666ghj MiroFish Remote Code Execution Vulnerability via Werkzeug Debugger

Vulnerability

A remote code execution vulnerability has been identified in 666ghj MiroFish versions through 0.1.2. The issue arises from the application running in debug mode, which exposes the Werkzeug interactive debugger console to remote attackers. The debugger PIN is logged during server startup, and the SECRET required for authentication is leaked in the JavaScript source of the console page. An attacker can use this information to gain access to the debugger and execute arbitrary Python code on the server, with the same privileges as the application process user.

Impact

Exploitation of this vulnerability gives an attacker full remote code execution on the server, as the application process user. It also enables theft of sensitive information such as API keys from the application's environment file, access to uploaded files and simulation data, and execution of commands that could compromise the host operating system.

Reproduction

To reproduce this vulnerability, first ensure that MiroFish version 0.1.2 is running with the default configuration, which includes debug mode enabled. Once the application is running, the debugger PIN can be obtained from the server logs. The SECRET can be extracted from the JavaScript source of the console page. With this information, authenticate to the debugger using the PIN and SECRET, which sets a cookie for the session. After authentication, the console can be used to execute arbitrary commands on the server.

Remediation

The vulnerability can be addressed by disabling debug mode in the application's configuration file. Change the DEBUG setting to False before deploying the application.
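A defender-side check for the two conditions this advisory describes, added here as an example and not part of the advisory or the MiroFish project: it flags the Werkzeug startup banner that announces the active debugger and the logged PIN, and it implements the startup guard behind the DEBUG=False remediation. The sample log lines, the PIN value and the environment name are constructed assumptions, not MiroFish output.

```python
import re
from typing import Iterable

# Werkzeug prints these banner lines at startup when the interactive debugger is on.
DEBUGGER_ACTIVE_RE = re.compile(r"\*\s+Debugger is active!")
DEBUGGER_PIN_RE = re.compile(r"\*\s+Debugger PIN:\s*\d{3}-\d{3}-\d{3}")


def find_debugger_exposure(log_lines: Iterable[str]) -> dict:
    """Scan startup log lines and report whether the Werkzeug debugger is
    enabled and whether a PIN was written to the log. The PIN value itself is
    redacted from the evidence so the report does not re-leak it."""
    report = {"debugger_active": False, "pin_logged": False, "evidence": []}
    for line in log_lines:
        if DEBUGGER_ACTIVE_RE.search(line):
            report["debugger_active"] = True
            report["evidence"].append(line.strip())
        elif DEBUGGER_PIN_RE.search(line):
            report["pin_logged"] = True
            redacted = DEBUGGER_PIN_RE.sub("* Debugger PIN: [redacted]", line)
            report["evidence"].append(redacted.strip())
    return report


def debug_setting_is_safe(config_debug: bool, environment: str) -> bool:
    """Startup guard: DEBUG may only be True when the deployment environment is
    explicitly 'development'. Call this before app.run() and refuse to start the
    application if it returns False."""
    return (not config_debug) or environment == "development"


# Constructed sample logs in Werkzeug's startup banner format (hypothetical values).
VULNERABLE_STARTUP_LOG = [
    " * Serving Flask app 'app'",
    " * Debug mode: on",
    " * Running on http://0.0.0.0:5000",
    " * Debugger is active!",
    " * Debugger PIN: 123-456-789",
]
HARDENED_STARTUP_LOG = [
    " * Serving Flask app 'app'",
    " * Debug mode: off",
    " * Running on http://0.0.0.0:5000",
]

if __name__ == "__main__":
    for name, log in (("vulnerable", VULNERABLE_STARTUP_LOG), ("hardened", HARDENED_STARTUP_LOG)):
        print(name, find_debugger_exposure(log))
    print("DEBUG=True allowed in production:", debug_setting_is_safe(True, "production"))
```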

Added: Apr 26, 2026, 1:18 PM
Updated: Apr 26, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.