## https://sploitus.com/exploit?id=DCC8F833-AFE2-5D73-BF99-D3D8C6F3EB5A
## TeamCity IntelliJ IDEA Plugin credential interception (CVE-2020-35667)
### Description
This is a reproduction of **CVE-2020-35667** by building a fake XML-RPC TeamCity endpoint.
CVE-2020-35667 is an **SSRF vulnerability** in the JetBrains TeamCity Plugin for IntelliJ IDE.
The old TeamCity IntelliJ plugin requests a public key from the server, encrypts the password with it, and sends it back.
Since the server is attacker-controlled, the attacker decrypts and logs the plaintext credentials.
The vulnerability was reported by **Jonathan Leitschuh** (https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/).
Exploiting this vulnerability allows **interception of plaintext user credentials** during the plugin login process via an **attacker-controlled XML-RPC** endpoint.
### Reproduction Environment
This is my setup for reproducing the issue:
- IntelliJ IDEA Community Edition 2018.1.8
  - https://www.jetbrains.com/idea/download/other.html
- TeamCity 2020.2.1 (build 85633)
  - https://www.jetbrains.com/help/teamcity/previous-releases-downloads.html#TeamCity+2020.2.1
- Vulnerable TeamCity IntelliJ Plugin
  - Download from the TeamCity Dashboard UI after running TeamCity
  - Plugin .zip file name: **TeamCity-IDEAplugin.zip**
  - SHA256 hash: 98aaaea4276f718c6c9cf3cb5383da1be6af9daa29e5b17fda8fa70d6bc1342f
- OS: Windows 10
- Python version: 3.12.7
  - Python requirements are located in cve2020-35667/requirements.txt
### Quick Start
```bash
pip install -r requirements.txt
python poc_server.py
# Server listens on http://127.0.0.1:8888
```
1. In IntelliJ, install or enable the old TeamCity plugin.
2. In IntelliJ menu: TeamCity -> Login -> Server URL: http://127.0.0.1:8888.
3. Enter a test username and password and Connect.
**Expected result (vulnerable)**: User credentials are logged in the server console.
**Expected behavior if secure**: Client validates server identity and key authenticity, credentials are not exposed to a spoofed endpoint.
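The secure behavior described above can be sketched as a client-side gate that runs before the password is encrypted. This is an added example, not code from this repository and not the JetBrains fix; the function names, the pinned-fingerprint trust store, and the host `teamcity.example.test` are assumptions made for illustration, and the key bytes are constructed samples.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical trust store: host -> SHA-256 fingerprint of the server's
# public key, recorded out of band. Values below are constructed samples.
TRUSTED_KEY = b"constructed-sample-public-key-bytes-for-teamcity.example.test"
PINNED = {"teamcity.example.test": hashlib.sha256(TRUSTED_KEY).hexdigest()}


def key_fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 fingerprint of the encoded public key the server offered."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def may_send_credentials(server_url: str, offered_key: bytes, pinned=PINNED):
    """Return (allowed, reason); credentials are sent only if allowed."""
    url = urlsplit(server_url)
    host = (url.hostname or "").lower()
    # Plain HTTP gives no server identity: anyone answering can supply a key.
    if url.scheme != "https":
        return False, "refused: transport is not HTTPS"
    expected = pinned.get(host)
    if expected is None:
        return False, "refused: no pinned key for host " + host
    # Encrypting under a key the peer just handed over protects nothing
    # unless that key is the one already trusted for this host.
    if not hmac.compare_digest(key_fingerprint(offered_key), expected):
        return False, "refused: offered key does not match pinned fingerprint"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("http://127.0.0.1:8888", b"key-from-spoofed-endpoint"),
        ("https://teamcity.example.test", b"key-from-spoofed-endpoint"),
        ("https://teamcity.example.test", TRUSTED_KEY),
    ]
    for url, key in cases:
        print(url, "->", may_send_credentials(url, key))
```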
See **REPORT.md** for the full Proof of Concept report.
See **ANALYSIS.md** for the in-depth workflow analysis.
### References
- https://www.cvedetails.com/cve/CVE-2020-35667/
- https://www.cvedetails.com/version-search.php?cpeMatchCriteriaId=3e994ed2-05fc-4b08-a580-fda3748d8e26
- https://www.cvedetails.com/version/1136868/Jetbrains-Teamcity-2020.2.1.html
- https://www.cvedetails.com/metasploit-modules/version-1136868/Jetbrains-Teamcity-2020.2.1.html
- https://vulners.com/cve/CVE-2020-35667
- https://nvd.nist.gov/vuln/detail/CVE-2020-35667
- https://cwe.mitre.org/data/definitions/918.html
- https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
- https://www.jetbrains.com/teamcity/
- https://www.youtube.com/watch?v=zqi4fDF-S60
- https://x-stream.github.io/tutorial.html