ModelScope MS-Agent Command Injection Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A command injection vulnerability has been identified in ModelScope's MS-Agent framework, specifically in versions through 1.6.0rc1. The issue arises in the Shell tool component, where user-influenced input is not properly sanitized before being executed as operating system commands. This vulnerability allows an attacker to execute arbitrary commands on the host system with the same privileges as the MS-Agent process.
Impact
Exploitation of this vulnerability leads to arbitrary command execution on the host system, potentially allowing for full system compromise. Commands executed in this context can modify or delete files, access sensitive data such as API keys and tokens, and establish persistence mechanisms.
Reproduction
The vulnerability can be reproduced by injecting crafted input into prompts or documents that the MS-Agent framework will process. This input can include commands that bypass the application's regex-based filtering and are executed via the Shell tool.
Remediation
No official patch is available. Users are advised to deploy MS-Agent only in trusted environments and to sandbox agents with shell execution capabilities.
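Since no patch exists, the practical mitigation is to take the shell out of the tool's execution path rather than to tighten the regex. The following is an added illustration written for this advisory, not MS-Agent's own Shell tool code; the names (validate_command, run_command, Decision, ALLOWED_EXECUTABLES) and the allowlist contents are this example's own assumptions. It shows the property a regex denylist cannot give: the command string is split into argv with shlex, only allowlisted programs may run, path arguments are confined to a working directory, and the process is started with shell=False, so separators, substitution and redirection syntax arrive at the program as literal arguments instead of being interpreted.

```python
"""Allowlist-based command runner (added defensive example, not MS-Agent code).

A denylist regex applied to a string that is later handed to /bin/sh must anticipate
every shell feature; one miss is a command injection. This example never invokes a
shell at all, so there is no metacharacter to filter.
"""
import os
import shlex
import shutil
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample allowlist: the only programs the agent may launch.
ALLOWED_EXECUTABLES = {"ls", "cat", "echo", "wc", "head"}
MAX_ARGS = 16
MAX_ARG_LEN = 256


@dataclass
class Decision:
    allowed: bool
    argv: List[str]      # argv to execute, never a shell string
    reason: str = ""


def validate_command(command: str, workdir: str) -> Decision:
    """Parse an agent-supplied command and decide whether it may run."""
    try:
        argv = shlex.split(command)       # POSIX word splitting, no expansion
    except ValueError as exc:
        return Decision(False, [], f"unparseable command: {exc}")
    if not argv:
        return Decision(False, [], "empty command")
    if len(argv) > MAX_ARGS or any(len(a) > MAX_ARG_LEN for a in argv):
        return Decision(False, [], "argument list too long")
    prog = argv[0]
    # "ls;" or "/bin/sh" both fail here: they are not bare allowlisted names.
    if prog not in ALLOWED_EXECUTABLES:
        return Decision(False, [], f"executable not allowlisted: {prog!r}")
    resolved = shutil.which(prog)
    if resolved is None:
        return Decision(False, [], f"executable not found: {prog!r}")
    # Confine every non-option argument to the working directory; absolute
    # paths and ../ escapes are rejected.
    root = os.path.realpath(workdir)
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue                      # option flags are not paths
        target = os.path.realpath(os.path.join(root, arg))
        if os.path.commonpath([root, target]) != root:
            return Decision(False, [], f"path escapes workdir: {arg!r}")
    return Decision(True, [resolved] + argv[1:])


def run_command(command: str, workdir: str, timeout: float = 10.0) -> dict:
    """Validate, then execute without a shell, with a minimal env and a timeout."""
    decision = validate_command(command, workdir)
    if not decision.allowed:
        return {"ok": False, "reason": decision.reason, "stdout": "", "returncode": None}
    # Minimal environment: the child does not inherit API keys or tokens.
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    try:
        proc = subprocess.run(
            decision.argv, shell=False, cwd=workdir, env=env,
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout", "stdout": "", "returncode": None}
    return {"ok": True, "reason": "", "stdout": proc.stdout, "returncode": proc.returncode}


if __name__ == "__main__":
    for cmd in ("ls -la", "ls; echo injected", "echo $(whoami)", "cat /etc/hostname"):
        print(f"{cmd!r:28} -> {run_command(cmd, '/tmp')}")
```

Note that "echo $(whoami)" is allowed to run but prints the literal text "$(whoami)": with no shell in the path there is nothing to expand it, which is exactly the guarantee a regex filter in front of a shell cannot provide.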