| Название | zhayujie CowAgent <= 2.1.0 Missing Authorization (CWE-862) |
|---|
| Описание | # Technical Details
A remote agent-driven command execution vulnerability exists in the agent-enabled web chat flow of CowAgent.
The application executes model-selected high-impact tools during normal web chat handling without a central runtime approval gate. A remote or authenticated web user can reach the agent execution loop through `POST /message` and cause the built-in `bash` tool to run shell commands with the CowAgent process user's privileges.
# Vulnerable Code
File: `channel/channel.py`
Method: `Channel.build_reply_content`
Why: Agent mode is enabled by default through `conf().get("agent", True)` and requests are forwarded into `Bridge.fetch_agent_reply(...)` without a dangerous-tool approval checkpoint.
File: `bridge/bridge.py`
Method: `Bridge.fetch_agent_reply`
Why: The bridge hands user requests directly into the agent runtime through `agent_bridge.agent_reply(...)`.
File: `agent/protocol/agent_stream.py`
Method: `AgentStreamExecutor._execute_tool`
Why: The runtime looks up the selected tool and executes `tool.execute_tool(arguments)` directly with no central confirmation barrier for dangerous tools.
File: `agent/tools/bash/bash.py`
Method: `Bash.execute`
Why: The bash tool blocks only a narrow set of sensitive patterns and dangerous commands, then executes approved commands using `subprocess.run(command, shell=True, cwd=self.cwd, ...)`.
# Reproduction
1. Run CowAgent `<= 2.1.0` with the standard web channel and agent mode enabled.
2. Configure a model provider supporting tool calls, or use an OpenAI-compatible test server that returns a `bash` tool call.
3. Send a normal web chat request to `POST /message`.
4. Consume the resulting stream through `GET /stream`.
5. Observe a `tool_start` event for the `bash` tool.
6. Confirm filesystem side effects, such as creation of `vuln-canary.txt` containing `CANARY`.
7. Run a control where the model response uses a benign command such as `ls` and confirm no canary file is created.
# Impact
- Remote or authenticated web users who can influence agent tool selection can execute shell commands.
- Successful exploitation allows arbitrary file write or overwrite in the agent workspace.
- Attackers may read or exfiltrate process-accessible local data.
- Further host or network pivoting may be possible depending on deployment permissions. |
|---|
| Источник | ⚠️ https://github.com/zhayujie/CowAgent/issues/2874 |
|---|
| Пользователь | Eric-x (UID 94869) |
|---|
| Представление | 09.06.2026 16:51 (1 месяц назад) |
|---|
| Модерация | 09.07.2026 20:38 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 377275 [zhayujie CowAgent до 2.1.0 Message Endpoint channel/channel.py эскалация привилегий] |
|---|
| Баллы | 20 |
|---|