Case Study - Popular Exploits for TeamCity and Portainer
Intro
TeamCity and Portainer are popular DevOps tools used to automate CI/CD pipelines. This case study summarises some popular exploits against these two packages.
TeamCity
- CVE-2023-42793: In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. This can be utilised to create an administrative account on the system.
- CVE-2024-27198: In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. This can be used to achieve RCE on the hosting server, usually as tcuser.
- TeamCity defines several environment variables that can help with diagnosis, where TEAMCITY_DATA_PATH often contains useful information:
TEAMCITY_BIN_DIRECTORY
TEAMCITY_DIST
TEAMCITY_LOGS_PATH
TEAMCITY_DATA_PATH
- TeamCity often provides a backup feature that can be used to back up certain files/data-systems:
https://teamcity_url/admin/admin.html?item=backup
# backup folder is located here:
$TEAMCITY_DATA_PATH/backup
- Note: by default, TeamCity uses its internal HyperSQL database (i.e. HSQLDB), but it's always recommended to use an external data storage system for production.
Portainer
Portainer is your container management software to deploy, troubleshoot, and secure applications across cloud, datacenter, and Industrial IoT use cases.
One can use Portainer to create volumes, containers, etc. Note, a popular approach is to create a volume that emulates the entry point to the host's root file system (i.e. /).
- Volume creation for Portainer is documented here: https://docs.portainer.io/user/docker/volumes/add#adding-a-tmpfs-volume. To create a volume, you need to define some driver options:
device /dev/<sda#>
type ext4
o defaults
It is important to understand what this means. You can refer to your /etc/fstab for some examples. Let's take a look at the following examples:
# <file system> <dir> <type> <options>
/dev/sda2 / ext4 defaults
/dev/sda5 swap swap defaults
* <file system> - defines the storage device (i.e. /dev/sda1).
* <dir> - tells the mount command where it should mount the <file system> to.
* <type> - defines the file system type of the device or partition to be mounted.
* <options> - define particular options for filesystems.
# for more detail, see here: https://wiki.debian.org/fstab
- Once you have a volume created as above, you can attach the volume to a container and gain access to the host’s root file system.
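An added example (not from the original article): a defender-side audit that flags Docker volumes whose driver options mount a host block device, as described above, and checks the device against the host's fstab. The sample JSON and fstab are constructed; the JSON is assumed to follow the shape of docker volume inspect output, and fstab entries that name devices by UUID= or LABEL= are not resolved.

```python
import json

# Constructed sample, shaped like the output of `docker volume inspect`.
SAMPLE_VOLUMES = json.dumps([
    {"Name": "app_data", "Driver": "local", "Options": None},
    {"Name": "scratch", "Driver": "local",
     "Options": {"device": "tmpfs", "type": "tmpfs", "o": "size=64m"}},
    {"Name": "vol1", "Driver": "local",
     "Options": {"device": "/dev/sda2", "type": "ext4", "o": "defaults"}},
])

# Constructed sample: host /etc/fstab in the four-column form shown above.
SAMPLE_FSTAB = """\
# <file system> <dir> <type> <options>
/dev/sda2 / ext4 defaults
/dev/sda5 swap swap defaults
"""

def parse_fstab(text):
    """Map each <file system> to its <dir>, skipping comments and blanks."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            mounts[fields[0]] = fields[1]
    return mounts

def audit_volumes(volumes_json, fstab_text):
    """Return findings for local-driver volumes backed by a host block device."""
    host_mounts = parse_fstab(fstab_text)
    findings = []
    for vol in json.loads(volumes_json):
        opts = vol.get("Options") or {}  # Options is null for plain volumes
        device = opts.get("device", "")
        if vol.get("Driver") != "local" or not device.startswith("/dev/"):
            continue
        host_dir = host_mounts.get(device)  # None if not listed in fstab
        severity = "critical" if host_dir == "/" else "high"
        findings.append({"volume": vol["Name"], "device": device,
                         "host_dir": host_dir, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_VOLUMES, SAMPLE_FSTAB):
        print(finding)
```

Feed it the real inspect output and the host's fstab in place of the samples; any finding with host_dir "/" means a container that attaches the volume can read and write the host's root file system.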