typo and clarify description

This commit is contained in:
sfewer-r7 2024-03-05 14:39:17 +00:00
parent aac4ef09cc
commit b925f798e5
No known key found for this signature in database
2 changed files with 9 additions and 3 deletions

@ -3,7 +3,10 @@ This module exploits an authentication bypass vulnerability in JetBrains TeamCit
attacker can leverage this to access the REST API and create a new administrator access token. This token
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist
so the exploit will instead create a new administrator account before uploading a plugin.
so the exploit will instead create a new administrator account before uploading a plugin. Older version of
Team city have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,
however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code
execution instead, as this is supported on all versions tested.
For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/K3wddwP3IJ/cve-2024-27198/rapid7-analysis).
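Review bot: the sentence added to this hunk introduces new wording errors in a commit meant to fix a typo: "Older version of Team city have a debug endpoint" should read "Older versions of TeamCity have a debug endpoint", "recent version of TeamCity no longer ship" should be "recent versions of TeamCity no longer ship", and "hence why a plugin is leveraged for code execution instead" reads more naturally as "which is why a plugin is used for code execution instead". It would also help readers to name the version range in which /app/rest/debug/process is still present, so they can tell when the account-plus-plugin path is actually required rather than just "older" versions. The same paragraph is pasted into the module's Description in the following hunk, so both copies need the identical fix.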

@ -20,7 +20,10 @@ class MetasploitModule < Msf::Exploit::Remote
attacker can leverage this to access the REST API and create a new administrator access token. This token
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist
so the exploit will instead create a new administrator account before uploading a plugin.
so the exploit will instead create a new administrator account before uploading a plugin. Older version of
Team city have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,
however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code
execution instead, as this is supported on all versions tested.
},
'License' => MSF_LICENSE,
'Author' => [
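Review bot: the Description text added here carries the same grammar slips as the documentation hunk: "Older version of Team city have" should be "Older versions of TeamCity have", "recent version of TeamCity no longer ship" should be "recent versions of TeamCity no longer ship", and "hence why a plugin is leveraged" should be "which is why a plugin is used". Because this string is what `info` shows to users, it is worth keeping it byte-for-byte identical to the markdown documentation so the two do not drift; a follow-up edit to one file without the other is the usual way these descriptions end up inconsistent.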
@ -299,7 +302,7 @@ class MetasploitModule < Msf::Exploit::Remote
# NOTE: We place bootstrap_ognl in a separate bean, as it this generates an exception the plugin will fail
# to load correctly, which prevents the exploit from deleting the plugin later. We choose java.beans.Encoder
# as the setExceptionListener method will accept the null value the bootstrap_ognl will generate. If we
# choose a property that does no exist, we generate a several of exceptions in the teamcity-server.log.
# choose a property that does not exist, we generate several exceptions in the teamcity-server.log.
zip_resources.add_file(
"META-INF/build-server-plugin-#{plugin_name}.xml",
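Review bot: the unchanged context line directly above the corrected comment still reads "as it this generates an exception the plugin will fail to load correctly", where "as it this" should be "as if this"; since this commit already touches the same comment block to fix "does no exist" and "a several of exceptions", that stray word should be fixed in the same change rather than left for another typo commit. The rest of the corrected line ("several exceptions in the teamcity-server.log") now reads correctly.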