Description
This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older version of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198msf undefined(jetbrains_teamcity_rce_cve_2024_27198) > show actions ...actions...msf undefined(jetbrains_teamcity_rce_cve_2024_27198) > set ACTION < action-name >msf undefined(jetbrains_teamcity_rce_cve_2024_27198) > show options ...show and set options...msf undefined(jetbrains_teamcity_rce_cve_2024_27198) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub