Commands.execute_python() can trigger an RCE vulnerability
PoC-MiniAGI-RCE
1. Commands
Summary
When using a security analysis tool to analyze MiniAGI (the latest commit on the GitHub branch is d2add8f), we discovered a security risk in the miniagi.py file during initialization.
The risk is triggered by the exec() call in the Commands.execute_python() method. If developers deploy MiniAGI on a server for users to interact with, and user input is passed directly as a command-line parameter to miniagi.py without any additional handling, MiniAGI uses that malicious command in its subsequent interaction with the large language model.
The model returns malicious code based on the instructions in the malicious command, and MiniAGI executes this code in its later processing stages.
The vulnerable code is shown in the figure below and is marked accordingly.
PoC
Please review the following command (the payload is quoted so the shell passes it to miniagi.py as a single argument):
```shell
$ python3 miniagi.py "print(__import__('os').system('ls -al'))"
```
Impact
As shown in the figure below, by executing the code `__import__('os').system('ls -al')`, an attacker can list all files on the server where the Agent is deployed.
Similar payloads can also be used to view sensitive information (e.g., passwords) or to delete files.
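As an added mitigation example (not MiniAGI's own code; the function names and the blocklist are assumptions), the snippet below shows one defence-in-depth gate a deployer could put in front of exec(): parse the model-generated code with `ast`, refuse anything that imports, calls `__import__`/`exec`/`eval`/`open`, or touches dunder names, and run what remains with a stripped-down builtins namespace. It is not a sandbox; real deployments should still execute generated code in an isolated process or container.

```python
import ast

# Constructed mitigation example (assumption: not MiniAGI's own code).
# Gate model-generated Python before it ever reaches exec().
BLOCKED_CALLS = {"exec", "eval", "compile", "__import__", "open", "getattr",
                 "setattr", "globals", "locals", "vars", "breakpoint", "input"}


def find_unsafe_nodes(code: str) -> list[str]:
    """Return the reasons a snippet must not be passed to exec().

    An empty list means no blocked construct was found. Code that does not
    parse is reported as unsafe as well, so only clean code can proceed.
    """
    reasons = []
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError as e:
        return [f"syntax error: {e.msg}"]
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append(f"line {node.lineno}: import statement")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in BLOCKED_CALLS:
                reasons.append(f"line {node.lineno}: call to {func.id}()")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append(f"line {node.lineno}: dunder attribute {node.attr}")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            reasons.append(f"line {node.lineno}: dunder name {node.id}")
    return reasons


def execute_python_guarded(code: str) -> str:
    """Run the snippet only if the AST gate passes; report why otherwise."""
    reasons = find_unsafe_nodes(code)
    if reasons:
        return "REFUSED: " + "; ".join(reasons)
    # Minimal builtins: no __import__, no open(), no exec()/eval().
    namespace = {"__builtins__": {"print": print, "len": len, "range": range,
                                  "str": str, "int": int, "sum": sum}}
    exec(code, namespace)  # assumption: still isolate this process in production
    return "OK"


if __name__ == "__main__":
    print(execute_python_guarded("print(sum(range(4)))"))
    print(execute_python_guarded("print(__import__('os').system('ls -al'))"))
```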
Weaknesses
CWE-94: Improper Control of Generation of Code ('Code Injection')
Environment information
LLM type and model name: OpenAI gpt-3.5-turbo
System version: macOS 14.3.1
Python version: Python 3.12
MiniAGI version or branch: git commit <= d2add8f