跳转到帖子

JetBrains TeamCity Unauthenticated Remote Code Execution

recommended_posts

发布于
  • Members

JetBrains TeamCity Unauthenticated Remote Code Execution

Disclosed
03/04/2024
Created
03/14/2024

Description

This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older version of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested.

Author(s)

  • sfewer-r7

Platform

Java,Linux,Unix,Windows

Architectures

java, cmd

Development

  • Source Code
  • History
  • 查看数 705
  • 已创建
  • 最后回复

参与讨论

你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
注意:你的帖子需要版主批准后才能看到。

游客
回帖…