AutoGPT Remote Code Execution Vulnerability via Disabled Block Execution

A remote code execution vulnerability exists in AutoGPT Platform versions prior to autogpt-platform-beta-v0.6.44. The issue arises in the block execution endpoints of both the main web API and external API, where blocks can be executed by UUID without verifying the 'disabled' status. This flaw allows any authenticated user to execute the 'BlockInstallationBlock', which can write and execute arbitrary Python code on the server. In default self-hosted deployments with Supabase signup enabled, an attacker can self-register. If signup is disabled, an existing account is required.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server, potentially leading to a complete compromise of the server. This includes access to all user data, credentials, and API keys stored in the database, as well as environment variables containing cloud credentials and secrets. The vulnerability also allows for lateral movement to connected infrastructure such as Redis, PostgreSQL, and cloud services, and the installation of a persistent backdoor.

Reproduction

To reproduce this vulnerability, an authenticated user can execute the 'BlockInstallationBlock' via the main web API or the external API. The execution can be done by sending a POST request to the block execution endpoint with the UUID of the disabled block. The request must include the session cookie for authentication. Alternatively, an API key with 'EXECUTE_BLOCK' permission can be minted and used to call the external block execution route.

Remediation

Users can update to AutoGPT Platform version autogpt-platform-beta-v0.6.44 or later, where this vulnerability has been fixed.