module

JetBrains TeamCity Unauthenticated Remote Code Execution

Disclosed
Mar 4, 2024
Created
Mar 14, 2024

Description

This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated
attacker can leverage this to access the REST API and create a new administrator access token. This token
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist,
so the exploit will instead create a new administrator account before uploading a plugin. Older versions of
TeamCity have a debug endpoint (/app/rest/debug/process) that allows arbitrary commands to be executed;
however, recent versions of TeamCity no longer ship this endpoint, which is why a plugin is leveraged for code
execution instead, as this is supported on all versions tested.
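
A defender-side illustration of the sequence described above, added here and not part of the Metasploit module: it scans web access logs for a REST credential-creation request followed by a plugin upload or debug-endpoint call from the same client. The common-log-format input, the token, user and plugin-upload paths (taken from TeamCity's REST API and admin UI, not from this page), the 10-minute window and the sample lines are assumptions or constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Assumption: Tomcat / reverse-proxy access log in common log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Stages from the description: (name, required method or None, path pattern).
STAGES = [
    ("token_create", "POST", re.compile(r"^/app/rest/users/[^/]+/tokens(/|$)")),
    ("user_create", "POST", re.compile(r"^/app/rest/users/?$")),
    ("plugin_upload", "POST", re.compile(r"^/admin/pluginUpload\.html$")),
    ("debug_process", None, re.compile(r"^/app/rest/debug/process")),
]

def classify(method, target):
    """Map a request to a stage name, or None; query string dropped, %-escapes decoded."""
    path = unquote(urlsplit(target).path)
    for name, want, rx in STAGES:
        if want in (None, method) and rx.search(path):
            return name
    return None

def events(lines):
    """Yield (ip, timestamp, stage) for successful (2xx) requests that hit a stage."""
    for line in lines:
        m = LINE.match(line)
        if m and m["status"].startswith("2"):
            stage = classify(m["method"], m["target"])
            if stage:
                yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), stage

def find_chains(lines, window=timedelta(minutes=10)):
    """Return (ip, credential_stage, execution_stage, gap_seconds) for each chain."""
    last_cred, hits = {}, []
    for ip, ts, stage in sorted(events(lines), key=lambda e: e[1]):
        if stage in ("token_create", "user_create"):
            last_cred[ip] = (ts, stage)
        elif ip in last_cred and ts - last_cred[ip][0] <= window:
            cred_ts, cred_stage = last_cred[ip]
            hits.append((ip, cred_stage, stage, int((ts - cred_ts).total_seconds())))
    return hits

SAMPLE = [  # constructed log lines, documentation IP ranges
    '198.51.100.7 - - [05/Mar/2024:10:00:01 +0000] "POST /app/rest/users/id:1/tokens/ci HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Mar/2024:10:00:09 +0000] "POST /admin/pluginUpload.html HTTP/1.1" 200 64',
    '192.0.2.10 - - [05/Mar/2024:10:05:00 +0000] "GET /app/rest/builds?count=5 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [05/Mar/2024:11:00:00 +0000] "POST /admin/pluginUpload.html HTTP/1.1" 200 64',
]
print(find_chains(SAMPLE))
```

A match is a triage lead rather than a verdict: an administrator who legitimately creates a token and then installs a plugin from one address produces the same sequence.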

Author

sfewer-r7

Platform

Java, Linux, Unix, Windows

Architectures

java, cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > show targets
...targets...
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > set TARGET <target-id>
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > show options
...show and set options...
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > exploit
