Sunday, 21 December 2014

Remote code execution on misconfigured systems using Werkzeug

One of the most popular WSGI utility frameworks for Python is Werkzeug. It simplifies the handling of HTTP connections within your Python application but also provides a powerful debugger that permits one to execute code from within the browser.

While the provided link warns against enabling the debugger on anything production, that warning is often ignored or forgotten and the debugger ends up enabled anyway. It is possible to search for systems on the Internet that have the debugger enabled and execute Python code on them remotely.

It should be noted that this mainly affects the Flask and Django frameworks, but it could apply anywhere Werkzeug's debugger is used.

Revealing and using the debugger

Getting the debugger to reveal itself is fairly simple: cause an exception. This can be achieved by writing some faulty code or by simply triggering one yourself, as in this code example using the Flask framework:
from flask import Flask

app = Flask(__name__)

@app.route('/')
def main():
    raise Exception('deliberate error to reveal the debugger')  # any unhandled exception shows the debugger page

if __name__ == '__main__':
    app.run(debug=True)  # debug=True turns on the interactive Werkzeug debugger
Run the above as a Python script and you should see output like the following:
$ python
 * Running on
 * Restarting with reloader...
Now view the page via the URL it provides and you'll have access to the debugger as follows:

And as you can see, using it is pretty straightforward too: hover over a frame on the right to view its code.

Python code can be executed as if you were running the interpreter locally.

Finding affected hosts

Finding hosts is trivial using a search engine such as Google or a service like Shodan.

At the time of this writing, using Google does not net any results but previously during some research on this matter it did. It appears that any services that are indexed are being taken down fairly quickly.

If you want to try a Google search in the future, this query may return results:
intitle:"Werkzeug Debugger" "You can execute arbitrary Python code in the stack frames"
However, Shodan makes it easier to find servers that specifically run Werkzeug.

Finding servers that error out is fairly simple. Some fine-tuning is required to find hosts on which the code can actually be executed, but they are there.

It should be noted that the debugger can be activated even without running Werkzeug's built-in HTTP server. Werkzeug's documentation describes how to enable the debugger under Apache, if you so dare.

It goes without saying that you should not execute any code if you run across a machine that has the debug mode enabled.
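Rather than searching for other people's hosts, the useful check is to confirm that your own deployment does not answer errors with the debugger page. The following is an added example (not code from the original post or from the Werkzeug project) that classifies an HTTP response by the same two fingerprints the Google query above keys on: the "Werkzeug Debugger" title and the "You can execute arbitrary Python code in the stack frames" console help text. The sample response bodies are constructed for illustration; the URL fetch helper and the `APP_URL` name are assumptions for running it against a server you operate.

```python
"""Classify an HTTP response as the Werkzeug interactive debugger page.

Intended for verifying your own deployment: request a URL known to raise,
then classify the status and body that come back.
"""
import re
import urllib.error
import urllib.request

# Fingerprints of the debugger page (the same strings used in the Google query).
TITLE_RE = re.compile(r'<title>[^<]*Werkzeug Debugger[^<]*</title>', re.IGNORECASE)
CONSOLE_PHRASE = 'You can execute arbitrary Python code in the stack frames'


def classify(status, body):
    """Return one of 'no-error', 'plain-500', 'debugger-traceback', 'debugger-console'.

    'debugger-console' is the dangerous case: the page carries the console help
    text, so code execution from the browser is available. A debugger page
    without that phrase still leaks source and locals but offers no console.
    """
    if status != 500:
        return 'no-error'
    has_title = bool(TITLE_RE.search(body))
    if has_title and CONSOLE_PHRASE in body:
        return 'debugger-console'
    if has_title:
        return 'debugger-traceback'
    return 'plain-500'


def debugger_exposed(status, body):
    """True only when the interactive console is reachable."""
    return classify(status, body) == 'debugger-console'


def fetch_and_classify(url, timeout=5):
    """Fetch url and classify the response; a 500 arrives as HTTPError (assumed usage)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode('utf-8', 'replace'))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode('utf-8', 'replace'))


# Constructed sample bodies, not real captures.
SAMPLE_DEBUGGER = '''<!DOCTYPE html><html><head>
<title>ZeroDivisionError: division by zero // Werkzeug Debugger</title></head>
<body><div class="debugger"><div class="traceback">...</div>
<div class="explanation">... You can execute arbitrary Python code in the stack frames ...</div>
</div></body></html>'''
SAMPLE_PLAIN_500 = ('<html><title>500 Internal Server Error</title>'
                    '<body><h1>Internal Server Error</h1></body></html>')
SAMPLE_OK = '<html><title>Home</title><body>hello</body></html>'

if __name__ == '__main__':
    for name, status, body in (('debugger', 500, SAMPLE_DEBUGGER),
                               ('plain 500', 500, SAMPLE_PLAIN_500),
                               ('ok', 200, SAMPLE_OK)):
        print(f'{name}: {classify(status, body)}')
    # Against your own server (APP_URL is an assumed placeholder):
    # print(fetch_and_classify('http://127.0.0.1:5000/'))
```

A plain production error page returns 'plain-500'; anything reporting 'debugger-console' should be treated as a code execution exposure and fixed before the host is reachable from anywhere but localhost.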

Preventing your application from being vulnerable

If you're developing an application that makes use of Werkzeug, you should avoid hard-coding a debug mode into it.

My suggestion is to try something like this:
import sys
from flask import Flask
app = Flask(__name__)
if __name__ == '__main__':
    debug = 'debug' in sys.argv  # True only when 'debug' is passed on the command line
    app.run(debug=debug)
This requires you to pass 'debug' as a command-line argument when running the code, so debug mode is only ever switched on deliberately for local development.
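Taking that suggestion a step further, the following added example (my code, not the original post's or the Flask project's) keeps the `'debug'` command-line switch from above, adds an explicit `APP_DEBUG` environment variable (an assumed name), and refuses to start the interactive debugger at all unless the server is bound to a loopback address, so a forgotten flag cannot expose the console to other machines. The Flask import is deferred into the main block so the policy helpers can be tested without Flask installed; `APP_HOST` is also an assumed variable name.

```python
import os
import sys

# Addresses on which the interactive debugger is considered acceptable.
LOOPBACK_HOSTS = ('127.0.0.1', 'localhost', '::1')


def debug_requested(argv, environ):
    """Debug mode is on only when explicitly asked for, never by default.

    'debug' on the command line (as in the post) or APP_DEBUG=1/true/yes
    (assumed variable name) enables it.
    """
    if 'debug' in argv[1:]:
        return True
    return environ.get('APP_DEBUG', '').strip().lower() in ('1', 'true', 'yes')


def check_bind(debug, host):
    """Return the host to bind, or raise if debug would be reachable remotely.

    Binding to 0.0.0.0 (or any non-loopback address) with debug on is exactly
    the misconfiguration that makes the debugger findable from the Internet.
    """
    if debug and host not in LOOPBACK_HOSTS:
        raise ValueError(f'refusing debug mode on non-loopback host {host!r}')
    return host


if __name__ == '__main__':
    from flask import Flask  # deferred so the helpers above stay dependency-free
    app = Flask(__name__)

    @app.route('/')
    def index():
        return 'ok'

    debug = debug_requested(sys.argv, os.environ)
    host = check_bind(debug, os.environ.get('APP_HOST', '127.0.0.1'))
    app.run(host=host, debug=debug)
```

With this in place, `python app.py debug` still gives you the debugger on localhost, while `APP_HOST=0.0.0.0 python app.py debug` aborts at startup instead of silently exposing the console.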

