Key points
- CVE-2024-27198 is a critical (CVSS 9.8) authentication bypass via an alternative path in TeamCity’s web component that can allow unauthenticated RCE and full server compromise.
- CVE-2024-27199 is a path traversal-based authentication bypass (CVSS 7.3) permitting limited information disclosure and system modification, including uploading attacker-supplied HTTPS certificates.
- CVE-2024-27198 exploitation hinges on BaseController.updateViewIfRequestHasJspParameter and getJspFromRequest, allowing an attacker to set the DispatcherServlet target via a ?jsp= parameter and a crafted path ending in .jsp.
- Successful exploitation examples include creating administrator users (/app/rest/users), generating admin access tokens, uploading malicious plugins for RCE, and changing HTTPS certificates/ports via /app/https/settings/uploadCertificate.
- TeamCity 2023.11.4 patches both vulnerabilities; Rapid7 urges immediate upgrades and provides log-based IOCs and detection guidance for customers.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited TeamCity’s web interface to bypass authentication by crafting URLs and parameters to reach authenticated endpoints; (‘An attacker can craft a URL such that all authentication checks are avoided, allowing endpoints that are intended to be authenticated to be accessed directly by an unauthenticated attacker.’).
- [T1136] Create Account – Attacker-created administrator accounts via the REST API to obtain persistent admin access; (‘an unauthenticated attacker can create a new administrator user with a password the attacker controls, by targeting the /app/rest/users REST API endpoint:’).
- [T1550] Use Alternate Authentication Material – Attacker-generated administrator access tokens (API tokens) to authenticate post-exploitation; (‘an unauthenticated attacker can generate a new administrator access token with the following request:’).
Indicators of Compromise
- [IP Address] target/test hosts used in the report’s demonstrations – 172.29.228.65, 192.168.86.68.
- [HTTP request pattern] rewritten URI log artifacts – requests containing ‘;*.jsp’ together with a ‘jsp=’ query parameter (e.g., ‘/hax?jsp=/app/rest/server;.jsp’, or a logged rewritten URI containing ‘;.jsp?jsp=’).
- [Access token / token name] attacker-created tokens and names – example token value ‘eyJ0eXAiOiAiVENWMiJ9.RzR2cHVj…’ and token name ‘2vrflIqo’.
- [Plugin name / folder] malicious plugin artifacts and names – example plugin ‘WYyVNA6r’ and folders like ‘TC_147512_WYyVNA6r’ (and related unpacked plugin cache entries).
- [File paths / logs] TeamCity file and log locations – C:\TeamCity\logs (Windows) and /opt/TeamCity/logs/ (Linux); specific log examples: teamcity-javaLogging-2024-02-26.log, teamcity-server.log, teamcity-activities.log.
To exploit CVE-2024-27198, an attacker abuses TeamCity’s BaseController logic: when a request produces a controller ModelAndView with a view name and the servlet path does not end in .jsp, BaseController.updateViewIfRequestHasJspParameter calls getJspFromRequest and may set ModelAndView.setViewName() to the supplied jsp parameter. By requesting a non-existent resource (e.g., /hax), which yields a 404 servlet path, and appending a query parameter named jsp whose value is the target authenticated endpoint plus a path segment ending in .jsp (for example: /hax?jsp=/app/rest/server;.jsp), the DispatcherServlet is coerced into handling the authenticated endpoint without authentication. Rapid7 demonstrates calling endpoints (e.g., /app/rest/server), creating admin users (/app/rest/users), and generating admin access tokens through this mechanism.
CVE-2024-27199 leverages path traversal from specific public paths (e.g., /res/, /update/, /.well-known/acme-challenge/) to reach protected JSP and servlet endpoints using ‘..’ segments. Examples include reaching /res/../admin/diagnostic.jsp to disclose diagnostic/server information and using /res/../app/https/settings/uploadCertificate to POST an attacker-supplied certificate and key, changing the TLS configuration and port. The report shows attacker-generated certificates (openssl examples) and multipart/form-data POST uploads that return HTTP 200 and alter the server’s HTTPS settings, enabling denial-of-service or man-in-the-middle scenarios if clients trust the uploaded certificate.
Detection and remediation guidance focuses on log signatures and artifact locations: look for logged rewritten URIs containing ‘;*.jsp’ and ‘jsp=’ in teamcity-javaLogging, audit entries for token creation/deletion and plugin upload/delete in teamcity-activities.log and teamcity-server.log, and filesystem artifacts such as plugin names (e.g., WYyVNA6r) and disabled-plugins.xml entries. Rapid7 recommends an immediate upgrade to TeamCity 2023.11.4 (which patches both CVEs) and monitoring the listed logs and paths for the IOC patterns described above.