typo and clarify description
This commit is contained in:
parent
aac4ef09cc
commit
b925f798e5
|
@ -3,7 +3,10 @@ This module exploits an authentication bypass vulnerability in JetBrains TeamCit
|
|||
attacker can leverage this to access the REST API and create a new administrator access token. This token
|
||||
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
|
||||
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist
|
||||
so the exploit will instead create a new administrator account before uploading a plugin.
|
||||
so the exploit will instead create a new administrator account before uploading a plugin. Older version of
|
||||
Team city have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,
|
||||
however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code
|
||||
execution instead, as this is supported on all versions tested.
|
||||
|
||||
For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/K3wddwP3IJ/cve-2024-27198/rapid7-analysis).
|
||||
|
||||
|
|
|
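Review bot: The sentences added to the description, starting at "Older version of", introduce new wording errors in a commit whose purpose is to fix typos. "Team city" should be "TeamCity", as it is spelled everywhere else in this paragraph, and both "Older version of ... have" and "recent version of TeamCity no longer ship" need the plural "versions". "hence why" can simply be "so". Suggested wording: "Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows arbitrary commands to be executed; recent versions no longer ship this endpoint, so a plugin is leveraged for code execution instead, as this is supported on all versions tested."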
@ -20,7 +20,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
attacker can leverage this to access the REST API and create a new administrator access token. This token
|
||||
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
|
||||
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist
|
||||
so the exploit will instead create a new administrator account before uploading a plugin.
|
||||
so the exploit will instead create a new administrator account before uploading a plugin. Older version of
|
||||
Team city have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,
|
||||
however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code
|
||||
execution instead, as this is supported on all versions tested.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
|
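Review bot: The description text added in this hunk is a word-for-word copy of the documentation paragraph, so the "Team city" spelling and the singular "Older version of" / "recent version of" carry over into the module itself; correct them here in the same way as in the documentation so the two copies stay identical. In the last added line, "all versions tested" does not say which versions those are; either name them or state where the tested-version list can be found, so a reader of the module description alone can tell how far the plugin-based path has been verified.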
@ -299,7 +302,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# NOTE: We place bootstrap_ognl in a separate bean, as it this generates an exception the plugin will fail
|
||||
# to load correctly, which prevents the exploit from deleting the plugin later. We choose java.beans.Encoder
|
||||
# as the setExceptionListener method will accept the null value the bootstrap_ognl will generate. If we
|
||||
# choose a property that does no exist, we generate a several of exceptions in the teamcity-server.log.
|
||||
# choose a property that does not exist, we generate several exceptions in the teamcity-server.log.
|
||||
|
||||
zip_resources.add_file(
|
||||
"META-INF/build-server-plugin-#{plugin_name}.xml",
|
||||
|
|
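Review bot: The first comment line of this hunk still reads "as it this generates an exception", which looks like a typo for "as if this generates an exception". Since the line two below it is being corrected in this commit ("does no exist" to "does not exist", "a several of exceptions" to "several exceptions"), fix the first line in the same pass so the NOTE block reads cleanly.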