eosphoros-ai DB-GPT Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in eosphoros-ai DB-GPT versions through 0.7.5. The issue arises in the FastAPI endpoint '/v1/personal/agent/upload', where the plugin upload feature allows for unrestricted file uploads. Although the uploaded plugin code is supposed to undergo a security check based on its Abstract Syntax Tree (AST) structure, an attacker can still upload a malicious Python file that bypasses this check. Once the plugin is uploaded, its code is executed during the plugin loading process, specifically when the 'refresh_plugins()' function is called. This vulnerability can be exploited remotely, without any special permissions or authentication, and the code execution occurs silently, even if the plugin validation fails.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the server, with the code running under the privileges of the user that runs the DB-GPT process. In containerized deployments, this user is often root. This could lead to unauthorized access to sensitive information, such as system files, environment variables, and credentials, and could allow an attacker to establish persistence on the system and move laterally within the victim's network.

Reproduction

To reproduce this vulnerability, upload a malicious Python file disguised as a plugin through the '/v1/personal/agent/upload' endpoint. The uploaded file should contain code that exploits the vulnerability, such as a script that executes a command and writes the output to a file. After uploading the plugin, the executed command's output can be retrieved from the specified file, demonstrating that the code execution occurred.
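For defenders, requests to the upload endpoint are the place to start a log review. The following is an added example, not code from the advisory or from DB-GPT: it scans access-log text for POST requests to '/v1/personal/agent/upload'. It assumes uvicorn's default access-log line format; the function name, the trusted-address parameter, the '/api' prefix and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

UPLOAD_PATH = "/v1/personal/agent/upload"  # endpoint named in the advisory

# Assumed log format: uvicorn's default access log line, e.g.
# INFO:     203.0.113.7:51514 - "POST /v1/personal/agent/upload HTTP/1.1" 200 OK
ACCESS_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ - '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
INFO:     198.51.100.20:40112 - "GET /v1/personal/agent/upload HTTP/1.1" 405 Method Not Allowed
INFO:     203.0.113.7:51514 - "POST /v1/personal/agent/upload HTTP/1.1" 200 OK
INFO:     203.0.113.7:51520 - "POST /api/v1/personal/agent/upload?user=x HTTP/1.1" 500 Internal Server Error
INFO:     192.0.2.44:38800 - "POST /api/v1/chat/completions HTTP/1.1" 200 OK
WARNING:  plugin validation failed
"""

def find_plugin_uploads(log_text, trusted_ips=frozenset()):
    """Return {source_ip: [(status, target), ...]} for upload POSTs.

    Requests are reported regardless of HTTP status: per the advisory the
    uploaded code can run even when plugin validation fails, so an error
    response does not mean the attempt was harmless.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and any trailing slash before comparing.
        path = m["target"].split("?", 1)[0].rstrip("/")
        # endswith() also matches deployments that mount the route under a
        # prefix (assumption; the advisory gives only the path above).
        if not path.endswith(UPLOAD_PATH):
            continue
        if m["ip"] in trusted_ips:
            continue
        hits[m["ip"]].append((int(m["status"]), m["target"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, requests in find_plugin_uploads(SAMPLE_LOG).items():
        for status, target in requests:
            print(f"review: {ip} POST {target} -> {status}")
```

Each reported source should be matched against known administrators, and the plugin directory checked for files written at the same timestamps.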

Added: Mar 20, 2026, 8:22 PM
Updated: Mar 20, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.