
Debugger security enhancements #3020

Status: Open. Wants to merge 3 commits into base: main.
Conversation

Grezzo

@Grezzo Grezzo commented Jan 23, 2025

This pull request introduces 2 changes:

  • Number of pin-based failed authentication attempts before the debugger is locked (brute force protection) has been reduced from 11 to 10. This was because 11 seemed like an odd number to choose and I think it's likely that the intention was 10 but it is off-by-one.
  • Even when the debugger was locked due to too many failed authentication attempts, it was still possible to authenticate using a cookie. This change prevents cookie-based authentication when the debugger is locked for pin-based authentication.

These changes enhance the security of the debugger because it is possible to generate a cookie if knowledge of the environment is known (i.e. APPNAME, CGROUP, FLASKPATH, MACADDRESS, MACHINEID, MODULENAME & SERVICEUSER). It may be possible to access enough information about the environment if the application using werkzeug contains a vulnerability such as arbitrary file read, e.g. using path traversal. This could result in the debugger being used to turn a medium-risk vulnerability into a critical-risk one (i.e. remote code execution).

An exploit module for Metasploit is publicly available that will generate a cookie when provided with the required information (disclaimer: I am the author of the module, but I also want to improve the security of werkzeug, even though it will make the exploit less effective).
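A simplified model of the two behaviours reported above, added here as an illustration and not werkzeug's own code: the pin, the cookie token, the counter and the threshold are constructed. It shows that when the cookie check is ordered before the lockout check a trusted cookie still authenticates after lockout, while applying the lockout to every path closes that gap.

```python
import hmac
from typing import Optional

MAX_FAILED_PIN_ATTEMPTS = 10  # constructed threshold reflecting the PR's intended lockout


class DebuggerAuth:
    """Toy model of the debugger's pin and cookie authentication paths.

    cookie_checked_first=True reproduces the ordering the PR reports as the
    problem; False reproduces the fix, where lockout applies to every path.
    """

    def __init__(self, pin: str, trusted_cookie: str, cookie_checked_first: bool):
        self.pin = pin
        # Constructed stand-in for the signed cookie value the debugger trusts.
        self.trusted_cookie = trusted_cookie
        self.cookie_checked_first = cookie_checked_first
        self.failed_pin_auth = 0

    def _cookie_trusted(self, cookie: Optional[str]) -> bool:
        return cookie is not None and hmac.compare_digest(cookie, self.trusted_cookie)

    def locked(self) -> bool:
        # ">=" locks on the tenth failure; a "> 10" comparison would lock on the eleventh.
        return self.failed_pin_auth >= MAX_FAILED_PIN_ATTEMPTS

    def authenticate(self, pin: Optional[str] = None, cookie: Optional[str] = None) -> str:
        """Return 'auth', 'exhausted' or 'fail'."""
        if self.cookie_checked_first and self._cookie_trusted(cookie):
            return "auth"  # pre-fix ordering: lockout is never consulted on this path
        if self.locked():
            return "exhausted"  # applies to pin and cookie alike once lockout is reached
        if self._cookie_trusted(cookie):
            return "auth"
        if pin is not None and hmac.compare_digest(pin.replace("-", ""), self.pin.replace("-", "")):
            self.failed_pin_auth = 0
            return "auth"
        self.failed_pin_auth += 1
        return "fail"


def lockout_bypassed_by_cookie(cookie_checked_first: bool) -> bool:
    """Exhaust the pin attempts with wrong pins, then present the trusted cookie."""
    auth = DebuggerAuth("123-456-789", "constructed-cookie", cookie_checked_first)
    for _ in range(MAX_FAILED_PIN_ATTEMPTS):
        auth.authenticate(pin="000-000-000")
    return auth.locked() and auth.authenticate(cookie="constructed-cookie") == "auth"
```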

Grezzo and others added 3 commits January 22, 2025 18:43
Behaviour used to be when 11 incorrect pins were entered, the debugger would be locked. I assume this was an off-by-one mistake and it was intended to be 10. This change causes the debugger to become locked when an incorrect pin is entered 10 times.
If the debugger was locked because too many failed authentications had occurred, it was still possible to authenticate using a cookie.

This change rejects authentication even using a cookie when too many pin-based authentications have occurred.
@Grezzo (Author) commented Jan 23, 2025

One of the checks failed (readthedocs). I don't believe this is under my control and is an error due to a change in the behaviour of readthedocs. I tried to fix this in a different pull request but was unsuccessful.

I suggest that this pull request has the security tag applied.
