제출 #852865: AstrBotDevs AstrBot <= 4.25.5 Improper Link Resolution Before File Access (CWE-59)정보

제목AstrBotDevs AstrBot <= 4.25.5 Improper Link Resolution Before File Access (CWE-59)
설명# Technical Details An improper link resolution vulnerability exists in the local-runtime filesystem computer-use tools in `astrbot/core/tools/computer_tools/fs.py` of AstrBot. The application intends to restrict non-admin local-runtime users to approved workspace roots, but the authorization check validates only resolved pathname containment. It does not verify whether the final file object is a hardlink alias to a file outside the workspace. As a result, an in-workspace hardlink can be used to read or overwrite an out-of-workspace file on the same filesystem. # Vulnerable Code File: `astrbot/core/tools/computer_tools/fs.py` Method: `_is_path_within_allowed_roots` Why: The function resolves the requested path and authorizes it if the pathname is under an allowed root, without validating final inode identity or hardlink aliasing. File: `astrbot/core/tools/computer_tools/fs.py` Method: `_normalize_rw_path` Why: The function accepts the path after pathname containment checks and returns it to the read/write sinks. File: `astrbot/core/tools/computer_tools/fs.py` Method: `FileReadTool.call` Why: The read tool relies on `_normalize_rw_path()` and passes the approved path directly to the local filesystem backend. File: `astrbot/core/tools/computer_tools/fs.py` Method: `FileWriteTool.call` Why: The write tool performs the same flawed authorization flow and forwards the approved path to `sb.fs.write_file`, enabling overwrite of the outside file through the hardlink alias. # Reproduction 1. Run AstrBot `<= 4.25.5` in local runtime mode with `provider_settings.computer_use_require_admin=True`. 2. Use a non-admin `member` session with workspace access such as `data/workspaces/qq_friend_hardlink`. 3. Create an out-of-workspace file on the same filesystem that the AstrBot process can read or write. 4. Confirm that direct access such as `../outside/secret.txt` is denied by `astrbot_file_read_tool` and `astrbot_file_write_tool`. 5. Create an in-workspace hardlink, for example `linked.txt`, pointing to the outside file. 6. Read `linked.txt` through `FileReadTool.call()` and observe that the outside file content is returned. 7. Write `linked.txt` through `FileWriteTool.call()` and observe that the outside file content changes. # Impact - A non-admin local-runtime member can bypass AstrBot's workspace-only filesystem boundary. - The attacker can read host-local files outside the intended workspace if those files can be hardlinked and are readable by the AstrBot process. - The attacker can overwrite out-of-workspace files under the same hardlink and process-permission conditions. - This compromises confidentiality and integrity of files reachable under the AstrBot runtime account.
원천⚠️ https://gist.github.com/YLChen-007/d2581be79bb3caf9a032b0614dfc7728
사용자 Eric-d (UID 96861)
제출2026. 06. 09. PM 12:05 (1 월 ago)
모더레이션2026. 07. 17. PM 03:39 (1 month later)
상태수락
VulDB 항목379792 [AstrBotDevs AstrBot 까지 4.25.5 Filesystem Computer-Use Tool fs.py _normalize_rw_path 권한 상승]
포인트들20

Interested in the pricing of exploits?

See the underground prices here!