Badlogic Pi-Mono Zero-Click Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in Badlogic Pi-Mono versions through 0.58.4. The issue arises in the extension loading mechanism of the Pi Coding Agent, specifically within the function 'discoverAndLoadExtensions' in 'packages/coding-agent/src/core/extensions/loader.ts'. This vulnerability allows for code injection, because the application automatically loads and executes every TypeScript and JavaScript file found in the project-local '.pi/extensions/' directory, without asking for user consent and without any security checks. The code runs with the full privileges of the Node.js process as soon as the 'pi' command is run in the affected directory; no further interaction is required, which makes this a zero-click exploit.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine, with the executed code running under the user's full privileges. This could lead to unauthorized access to sensitive files, such as SSH keys and API tokens, as well as the potential for persistent system compromises, like installing backdoors or modifying critical system files.
Reproduction
To reproduce this vulnerability, clone a malicious Git repository that contains a backdoor TypeScript file in the '.pi/extensions/' directory. Once the repository is cloned, the 'pi' command can be executed, which will automatically load and execute the backdoor script. This can be done by creating a repository with a 'setup.ts' file that includes code to exfiltrate sensitive information or execute commands on the system.
Remediation
It is recommended to add a confirmation prompt before loading project-local extensions, similar to the Workspace Trust feature in Visual Studio Code. Additionally, project extensions could be disabled by default and require an explicit allowance before use.
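One way to implement the recommended gate, as an added example that is not Pi-Mono's own code: project roots are untrusted by default, the user is asked once per root through an injectable prompt hook, and the answer is remembered. The store shape, the prompt hook and the function names are assumptions made for this illustration.

```typescript
import * as path from "path";

type Decision = "load" | "skip-untrusted" | "skip-not-extension";

// Record of project roots the user explicitly approved. In a real tool this
// would be persisted under the user's home directory, never inside the project.
interface TrustStore {
  trusted: Set<string>;
}

// Hypothetical prompt hook: returns true when the user approves the directory.
// Injected so the gate can be exercised without a terminal.
type AskUser = (projectDir: string) => boolean;

function rootOf(projectDir: string): string {
  return path.resolve(projectDir);
}

// Ask once per project root and remember an approval; a refusal leaves the
// project untrusted, so nothing under .pi/extensions/ is executed.
function ensureTrusted(store: TrustStore, projectDir: string, ask: AskUser): boolean {
  const root = rootOf(projectDir);
  if (store.trusted.has(root)) return true;
  if (ask(root)) {
    store.trusted.add(root);
    return true;
  }
  return false;
}

// Gate one candidate file found under <projectDir>/.pi/extensions/.
// Only .ts/.js files are extension candidates, and they load only when the
// project root has been approved.
function gateExtension(trusted: boolean, file: string): Decision {
  const ext = path.extname(file).toLowerCase();
  if (ext !== ".ts" && ext !== ".js") return "skip-not-extension";
  return trusted ? "load" : "skip-untrusted";
}

// Replacement for an unconditional "load everything" loop: reports which files
// may be executed and which were held back, without executing anything itself.
function selectExtensions(store: TrustStore, projectDir: string, files: string[], ask: AskUser): { load: string[]; skipped: string[] } {
  const trusted = ensureTrusted(store, projectDir, ask);
  const load: string[] = [];
  const skipped: string[] = [];
  for (const f of files) {
    (gateExtension(trusted, f) === "load" ? load : skipped).push(f);
  }
  return { load, skipped };
}
```

The caller then imports only the files in `load`; a non-interactive run (no prompt available) should pass a hook that always returns false so the default stays deny.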