## TeamCity IntelliJ IDEA Plugin credential interception (CVE-2020-35667)
### Quick Links
**[Proof-of-Concept Report](REPORT.md)** | **[Workflow Analysis](ANALYSIS.md)** | **[Server script](poc_server.py)**
### Description
This is a reproduction of **CVE-2020-35667** by building a fake **XML-RPC TeamCity endpoint**.
CVE-2020-35667 is an **SSRF vulnerability** in the JetBrains TeamCity Plugin for IntelliJ IDE.
The old TeamCity IntelliJ plugin requests a public key from the server, encrypts the password with it, and sends it back.
Since the server is attacker-controlled, the attacker decrypts and logs the plaintext credentials.
The vulnerability was reported by **Jonathan Leitschuh** (https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/).
The impact of exploiting this vulnerability is the **interception of plaintext user credentials** during the plugin login process via an **attacker-controlled XML-RPC** endpoint.
### Reproduction Environment
This is my setup for reproducing the issue:
- IntelliJ IDEA Community Edition 2018.1.8
  - https://www.jetbrains.com/idea/download/other.html
- TeamCity 2020.2.1 (build 85633)
  - https://www.jetbrains.com/help/teamcity/previous-releases-downloads.html#TeamCity+2020.2.1
- Vulnerable TeamCity IntelliJ Plugin
  - Download using the TeamCity Dashboard UI after running TeamCity
  - Plugin .zip file name: `TeamCity-IDEAplugin.zip`
  - SHA256 hash: `98aaaea4276f718c6c9cf3cb5383da1be6af9daa29e5b17fda8fa70d6bc1342f`
- OS: Windows 10
- Python version: 3.12.7
- Python requirements are located in `cve2020-35667/requirements.txt`
### Quick Start
```bash
pip install -r requirements.txt
python poc_server.py
# Server listens on http://127.0.0.1:8888
```
1. In IntelliJ, install or enable the old TeamCity plugin.
2. From IntelliJ menu: TeamCity -> Login -> Server URL: `http://127.0.0.1:8888`.
3. Enter a test username and password and click Connect.
**Expected result (vulnerable)**: the user credentials are logged to the server console.
**Expected behavior if secure**: the client validates the server's identity and the authenticity of the served key, so credentials are never exposed to a spoofed endpoint.
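The secure behaviour described above, as an added example that is not part of this repository's code: a client-side gate that refuses to encrypt or send a password unless the server URL is HTTPS, the host has been enrolled by the operator, and the server-supplied public key matches a pinned fingerprint. The host name, key bytes and pin store are hypothetical values constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class PinnedServer:
    """An operator-enrolled TeamCity server and the SHA-256 of its public-key bytes."""
    host: str
    key_sha256: str


def key_fingerprint(public_key_bytes: bytes) -> str:
    """Fingerprint the key exactly as received (PEM/DER bytes) so any substitution is caught."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def login_allowed(server_url: str, served_key: bytes, pins: dict[str, PinnedServer]) -> tuple[bool, str]:
    """Gate to pass before the client encrypts a password with served_key.
    Returns (ok, reason); any False result means do not encrypt and do not send."""
    parsed = urlparse(server_url)
    # 1. Transport: a plain-http endpoint cannot prove who it is, so nothing is sent to it.
    if parsed.scheme != "https":
        return False, f"refusing scheme {parsed.scheme!r}; HTTPS is required"
    # 2. Identity: only hosts the operator has enrolled may receive a login attempt at all.
    host = parsed.hostname or ""
    pin = pins.get(host)
    if pin is None:
        return False, f"host {host!r} is not an enrolled TeamCity server"
    # 3. Key authenticity: the server-supplied key must match the pinned fingerprint.
    if not hmac.compare_digest(key_fingerprint(served_key), pin.key_sha256):
        return False, "served public key does not match the pinned fingerprint"
    return True, "ok"


# Constructed sample data: one hypothetical enrolled server and fake PEM key bytes.
GOOD_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SAMPLE-KEY\n-----END PUBLIC KEY-----\n"
PINS = {"teamcity.example.internal": PinnedServer("teamcity.example.internal", key_fingerprint(GOOD_KEY))}


def demo() -> dict[str, tuple[bool, str]]:
    """Run the gate against the PoC endpoint from this README and two enrolled-server cases."""
    legit = "https://teamcity.example.internal/RPC2"
    return {
        "poc_endpoint": login_allowed("http://127.0.0.1:8888", GOOD_KEY, PINS),
        "enrolled_good_key": login_allowed(legit, GOOD_KEY, PINS),
        "enrolled_swapped_key": login_allowed(legit, b"some-other-key", PINS),
    }
```

The first case is the PoC endpoint from the Quick Start and is blocked on the scheme check alone; the third shows that even an enrolled HTTPS host is refused once the served key no longer matches its pin.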
### References
- https://www.cvedetails.com/cve/CVE-2020-35667/
- https://www.cvedetails.com/version-search.php?cpeMatchCriteriaId=3e994ed2-05fc-4b08-a580-fda3748d8e26
- https://www.cvedetails.com/version/1136868/Jetbrains-Teamcity-2020.2.1.html
- https://www.cvedetails.com/metasploit-modules/version-1136868/Jetbrains-Teamcity-2020.2.1.html
- https://www.cve.org/CVERecord?id=CVE-2020-35667
- https://nvd.nist.gov/vuln/detail/CVE-2020-35667
- https://cwe.mitre.org/data/definitions/918.html
- https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
- https://www.jetbrains.com/teamcity/
- https://www.youtube.com/watch?v=zqi4fDF-S60
- https://x-stream.github.io/tutorial.html
- https://en.wikipedia.org/wiki/XML-RPC