I want to implement a detection plugin for CVE-2024-3408
Software Detail: D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. It integrates seamlessly with ipython notebooks & python/ipython terminals. Currently this tool supports such Pandas objects as DataFrame, Series, MultiIndex, DatetimeIndex & RangeIndex.
Vulnerability Detail: dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The authentication bypass comes from a hardcoded SECRET_KEY in the Flask configuration, which lets an attacker forge a valid session cookie when authentication is enabled. Additionally, the application fails to properly restrict custom filter queries: an attacker can bypass the restriction on the /update-settings endpoint and execute arbitrary code on the server even when enable_custom_filters is not enabled. Together these allow an attacker to bypass authentication and execute code remotely on the server.
Remarks: I have tested and verified both the authentication bypass and RCE parts on my side. The RCE payload is a regular one, but the authentication bypass part is very tricky. Normally dtale uses Flask session cookies for authentication, and Flask uses a Python library called itsdangerous for cookie creation. This Python library/module signs an authentication payload and a timestamp value with a SECRET_KEY and SALT value (check the URLSafeTimedSerializer class) and creates a signature to use in a specially crafted session cookie value. This is what Flask does and what this application uses for authentication. To detect the authentication bypass part with Tsunami, I read the source code of the itsdangerous module and produced a Java implementation of this signing and serialization process. Normally (afaik) there is no module or package in Java for this serialization (I tested the two existing ones with 0 stars, but they were not working). Therefore, implementing a plugin detector for this vulnerability will contain this signing stub, and I believe this code stub might help in the future for other potential Flask-related vulnerability plugins.
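For reference while reviewing a port of the signing stub, here is the Flask session-cookie construction that itsdangerous' URLSafeTimedSerializer performs, re-implemented with only the Python standard library. This is an added example, not code from dtale, from Flask/itsdangerous, or from the Tsunami plugin described above. It assumes Flask's defaults for the `session` cookie (salt `cookie-session`, SHA-1, HMAC key derivation, compact sorted JSON with optional zlib compression marked by a leading `.`); the SECRET_KEY used in the test is a constructed placeholder, not the key hardcoded in dtale. Flask's TaggedJSONSerializer tags non-JSON types (tuples, bytes, datetimes), which plain string/int/bool session values never hit, so this example uses plain `json`.

```python
"""Flask session cookie signing/verification as done by itsdangerous (stdlib only).

Added example for cross-checking a port of the signing logic; not project code.
Assumptions: Flask default settings (salt "cookie-session", SHA-1, HMAC key
derivation) and itsdangerous >= 2.0 timestamps (plain Unix seconds; versions
before 2.0 subtracted the 2011-01-01 epoch offset 1293840000).
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's fixed salt for the session cookie


def b64e(data: bytes) -> bytes:
    """itsdangerous base64: URL-safe alphabet with '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64d(data: bytes) -> bytes:
    """Inverse of b64e: restore the padding before decoding."""
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def derive_key(secret_key: bytes) -> bytes:
    """Flask passes key_derivation='hmac': signing key = HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def dump_payload(obj) -> bytes:
    """Compact sorted JSON; zlib-compressed (prefixed with '.') when that is shorter."""
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        return b"." + b64e(compressed)
    return b64e(raw)


def load_payload(payload: bytes):
    """Reverse dump_payload, honouring the '.' compression marker."""
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(b64d(payload[1:])))
    return json.loads(b64d(payload))


def sign_session(obj, secret_key: bytes, timestamp=None) -> str:
    """Build <payload>.<ts>.<sig> with sig = HMAC-SHA1(derived_key, payload + '.' + ts).

    With a known SECRET_KEY this is exactly how a forged session cookie is made.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed_value = dump_payload(obj) + b"." + ts_b64
    sig = hmac.new(derive_key(secret_key), signed_value, hashlib.sha1).digest()
    return (signed_value + b"." + b64e(sig)).decode()


def verify_session(cookie: str, secret_key: bytes, max_age=None, now=None):
    """Server-side check (Flask's loads): session dict, or None if the signature
    is bad or the timestamp is older than max_age seconds."""
    value, _, sig_b64 = cookie.encode().rpartition(b".")
    try:
        given = b64d(sig_b64)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(derive_key(secret_key), value, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, given):
        return None
    payload, _, ts_b64 = value.rpartition(b".")
    ts = int.from_bytes(b64d(ts_b64), "big")
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - ts > max_age:
            return None
    return load_payload(payload)


if __name__ == "__main__":
    key = b"replace-with-target-secret"  # placeholder, not dtale's real key
    cookie = sign_session({"username": "admin"}, key)
    print(cookie)
    print(verify_session(cookie, key, max_age=3600))
```

Because the hardcoded key only matters when the cookie is checked server-side, a detector built on this stub should confirm the target is actually enforcing authentication (an unauthenticated request to a protected route is rejected) before concluding that a forged cookie being accepted proves the key is known. On a host with Flask installed, `flask.sessions.SecureCookieSessionInterface().get_signing_serializer(app).dumps(...)` with the same key and timestamp gives an independent reference value to compare a Java port against.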
Ref: https://github.com/man-group/dtale
Ref: https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91