For whipping up a quick web app or even building a production-level web API, Flask is arguably one of the top web frameworks, according to the 2022 Python Developers Survey. Developers love it because it is lightweight, easy to use, and does not require particular tools or libraries.
One of Flask's many convenient features is the interactive debug console in the browser. The console can be very useful for quickly finding which part of your code is causing a problem. But in many cases, developers explicitly enable the debug console and also disable the PIN protection on it.
One consequence is remote command execution on these applications.
For this demonstration, we will examine two projects that disable the PIN protection: (1) Umber, a course-management web application, and (2) Shrunk, a URL shortener for Rutgers University.
If we look in the application's environment file, we can see that it explicitly declares “export WERKZEUG_DEBUG_PIN=off”.
This setting disables the PIN protection on the debug console.
Figure 1: Disabling the pin protection on the debug console
So, when we start the server, the debugger is activated as well.
Figure 2: Debugger is activated with PIN disabled
Now we can access the console web page at http://127.0.0.1:5000/console and execute our code.
Figure 3: Executing code remotely in Umber
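A PIN-less console like the one shown above is reachable by anyone who can send an HTTP request to the server, so requests for the console route are worth alerting on. The following is an added example (not code from the original post or from the Umber project) that scans lines in the format Flask's development server prints and flags requests that touch the Werkzeug console page or carry its `__debugger__` query parameter. The log lines, the IP addresses and the trusted-IP set are constructed for the example.

```python
import re
from typing import Dict, FrozenSet, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the format Flask's development server prints.
# Hypothetical traffic, not captured from Umber or from the original post.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [03/Oct/2022 10:12:01] "GET / HTTP/1.1" 200 -
203.0.113.7 - - [03/Oct/2022 10:12:09] "GET /console HTTP/1.1" 200 -
203.0.113.7 - - [03/Oct/2022 10:12:15] "GET /console?__debugger__=yes&s=abc123 HTTP/1.1" 200 -
127.0.0.1 - - [03/Oct/2022 10:13:00] "GET /static/app.css HTTP/1.1" 304 -
127.0.0.1 - - [03/Oct/2022 10:13:30] "GET /console HTTP/1.1" 200 -
198.51.100.4 - - [03/Oct/2022 10:14:42] "GET /courses?__debugger__=yes&s=xyz HTTP/1.1" 200 -
"""

# One Werkzeug dev-server log line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CONSOLE_PATH = "/console"        # route served by the Werkzeug interactive console
DEBUGGER_PARAM = "__debugger__"  # query parameter the browser-side debugger sends


def find_debugger_hits(
    log_text: str,
    trusted_ips: FrozenSet[str] = frozenset({"127.0.0.1"}),  # assumed local-only allow list
) -> List[Dict[str, str]]:
    """Return every request that reached the console page or used the debugger parameter.

    A 200 on /console means the console is actually enabled on that server;
    a 404 would mean the debugger is off. Hits from addresses outside the
    trusted set are rated "high", the rest "medium".
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query)
        via_console = parts.path == CONSOLE_PATH
        via_param = DEBUGGER_PARAM in query
        if not (via_console or via_param):
            continue
        reason = "console page request" if via_console else "debugger parameter on another route"
        severity = "high" if m.group("ip") not in trusted_ips else "medium"
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": m.group("status"),
            "reason": reason,
            "severity": severity,
        })
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count debugger-related requests per client address."""
    by_ip: Dict[str, int] = {}
    for h in hits:
        by_ip[h["ip"]] = by_ip.get(h["ip"], 0) + 1
    return by_ip


if __name__ == "__main__":
    for hit in find_debugger_hits(SAMPLE_ACCESS_LOG):
        print(hit["severity"], hit["ip"], hit["status"], hit["target"], hit["reason"])
```

In a real deployment the Werkzeug development server should not be facing users at all, so any hit on these patterns in production logs is a configuration error worth fixing before it is a detection.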
Another project that explicitly disables the PIN protection is Shrunk, an internal URL-shortening project developed at Rutgers University.
The Shrunk server is started with a shell script called start.sh.
The shell script explicitly disables the PIN and runs the application in debug mode.
Figure 4: Activating debugger mode disables the pin
So, as in the first example, when we start the server we get the notice that the debugger is active and the debugger PIN is disabled. These warnings are usually suppressed or overlooked, and if the application is deployed to production in this state, it can be compromised.
Figure 5: Warning that the Debugger PIN is disabled
Figure 6: Executing code remotely in Shrunk
- Always check whether your application has the debugger enabled before deployment.
- Limit console access to specific internal IP ranges only.
- If you do need the debugger active, make sure the debugger PIN is enabled as well.
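The first and third recommendations can be enforced with a pre-deployment check that reads the start script or environment file and refuses to ship when the debugger is on or the PIN is off. The following is an added example, not code from the original post or from either project: it parses `export VAR=value` lines (and plain `.env` assignments), flags `WERKZEUG_DEBUG_PIN=off`, `FLASK_DEBUG`, `FLASK_ENV=development`, `app.run(debug=True)` and `flask run --debug`, and also notes a bind to `0.0.0.0`, which conflicts with the second recommendation. The two start scripts, the app name `myapp` and the severity labels are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Environment variables that switch Flask's debug mode on, with the values that do so.
DEBUG_ENABLERS = {
    "FLASK_DEBUG": {"1", "true", "yes", "on"},
    "FLASK_ENV": {"development"},  # turned debug on in older Flask releases
}
PIN_OFF_VALUE = "off"  # Werkzeug treats WERKZEUG_DEBUG_PIN=off as "no PIN"

# Source-level patterns that enable the debugger or widen network exposure.
CODE_PATTERNS = [
    (re.compile(r"\.run\([^)]*debug\s*=\s*True"), "medium",
     "app.run(debug=True) enables the Werkzeug debugger"),
    (re.compile(r"\bflask\s+run\b[^\n]*--debug\b"), "medium",
     "'flask run --debug' enables the Werkzeug debugger"),
    (re.compile(r"(?:--host[=\s]+|host\s*=\s*[\"'])0\.0\.0\.0"), "low",
     "server binds to all interfaces; restrict it to localhost or internal ranges"),
]

# Matches `export NAME=value`, `NAME="value"` or `NAME=value` at the start of a line.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*[\"']?([^\"'\s#]*)")

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}


def audit_env(env: Dict[str, str]) -> List[Finding]:
    """Report debugger-related problems in a mapping of environment variables."""
    findings: List[Finding] = []
    if env.get("WERKZEUG_DEBUG_PIN", "").strip().lower() == PIN_OFF_VALUE:
        findings.append(("high", "WERKZEUG_DEBUG_PIN=off disables PIN protection on the debug console"))
    for var, enabling_values in DEBUG_ENABLERS.items():
        value = env.get(var, "").strip()
        if value.lower() in enabling_values:
            findings.append(("medium", f"{var}={value} enables the interactive debugger"))
    return findings


def audit_script(text: str) -> List[Finding]:
    """Audit the text of a start script or .env file for debugger misconfiguration."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    findings = audit_env(env)
    for pattern, severity, message in CODE_PATTERNS:
        if pattern.search(text):
            findings.append((severity, message))
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, or None when the audit is clean."""
    if not findings:
        return None
    return max((s for s, _ in findings), key=lambda s: SEVERITY_ORDER[s])


# Constructed start script showing the pattern described in the post (not the real start.sh).
SAMPLE_START_SH = """\
#!/bin/bash
export FLASK_APP=myapp
export FLASK_DEBUG=1
export WERKZEUG_DEBUG_PIN=off
flask run --host=0.0.0.0 --port=5000
"""

# Constructed hardened counterpart: debugger off, PIN untouched, bound to localhost.
HARDENED_START_SH = """\
#!/bin/bash
export FLASK_APP=myapp
flask run --host=127.0.0.1 --port=5000
"""


if __name__ == "__main__":
    for name, script in (("weak", SAMPLE_START_SH), ("hardened", HARDENED_START_SH)):
        results = audit_script(script)
        print(f"{name}: worst={worst_severity(results)}")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Wiring `audit_script` into CI so that a `high` finding fails the build gives the third recommendation teeth: a PIN-less console never reaches a deployment artifact.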
#NCSAM #exploit #research #vicarius_blog
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.