CVE-2024-27198 - Authentication Bypass Vulnerability in JetBrains TeamCity before 2023.11.4 Allowing Unauthorized Admin Actions

A highly critical security vulnerability, CVE-2024-27198, was recently discovered in JetBrains TeamCity, a popular web-based software for managing software development projects. This vulnerability allows an attacker to bypass the authentication mechanism and perform administrative actions without proper authorization. In this post, we will discuss the details of this exploit and provide some code snippets that demonstrate the vulnerability in vulnerable versions of JetBrains TeamCity before 2023.11.4.

Exploit Details

The exploit exists due to a flaw in the way JetBrains TeamCity handles authentication and session management. In certain scenarios, a non-authenticated user can access protected resources and gain administrative privileges, which can lead to unauthorized control over the affected application.

The exploit involves manipulating the session token and leveraging a weakness in the underlying authentication framework. By altering the token's content and format, an attacker can bypass the authentication process and gain full access to administrative features.

To demonstrate the exploit, let's assume a scenario where an attacker successfully discovers a valid session token through social engineering or by intercepting the token as it's transmitted over an insecure connection. Here's a sample HTTP request that can be used to retrieve protected resources, such as a list of all projects:

GET /httpAuth/app/rest/projects HTTP/1.1
Host: vulnerable.teamcity.instance.com
Authorization: Bearer {compromised_session_token}

In an unpatched version of JetBrains TeamCity, the attacker can make use of this session token and bypass authentication. Now, let's take a look at an example where an attacker further manipulates the session token to gain administrative access:

POST /httpAuth/app/rest/userGroups/administrators/users HTTP/1.1
Host: vulnerable.teamcity.instance.com
Authorization: Bearer {manipulated_session_token}
Content-Type: application/xml

<user locator="username:attacker"/>

This request adds the "attacker" user to the administrative group, granting them full access to the TeamCity environment.

Affected Versions

The vulnerability affects JetBrains TeamCity installations before version 2023.11.4. If you're using an earlier version of TeamCity, it's crucial to update your software immediately to safeguard against this exploit.

Mitigation Steps

JetBrains has already released a security patch that addresses this vulnerability in their latest version, TeamCity 2023.11.4. Users of affected versions should update their installations as soon as possible to mitigate the risk of exploitation.

Original References

For more information about this vulnerability and its fix, please see the official JetBrains security advisory at:

- CVE-2024-27198: JetBrains Security Advisory
- JetBrains TeamCity: Authentication Bypass Vulnerability

Conclusion

CVE-2024-27198 is a highly critical vulnerability that could lead to significant security breaches in organizations using JetBrains TeamCity. This vulnerability highlights the importance of keeping software up to date and following secure development practices. Make sure your TeamCity installation is updated to the latest version (2023.11.4 or newer) and follow the security best practices outlined above to protect your environment from potential exploits.

Timeline

Published on: 03/04/2024 18:15:09 UTC
Last modified on: 03/11/2024 15:15:47 UTC