Investigating Two TeamCity Authentication Bypass Vulnerabilities

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Vulnerability exploits are the third most common way that cybercriminals gain access to target organizations, surpassed only by credential stealing and phishing in 2023. Once illicit access is achieved, intruders can launch ransomware attacks, exfiltrate sensitive data for sale in darknet forums or execute account takeovers, among an extensive array of other options to inflict damage. 

I highly encourage you to watch Securing the Top 3 SME Attack Vectors” for a deeper technical dive into the mechanics and mitigations of vulnerability exploitation, as well as credential stealing and phishing. It offers expert insights and advice for I.T. security teams at small-to-medium enterprises to prevent, detect and remediate today’s most pressing threats — without the sprawling security staff or blank-check budgets of a Fortune 500.

In this piece, we’ll unpack a specific example that affected organizations worldwide. Two authentication bypass vulnerabilities affecting TeamCity On-Premises were disclosed in March.

  1. CVE-2024-27198, which is critical severity (CVSS 9.8)
  2. CVE-2024-27199, which is high severity (CVSS 7.3).

TeamCity is a popular CI/CD solution used to build and test software products in an automated manner.

Successful exploitation of CVE-2024-27198,

Many of over 2,000 TeamCity servers exposed to the internet were not quickly patched. 

The vulnerabilities were seen exploited in the wild, as evidenced by a surge of hundreds of new admin user creations that have been observed on unpatched TeamCity servers.

Shadowserver, a nonprofit security organization that gathers and analyzes data on malicious Internet activities, recorded thousands of attempts to exploit the CVE-2024-27198 vulnerability:

Affected Versions

The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.

How to Exploit CVE-2024-27198

The first of two relevant vulnerabilities, CVE-2024-27198 stems from the class “jetbrains.buildServer.controllers.BaseController” in the “web-openapi.jar” library, and how it handles web requests.

  • The class “BaseController” uses the method “handleRequestInternal” to service web requests.
  • If the request ends up not being redirected (HTTP 302), the method “updateViewIfRequestHasJspParameter” is called.

In the “updateViewIfRequestHasJspParameter” method, the Boolean variable “isControllerRequestWithViewName” checks two conditions: 

  1. If “modelAndView” has a name and the second, 
  2. If the servlet path of the request doesn’t end in “.jsp”

Then the “getJspFromRequest” method is called and its output is transferred to the method “ModelAndView.setViewName”.

Reviewing the “getJspFromRequest” method details we can see that it pulls the HTTP parameter “jsp” from the web request. The parameter is tested to verify that it ends with “.jsp” and does not contain the path “admin/”.

Given this information, an attacker can manipulate their web request to access arbitrary endpoints without authentication if they fulfill all of the following conditions:

  • Requesting an unauthenticated and non-existing resource. For example: “/hax”.
    • This will trigger a response from the server that generates a servlet path of “/404.html”, which is both not a redirect response, and does not end in “.jsp”.
  • Setting the value of the “jsp” parameter in the request as the authenticated resource the attacker wishes to access.
    • This can be done by appending an HTTP query string, such as “?jsp=/app/rest/server”
  • Ensuring that the path requested ends with “.jsp”.
    • This can be done by appending “;.jsp” to the request.

Exploiting this vulnerability bypasses authentication, granting an attacker full access to the server by performing one of the following actions:

  1. The attacker can manipulate the “/app/rest/users” endpoint to remotely create a new admin account on the server:
  2. The attacker could also generate a new administrator access token:

How to exploit CVE-2024-27199

The second vulnerability, CVE-2024-27199, is an authentication bypass vulnerability that utilizes Path Traversals. Several paths in the TeamCity server were found to be vulnerable to path traversals, including:

  • /res/
  • /update/
  • /.well-known/acme-challenge/

Using these paths, an attacker can bypass authentication to access a limited number of resources that leak information and, in some cases, even allow the modification of settings. For example, normally the resource “/admin/diagnostic.jsp” does not allow unauthenticated access:

However, when leveraging the path traversal vulnerability and using the path “/res/../admin/diagnostic.jsp”, access is granted:

This vulnerability can also be exploited by an attacker to cause a denial-of-service on the server by targeting the endpoint “/app/https/settings/uploadCertificate”. An attacker can use this endpoint to upload their certificate on the server and change its listening port.

To achieve this, a POST request to the path “/res/../app/https/settings/uploadCertificate” with the created certificate can be made:

A look within the server’s settings shows that the changes were indeed made:

How Can We Mitigate This?

Update TeamCity to the latest version (2023.11.4) by using the automatic update option in the TeamCity server or, alternatively, by manually downloading the new version via the JetBrains website.

For customers who cannot upgrade the server, JetBrains offers a security patch plugin that will patch the vulnerabilities on all TeamCity versions:

Conclusion

For further guidance to safeguarding your SME, watchSecuring the Top 3 SME Attack Vectors.” And make sure your team is empowered by an affordable, easy to use solution, such as Cynet’s All-in-One Cybersecurity Solution, which is purpose-built for small teams. After all, the future of your organization is too important to gamble.