Share
## https://sploitus.com/exploit?id=F9BCBF97-222B-5277-983B-EE47DF079EB7
# Research: TeamCity Authentication Bypass (CVE-2024-27198) Simulation

![Security Research](https://img.shields.io/badge/Research-Security-red) ![TeamCity](https://img.shields.io/badge/TeamCity-CI/CD-blue) ![CVE](https://img.shields.io/badge/CVE--2024--27198-Critical-orange)

## ํ”„๋กœ์ ํŠธ ์†Œ๊ฐœ (Project Overview)

๋ณธ ํ”„๋กœ์ ํŠธ๋Š” **JetBrains TeamCity**์—์„œ ๋ฐœ๊ฒฌ๋œ ์‹ฌ๊ฐํ•œ ์ธ์ฆ ์šฐํšŒ ์ทจ์•ฝ์ ์ธ **CVE-2024-27198**์„ ์—ฐ๊ตฌํ•˜๊ณ  ์‹œ์—ฐํ•˜๊ธฐ ์œ„ํ•ด ๊ตฌ์ถ•๋œ **์—ฐ๊ตฌ์šฉ PoC(Proof of Concept) ํ™˜๊ฒฝ**์ž…๋‹ˆ๋‹ค.

์ด ์ทจ์•ฝ์ ์€ TeamCity ์„œ๋ฒ„์˜ ์›น ๊ตฌ์„ฑ ์š”์†Œ์—์„œ ๋ฐœ์ƒํ•˜๋Š” ๋กœ์ง ์˜ค๋ฅ˜๋ฅผ ์ด์šฉํ•˜์—ฌ, ๊ณต๊ฒฉ์ž๊ฐ€ ์ธ์ฆ ์—†์ด ๊ด€๋ฆฌ์ž ๊ธฐ๋Šฅ์„ ์ˆ˜ํ–‰ํ•˜๋Š” REST API ์—”๋“œํฌ์ธํŠธ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๊ฒŒ ํ•ฉ๋‹ˆ๋‹ค. ๋ณธ ํ™˜๊ฒฝ์—์„œ๋Š” ์‹ค์ œ ์ทจ์•ฝํ•œ ๋ฒ„์ „์˜ TeamCity ์„œ๋ฒ„๋ฅผ Docker ์‹œ์Šคํ…œ์œผ๋กœ ๊ตฌ์ถ•ํ•˜์—ฌ, **์ธ์ฆ ์šฐํšŒ**๋ถ€ํ„ฐ **๊ด€๋ฆฌ์ž ๊ณ„์ • ํƒˆ์ทจ**, ๊ทธ๋ฆฌ๊ณ  **์•…์„ฑ ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ํ†ตํ•œ RCE(์›๊ฒฉ ์ฝ”๋“œ ์‹คํ–‰)**๊นŒ์ง€์˜ ์ „์ฒด ๊ณต๊ฒฉ ์ฒด์ธ์„ ์‹œ๋ฎฌ๋ ˆ์ด์…˜ํ•ฉ๋‹ˆ๋‹ค.

### ์—ฐ๊ตฌ ๋ชฉํ‘œ
1. **Authentication Bypass** ์ทจ์•ฝ์ ์˜ ๊ทผ๋ณธ ์›์ธ(Path Traversal/Logic Error) ๋ถ„์„
2. REST API๋ฅผ ํ†ตํ•œ ๊ถŒํ•œ ์ƒ์Šน(Privilege Escalation) ๊ณผ์ • ์ดํ•ด
3. CI/CD ์„œ๋ฒ„ ์žฅ์•…์ด ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ(Supply Chain Attack)์— ๋ฏธ์น˜๋Š” ์˜ํ–ฅ ๋ถ„์„

---

## ๊ธฐ์ˆ  ์Šคํƒ (Tech Stack)

| ๊ตฌ๋ถ„ | ์Šคํƒ | ๋ฒ„์ „ | ๋น„๊ณ  |
| :--- | :--- | :--- | :--- |
| **Application** | TeamCity Server | `2023.11.3` | **Vulnerable Version** |
| **Database** | HSQLDB | (Internal) | Data Storage |
| **Infrastructure** | Docker / Compose | - | Container Environment |
| **Exploit** | REST API / JSP | - | **Attack Vector** |

---

## ์ทจ์•ฝ์  ๋ถ„์„ ๋ณด๊ณ ์„œ (Vulnerability Report)

๋ณธ ํ”„๋กœ์ ํŠธ์—์„œ ๋ถ„์„ํ•œ ํ•ต์‹ฌ ์ทจ์•ฝ์ ์€ ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค.

### 1. Authentication Bypass via URL Manipulation
*   **CVE-2024-27198**
*   **์„ค๋ช…**: ํŠน์ • URL ํŒจํ„ด(์˜ˆ: `/hax?jsp=/app/rest/users;.jsp`)์„ ์‚ฌ์šฉํ•˜์—ฌ ์ธ์ฆ ํ•„ํ„ฐ๋ฅผ ์šฐํšŒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ์„œ๋ฒ„๊ฐ€ ์š”์ฒญ ๊ฒฝ๋กœ๋ฅผ ์ฒ˜๋ฆฌํ•  ๋•Œ ์‚ฌ์šฉํ•˜๋Š” ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์™€ TeamCity ๋‚ด๋ถ€ ๋กœ์ง ์‚ฌ์ด์˜ ๋ถˆ์ผ์น˜๋กœ ์ธํ•ด ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค.
*   **์œ„ํ—˜๋„**: **Critical (Full System Access)**

### 2. RCE via Malicious Plugin Upload
*   **Methodology**
*   **์„ค๋ช…**: ํš๋“ํ•œ ๊ด€๋ฆฌ์ž ๊ถŒํ•œ์„ ์ด์šฉํ•˜์—ฌ ์•…์„ฑ JSP ์ฝ”๋“œ๊ฐ€ ํฌํ•จ๋œ ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ์—…๋กœ๋“œํ•ฉ๋‹ˆ๋‹ค. TeamCity๋Š” ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ๋กœ๋“œํ•  ๋•Œ ํฌํ•จ๋œ ๋ฆฌ์†Œ์Šค๋ฅผ ์›น ๊ฒฝ๋กœ์— ๋…ธ์ถœ์‹œํ‚ค๋ฏ€๋กœ, ์ด๋ฅผ ํ†ตํ•ด ์›น์‰˜(WebShell) ์‹คํ–‰์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.
*   **Payload ์˜ˆ์‹œ**: `curl -X POST -u "attacker:pass" -F "file=@malicious-plugin.zip" ...`

---

## ์‹คํ–‰ ๋ฐ ๊ฒ€์ฆ (How to Reproduce)

์—ฐ๊ตฌ ๋ฐ ๊ฒ€์ฆ์„ ์œ„ํ•ด ๊ฒฉ๋ฆฌ๋œ ๋กœ์ปฌ ํ™˜๊ฒฝ์—์„œ ์‹คํ–‰ํ•˜๋Š” ๊ฒƒ์„ ๊ถŒ์žฅํ•ฉ๋‹ˆ๋‹ค.

```bash
# 1. TeamCity ์„œ๋ฒ„ ์‹คํ–‰
docker-compose up -d
```

1.  **Exploit Steps**:
    *   **Step 1**: `/hax?jsp=/app/rest/users;.jsp` ๊ฒฝ๋กœ๋ฅผ ํ†ตํ•ด ๊ด€๋ฆฌ์ž ๊ณ„์ • ์ƒ์„ฑ (Auth Bypass).
    *   **Step 2**: ์ƒ์„ฑ๋œ ๊ณ„์ •์œผ๋กœ ๋กœ๊ทธ์ธ ํ›„ ์•…์„ฑ ํ”Œ๋Ÿฌ๊ทธ์ธ ์—…๋กœ๋“œ.
    *   **Step 3**: `/plugins/MaliciousWebShell/shell.jsp?cmd=id` ์ ‘์† (RCE ์„ฑ๊ณต).

์ž์„ธํ•œ ์ˆœ์„œ์™€ ์Šคํฌ๋ฆฐ์ƒท์€ [TESTING.md](TESTING.md) ํŒŒ์ผ์„ ์ฐธ์กฐํ•˜์‹ญ์‹œ์˜ค.

---

## ๋Œ€์‘ ๋ฐฉ์•ˆ (Mitigation)

*   **์ฆ‰์‹œ ์—…๋ฐ์ดํŠธ**: JetBrains์—์„œ ์ œ๊ณตํ•˜๋Š” ๋ณด์•ˆ ํŒจ์น˜๊ฐ€ ์ ์šฉ๋œ ๋ฒ„์ „(`2023.11.4` ์ด์ƒ)์œผ๋กœ ์ฆ‰์‹œ ์—…๋ฐ์ดํŠธํ•ฉ๋‹ˆ๋‹ค.
*   **๋„คํŠธ์›Œํฌ ๊ฒฉ๋ฆฌ**: ๊ด€๋ฆฌ์ž ์ธํ„ฐํŽ˜์ด์Šค๋ฅผ ๊ณต์šฉ ์ธํ„ฐ๋„ท์— ๋…ธ์ถœํ•˜์ง€ ์•Š๊ณ , VPN์ด๋‚˜ ์‹ ๋ขฐํ•  ์ˆ˜ ์žˆ๋Š” IP ๋Œ€์—ญ์œผ๋กœ ์ œํ•œํ•ฉ๋‹ˆ๋‹ค.
*   **์ •๊ธฐ์  ๊ฐ์‚ฌ**: ์ธ๊ฐ€๋˜์ง€ ์•Š์€ ๊ด€๋ฆฌ์ž ๊ณ„์ • ์ƒ์„ฑ์ด๋‚˜ ํ”Œ๋Ÿฌ๊ทธ์ธ ์„ค์น˜ ์—ฌ๋ถ€๋ฅผ ์ฃผ๊ธฐ์ ์œผ๋กœ ๋ชจ๋‹ˆํ„ฐ๋งํ•ฉ๋‹ˆ๋‹ค.

---