CVE-2024-27198

Hello everyone today we have something different today we going to make POC of the CVE-2024-27198 vulnerability affecting JetBrains TeamCity versions prior to 2023.11.4. What make me think of creating this exploit was a Try Hack Me machine. called Brains.https://medium.com/@jfjbn4/tryhackme-brains-writeup-987dbdfcd963

i uses an exploit there and i thought why do not i make it myself and here i did it.

---

Git.

All of the code is exist within my git repo.

GitHub - Cythonic1/CVE-2024-27198_POC: a proof of concept of the CVE-2024-27198 which infect jetbrains teamCityGitHub

What is CVE-2024-27198.

the CVE-2024-27198 is a authentication bypass vulnerability which able unauthenticated attacker to access authenticated endpoints.

CVE-2024-27198 explained (TeamCity Auth Bypass)Hack The Box

CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED) | Rapid7 BlogRapid7 Blog

Hack The Box and Rapid 7 explain the vulnerability better than my so here we just going to go through the code and explain it.

The 3 Rules.

To exploit this vulnerability 3 rules must be satisfied.

1. We fist need to generate Request the return 404. Simple access unexistence end point.

2. We need to add jsp as url prameter and assigne the authenticated endpoint as it's value.

3. We need to end it with ;.jsp. the ; mean sperate from the rest .jsp to make it look as jsp request.

using such url on vuln version will allow you to access secure endpoints.

{ip_address}/sdkjhdfajghsjdhf?jsp=/app/rest/server;.jsp

1. /sdkjhdfajghsjdhf. non existance page.

2. jsp=/app/rest/server the page we want to access within the jsp parameter.

3. ;.jsp end with ;.jsp.

The Exploit.

Check if the exploit exist.

First we take the Url of the target system as command line argument.

Then we check if the target system is vulnerable or not.

This is_vuln function is so simple it returns boolean value.

Generate username and password and create user.

So here we generate random username and password and create a new user with administrator access.

and this is a create_new_user functionj which take random generated username and password and send it as json request.

generate token.

So as you can see we call function get_token and this function will return either a token or nothing or error. and a best world it will return a valid token so that we can upload our exploit.

This is the get token function it will fetch the token for the id user 1 which usually is the admin.

Upload payload and execute commands.

To to these we need to make sure that we have a valid token thats why if the generation of the token failed we can not compelete the exploit.

This is the upload evil plugin function i give the credits to this beast.

GitHub - W01fh4cker/CVE-2024-27198-RCE: CVE-2024-27198 & CVE-2024-27199 Authentication Bypass --> RCE in JetBrains TeamCity Pre-2023.11.4GitHub

This zip file contain these to files.

So for myPlugin.jsp we use jsp which is a java code that can run on the web. and the xml file is just to know details about the plugin. and we just send the file as parts.

enable the plugin.

So after uploading the plugin we just need to enable it.

Execute commands.

After upload and enable the plugin we can execute commands.

As you can see we can access our plugin url and execute commands.

Running the code.

As you can see we able to execute out command which is whoami. and since am running this in docker so its a root user.

And here from the web we can execute commands from get prameter.

Conclusion.

in the end what actully make me try to make this exploit is first that i love to create exploit specilly in Rust and i want to see how a big product such jetBrains could have such weak vulnerability.

Finally i would like to credite.

GitHub - W01fh4cker/CVE-2024-27198-RCE: CVE-2024-27198 & CVE-2024-27199 Authentication Bypass --> RCE in JetBrains TeamCity Pre-2023.11.4GitHub

i learned from him to get the docker container and the java exploit he is a master.