Investigating CVE-2024-27198 Attacks Against JetBrains TeamCity Application

Detailing an investigation into attacks against JetBrains TeamCity servers exploiting CVE-2024-27198, the impact of servers exposed globally, and the adversarial attack patterns that can be observed.

INSIGHTS

6/28/2024, 4 min read

Overview of CVEs Targeting TeamCity

Over the last several months, numerous CVEs were released targeting JetBrains' TeamCity CI/CD Servers. CI/CD (Continuous Integration and Continuous Delivery/Deployment) relates to modern application development and is used by companies to maintain the continuous cycle of software development.

  • The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2.

  • CVE-2024-27198: Authentication bypass vulnerability allowing remote unauthenticated Threat Actors to execute arbitrary code and take complete control of affected instances.

  • CVE-2024-23917: Enables unauthenticated Threat Actors with HTTP(S) access to bypass authentication checks and gain administrative control of the server.

  • CVE-2024-27199: Path traversal issue that lets an attacker skip past login checks, potentially enabling limited admin actions to be performed.

  • CVE-2023-42793: allows unauthenticated Threat Actors to bypass authentication and perform remote code execution, potentially leading to a supply chain attack.

As highlighted above, these allow unauthenticated attacks and even have their own Metasploit module. At this point exploitation is trivial and any TeamCity instance exposed to the public is an easy target.

Impact on JetBrains TeamCity and Its Users

While RCE is a heavy impact already, the fact that a CI/CD application has been exploited this way causes even more concern. A compromise of these kinds of servers would give Threat Actors access to source code, signing certificates, and software deployment processes. TeamCity has historically been a target of Nation State actors such as APT 29/Cozy Bear/Midnight Blizzard in regards to CVE-2023-42793, as documented in CISA's Cybersecurity Advisory (CSA) AA23-347A. For unpatched versions, there remain active exploits and POCs available which make targeting any exposed instance trivial.

Investigating Exploitation Involving CVE-2024-27198

General application logging artifacts can be located on JetBrains' documentation.

Logs can be located from the UI Panel: Administration (Top Left) -> Diagnostics (Subset of "Server Administration") -> Server Logs

Or in their default filesystem location (which may be changed by the administrator):

Windows: C:\TeamCity\Logs
Linux: /opt/TeamCity/logs/

The most significant logs are:

%LogLocation%\teamcity-javaLogging-YEAR-MM-DD.txt
%LogLocation%\teamcity-server.txt
%LogLocation%\teamcity-activities.txt

Rapid7's technical post breaks the activity down in more depth, but at a high level we are looking for three things: an access token creation, a malicious plugin upload containing a JAR file, and an administrator account creation.

Access Token Creation

teamcity-javaLogging-YEAR-MM-DD.txt

19-Jun-2024 22:13:50.995 WARNING [http-nio-8111-exec-7] com.sun.jersey.spi.container.servlet.WebComponent.filterFormParameters A servlet request, to the URI http://<TEAMCITY_IPADDRESS>:8111/app/rest/users/id:1/tokens/4F2W7r4O;25DN3V.jsp?jsp=/app/rest/users/id%3a1/tokens/4F2W7r4O%3b25DN3V.jsp&maGLYAm4=bIjBj0h9sg&l5or=F&WD7mA=jR&U=SRT0W43, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.

Here, the token "4F2W7r4O" is created for the user with id=1 by the Threat Actor sending the crafted API request above (note the request path ending in ".jsp" with a "jsp=" parameter pointing at the /app/rest/ endpoint), which then allows the TA to gain control.

Malicious Plugin Upload

teamcity-server.txt

[2024-06-19 22:13:53,528] INFO - lugins.impl.PluginUploaderImpl - New plugin at path 'C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip' (modified: 2024-06-19 22:13:53.517, size: 6.27 KB) was uploaded. The plugin will become available after TeamCity server restart or could be loaded by administrator from UI.

[2024-06-19 22:13:53,530] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin "QNhTKymW" was updated by "user with id=1" with comment "Plugin was uploaded to C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"

[2024-06-19 22:13:53,937] INFO - rver.plugins.PluginsCollection - Load shared classloader for 0 plugins []

[2024-06-19 22:13:53,938] INFO - rver.plugins.PluginsCollection - Load standalone classloaders for 1 plugins [QNhTKymW]

[2024-06-19 22:13:54,067] INFO - rver.plugins.PluginManagerImpl - Plugins initialization completed (1 plugins loaded): [QNhTKymW (ver:5.0.8)]

[2024-06-19 22:13:54,076] INFO - jetbrains.buildServer.CLEANUP - Cleanup start time has been set to 3:00 daily

[2024-06-19 22:13:54,077] INFO - jetbrains.buildServer.CLEANUP - The next cleanup time is 2024-06-20 03:00:00.000

[2024-06-19 22:13:56,768] INFO - ribution.BuildDistributorProxy - Default build distributor will be used

[2024-06-19 22:13:57,089] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_disable: Plugin "QNhTKymW" was disabled by "user with id=1"

[2024-06-19 22:13:58,454] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_deleted: Plugin "QNhTKymW" was deleted by "user with id=1" with comment "Plugin was deleted from C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"

[2024-06-19 22:13:58,477] INFO - s.buildServer.ACTIVITIES.AUDIT - delete_token_for_user: Deleted token "4F2W7r4O" for user "user with id=1" by "user with id=1"


Here we have the lifecycle of the malicious plugin, "QNhTKymW": uploaded, loaded, disabled, and deleted within five seconds, followed by deletion of the access token. While the randomly named plugin is the default of the Metasploit module, you should check for additional instances of plugins being created within TeamCity.

teamcity-activities.txt

[2024-06-19 22:13:53,530] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin "QNhTKymW" was updated by "user with id=1" with comment "Plugin was uploaded to C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"

[2024-06-19 22:13:57,089] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_disable: Plugin "QNhTKymW" was disabled by "user with id=1"

[2024-06-19 22:13:58,454] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_deleted: Plugin "QNhTKymW" was deleted by "user with id=1" with comment "Plugin was deleted from C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"

[2024-06-19 22:13:58,477] INFO - s.buildServer.ACTIVITIES.AUDIT - delete_token_for_user: Deleted token "4F2W7r4O" for user "user with id=1" by "user with id=1"

This is another log file that carries the creation and deletion of the malicious plugin, which we can use to corroborate the server log. The following on-disk locations should also be investigated for remnants of the plugin:

C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\<PluginName>\server\<FileName>.jar
C:\TeamCity\webapps\ROOT\plugins\<PluginName>

Administrator Account Creation

teamcity-server.txt

[2024-06-19 22:36:16,091] INFO - tbrains.buildServer.ACTIVITIES - New user created: user with id=2

[2024-06-19 22:36:16,092] INFO - s.buildServer.ACTIVITIES.AUDIT - user_create: User "user with id=2" was created by "user with id=2"

Finally, investigate user account creations within TeamCity for any abnormal activity.
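The three indicators walked through above (the auth-bypass request shape, the short-lived plugin, and the audit events for tokens and users) can be pulled out of the log files with a small triage script. This is an added example, not code from the original post or from JetBrains; the sample lines are constructed from the entries quoted above (the IP address is a placeholder, the "CorpBuildTools" plugin is an invented benign upload), and the 60-second plugin-lifetime threshold is a heuristic assumption.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines, modelled on the entries quoted in this post
# (plugin name, token and timestamps are the post's own sample values;
# the IP address is a placeholder and "CorpBuildTools" is invented).
SAMPLE_LOG = r"""
19-Jun-2024 22:13:50.995 WARNING [http-nio-8111-exec-7] com.sun.jersey.spi.container.servlet.WebComponent.filterFormParameters A servlet request, to the URI http://192.0.2.10:8111/app/rest/users/id:1/tokens/4F2W7r4O;25DN3V.jsp?jsp=/app/rest/users/id%3a1/tokens/4F2W7r4O%3b25DN3V.jsp&U=SRT0W43, contains form parameters in the request body
[2024-06-19 22:13:53,530] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin "QNhTKymW" was updated by "user with id=1" with comment "Plugin was uploaded to C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"
[2024-06-19 22:13:58,454] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_deleted: Plugin "QNhTKymW" was deleted by "user with id=1" with comment "Plugin was deleted from C:\ProgramData\JetBrains\TeamCity\plugins\QNhTKymW.zip"
[2024-06-19 22:13:58,477] INFO - s.buildServer.ACTIVITIES.AUDIT - delete_token_for_user: Deleted token "4F2W7r4O" for user "user with id=1" by "user with id=1"
[2024-06-19 22:36:16,092] INFO - s.buildServer.ACTIVITIES.AUDIT - user_create: User "user with id=2" was created by "user with id=2"
[2024-06-20 09:00:00,000] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin "CorpBuildTools" was updated by "user with id=1"
"""

# CVE-2024-27198 bypass shape as seen in teamcity-javaLogging: a request path
# ending in ".jsp" whose "jsp=" query parameter names an authenticated REST path.
BYPASS_RE = re.compile(r"URI \S+\.jsp\?\S*?jsp=(/app/rest/[^\s&,]*)")
# TeamCity truncates logger names, so match any prefix before ACTIVITIES.AUDIT.
AUDIT_RE = re.compile(r"^\[(\S+ \S+)\] INFO - \S+ACTIVITIES\.AUDIT - (\w+): (.*)$")
WATCHED = {"plugin_uploaded", "plugin_disable", "plugin_deleted",
           "delete_token_for_user", "user_create"}

def triage(log_text, max_plugin_lifetime_s=60):
    """Return (kind, detail) findings from TeamCity log text, in log order."""
    findings, uploads = [], {}
    for line in log_text.splitlines():
        m = BYPASS_RE.search(line)
        if m:  # decode %3a / %3b so the analyst sees the real target path
            findings.append(("auth_bypass_request", unquote(m.group(1))))
            continue
        m = AUDIT_RE.match(line)
        if not m or m.group(2) not in WATCHED:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        event, body = m.group(2), m.group(3)
        findings.append((event, body))
        plugin = re.search(r'Plugin "([^"]+)"', body)
        if event == "plugin_uploaded" and plugin:
            uploads[plugin.group(1)] = ts
        elif event == "plugin_deleted" and plugin and plugin.group(1) in uploads:
            life = (ts - uploads[plugin.group(1)]).total_seconds()
            if life <= max_plugin_lifetime_s:  # upload-and-remove is the exploit pattern
                findings.append(("short_lived_plugin",
                                 f"{plugin.group(1)} removed {life:.1f}s after upload"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Point it at the concatenated teamcity-javaLogging, teamcity-server and teamcity-activities files; every plugin_uploaded and user_create line is reported for review, and only plugins removed within the threshold are additionally flagged as short-lived.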

Conclusion

While TeamCity application logs can be helpful here in establishing abnormal activity, post-exploitation may be one of your first indicators of malicious activity. As stated in CISA's CSA, adversaries tend to move to reconnaissance using normal Windows binaries to query the system. From there, they can move to file exfiltration with interest in Visual Studio and SQL-related files, and attempt to escalate privileges or establish persistence.

If running a TeamCity version lower than 2023.11.2, it is highly recommended to update to the latest version of TeamCity.