| Название | NousResearch hermes-agent 5157f5427f19488b31c6fdebbacd15d798ce7f63 OS Command Injection (CWE-78) |
|---|
| Описание | # Technical Details
A Terminal Tool Command Detection bypass exists in the `detect_dangerous_command` pattern matching checking in `tools/approval.py` of hermes-agent.
The application fails to semantically comprehend alternate UNIX execution routines, maintaining purely syntactical feature verification. It blocks `curl xxx | bash` but fails to block semantic equivalents like `eval $(curl...)`.
# Vulnerable Code
File: tools/approval.py
Method: detect_dangerous_command (Regex Patterns)
Why: The `DANGEROUS_PATTERNS` regex list explicitly targets piping content to execution `(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b')`. Wrapping remote downloads in command substitutions dispatched through `eval` subverts the syntactic pattern analysis without altering semantic execution, thereby evading the interactive confirmation prompt flow.
# Reproduction
1. Prompt the Agent into using the `terminal_tool` executing an alternate command style: e.g., `eval $(curl...)`.
2. The regex verification engine attempts matching the input command and returns safe natively.
3. The execution is handed to `bash` without prompting user confirmation interfaces.
4. The shell interprets `eval` and silently executes the remote text.
# Impact
- Remote Code Execution (RCE) via prompt injection.
- Total neutralization of the agent's built-in sandbox and prompt approval mechanisms, functioning effectively as silent zero-click payload execution. |
|---|
| Источник | ⚠️ https://gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80 |
|---|
| Пользователь | Eric-i (UID 97584) |
|---|
| Представление | 24.04.2026 15:01 (1 месяц назад) |
|---|
| Модерация | 23.05.2026 12:33 (29 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 365330 [NousResearch hermes-agent до 5157f5427f19488b31c6fdebbacd15d798ce7f63 terminal_tool tools/approval.py detect_dangerous_command эскалация привилегий] |
|---|
| Баллы | 20 |
|---|