| 标题 | NousResearch hermes-agent 5157f5427f19488b31c6fdebbacd15d798ce7f63 OS Command Injection (CWE-78) |
|---|
| 描述 | # Technical Details
A Terminal Tool Command Detection bypass exists in the `detect_dangerous_command` pattern matching checking in `tools/approval.py` of hermes-agent.
The application fails to semantically comprehend alternate UNIX execution routines, maintaining purely syntactical feature verification. It blocks `curl xxx | bash` but fails to block semantic equivalents like `eval $(curl...)`.
# Vulnerable Code
File: tools/approval.py
Method: detect_dangerous_command (Regex Patterns)
Why: The `DANGEROUS_PATTERNS` regex list explicitly targets piping content to execution `(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b')`. Wrapping remote downloads in command substitutions dispatched through `eval` subverts the syntactic pattern analysis without altering semantic execution, thereby evading the interactive confirmation prompt flow.
# Reproduction
1. Prompt the Agent into using the `terminal_tool` executing an alternate command style: e.g., `eval $(curl...)`.
2. The regex verification engine attempts matching the input command and returns safe natively.
3. The execution is handed to `bash` without prompting user confirmation interfaces.
4. The shell interprets `eval` and silently executes the remote text.
# Impact
- Remote Code Execution (RCE) via prompt injection.
- Total neutralization of the agent's built-in sandbox and prompt approval mechanisms, functioning effectively as silent zero-click payload execution. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80 |
|---|
| 用户 | Eric-i (UID 97584) |
|---|
| 提交 | 2026-04-24 15時01分 (1 月前) |
|---|
| 管理 | 2026-05-23 12時33分 (29 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 365330 [NousResearch hermes-agent 直到 5157f5427f19488b31c6fdebbacd15d798ce7f63 terminal_tool tools/approval.py detect_dangerous_command 权限提升] |
|---|
| 积分 | 20 |
|---|