conclusion

For additional guidance on safeguarding your SME, read “Securing the Top 3 SME Attack Vectors.” And make sure your team is empowered by an affordable, easy-to-use solution, such as Cynet’s All-in-One Cybersecurity Solution, which is purpose-built for small teams. After all, the way forward for your organization is too important to gamble on.