| 제목 | louisho5 picobot 0.2.0 Incomplete List of Disallowed Inputs (CWE-184) |
|---|
| 설명 | # Technical Details
A dangerous-program blacklist bypass vulnerability exists in the `[ExecTool.Execute]` method in `internal/agent/tools/exec.go` of picobot.
The application fails to recursively inspect wrapped command dispatch. The blacklist only checks `argv[0]`, so a blocked payload such as `rm` can be hidden behind `/usr/bin/env bash -lc`. The command array `["/usr/bin/env","bash","-lc","rm /abs/path/to/marker.txt"]` passes validation and reaches `exec.CommandContext`, which launches `env`, dispatches `bash`, and executes the prohibited command.
# Vulnerable Code
File: `internal/agent/tools/exec.go`
Method: `ExecTool.Execute`
Why: The safety policy inspects only the top-level executable and not nested shell-wrapper execution chains, making the blacklist incomplete and bypassable.
# Reproduction
1. Run the supplied harness with a local provider that returns an `exec` tool call containing `["/usr/bin/env","bash","-lc","rm /abs/path/to/marker.txt"]`.
2. Invoke the normal `picobot agent -m` CLI path so the provider tool call is executed.
3. Confirm the marker file is deleted, while the direct control payload `["rm","/abs/path/to/marker.txt"]` is rejected.
# Impact
- Bypasses Picobot’s intended dangerous-program restrictions for the `exec` tool.
- Enables destructive command execution through wrapper-based dispatch under the Picobot process account. |
|---|
| 원천 | ⚠️ https://github.com/louisho5/picobot/issues/43 |
|---|
| 사용자 | Eric-h (UID 97582) |
|---|
| 제출 | 2026. 06. 11. AM 11:27 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 13. PM 11:12 (1 month later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 378163 [louisho5 picobot 까지 0.2.0 exec Tool exec.go ExecTool.Execute 권한 상승] |
|---|
| 포인트들 | 0 |
|---|