제출 #853105: zhayujie CowAgent <= 2.1.0 Missing Authorization (CWE-862)정보

제목zhayujie CowAgent <= 2.1.0 Missing Authorization (CWE-862)
설명# Technical Details A remote agent-driven command execution vulnerability exists in the agent-enabled web chat flow of CowAgent. The application executes model-selected high-impact tools during normal web chat handling without a central runtime approval gate. A remote or authenticated web user can reach the agent execution loop through `POST /message` and cause the built-in `bash` tool to run shell commands with the CowAgent process user's privileges. # Vulnerable Code File: `channel/channel.py` Method: `Channel.build_reply_content` Why: Agent mode is enabled by default through `conf().get("agent", True)` and requests are forwarded into `Bridge.fetch_agent_reply(...)` without a dangerous-tool approval checkpoint. File: `bridge/bridge.py` Method: `Bridge.fetch_agent_reply` Why: The bridge hands user requests directly into the agent runtime through `agent_bridge.agent_reply(...)`. File: `agent/protocol/agent_stream.py` Method: `AgentStreamExecutor._execute_tool` Why: The runtime looks up the selected tool and executes `tool.execute_tool(arguments)` directly with no central confirmation barrier for dangerous tools. File: `agent/tools/bash/bash.py` Method: `Bash.execute` Why: The bash tool blocks only a narrow set of sensitive patterns and dangerous commands, then executes approved commands using `subprocess.run(command, shell=True, cwd=self.cwd, ...)`. # Reproduction 1. Run CowAgent `<= 2.1.0` with the standard web channel and agent mode enabled. 2. Configure a model provider supporting tool calls, or use an OpenAI-compatible test server that returns a `bash` tool call. 3. Send a normal web chat request to `POST /message`. 4. Consume the resulting stream through `GET /stream`. 5. Observe a `tool_start` event for the `bash` tool. 6. Confirm filesystem side effects, such as creation of `vuln-canary.txt` containing `CANARY`. 7. Run a control where the model response uses a benign command such as `ls` and confirm no canary file is created. # Impact - Remote or authenticated web users who can influence agent tool selection can execute shell commands. - Successful exploitation allows arbitrary file write or overwrite in the agent workspace. - Attackers may read or exfiltrate process-accessible local data. - Further host or network pivoting may be possible depending on deployment permissions.
원천⚠️ https://github.com/zhayujie/CowAgent/issues/2874
사용자
 Eric-x (UID 94869)
제출2026. 06. 09. PM 04:51 (1 월 ago)
모더레이션2026. 07. 09. PM 08:38 (1 month later)
상태수락
VulDB 항목377275 [zhayujie CowAgent 까지 2.1.0 Message Endpoint channel/channel.py 권한 상승]
포인트들20

Do you know our Splunk app?

Download it now for free!