| शीर्षक | NousResearch hermes-agent 5157f5427f19488b31c6fdebbacd15d798ce7f63 OS Command Injection (CWE-78) |
|---|
| विवरण | # Technical Details
A Terminal Tool Command Detection bypass exists in the `detect_dangerous_command` pattern matching checking in `tools/approval.py` of hermes-agent.
The application fails to semantically comprehend alternate UNIX execution routines, maintaining purely syntactical feature verification. It blocks `curl xxx | bash` but fails to block semantic equivalents like `eval $(curl...)`.
# Vulnerable Code
File: tools/approval.py
Method: detect_dangerous_command (Regex Patterns)
Why: The `DANGEROUS_PATTERNS` regex list explicitly targets piping content to execution `(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b')`. Wrapping remote downloads in command substitutions dispatched through `eval` subverts the syntactic pattern analysis without altering semantic execution, thereby evading the interactive confirmation prompt flow.
# Reproduction
1. Prompt the Agent into using the `terminal_tool` executing an alternate command style: e.g., `eval $(curl...)`.
2. The regex verification engine attempts matching the input command and returns safe natively.
3. The execution is handed to `bash` without prompting user confirmation interfaces.
4. The shell interprets `eval` and silently executes the remote text.
# Impact
- Remote Code Execution (RCE) via prompt injection.
- Total neutralization of the agent's built-in sandbox and prompt approval mechanisms, functioning effectively as silent zero-click payload execution. |
|---|
| स्रोत | ⚠️ https://gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80 |
|---|
| उपयोगकर्ता | Eric-i (UID 97584) |
|---|
| सबमिशन | 24/04/2026 03:01 PM (1 महीना पहले) |
|---|
| संयम | 23/05/2026 12:33 PM (29 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 365330 [NousResearch hermes-agent तक 5157f5427f19488b31c6fdebbacd15d798ce7f63 terminal_tool tools/approval.py detect_dangerous_command अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|