Fosowl agenticSeek Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Fosowl agenticSeek version 0.1.0. The issue arises in the query endpoint, specifically within the PyInterpreter.execute function of the sources/tools/PyInterpreter.py file. This vulnerability allows for code injection, as the application executes LLM-generated code without proper sandboxing or restrictions. The optional safe_mode feature is disabled by default and relies on a flawed blocklist that can be easily bypassed.
Impact
Exploitation of this vulnerability leads to unauthorized remote code execution on the server, with the executed code running in the context of the user process. This allows for arbitrary commands to be executed, potentially leading to a complete system compromise.
Reproduction
To reproduce this vulnerability, send an unauthenticated POST request to the /query endpoint with a payload that includes LLM-generated code. The PyInterpreter executes that code using Python's exec() function, with full access to the os and sys modules and to the entire __builtins__ namespace. Because no restrictions are placed on the execution environment, the submitted code runs with the same privileges as the server process.
Remediation
To address this vulnerability, it is recommended to replace the exec() function with subprocess-based execution in a separate process with restricted permissions. Additionally, the application should be sandboxed using Docker containers with network, filesystem, and resource limits. The safe_mode feature should be enabled by default, and the blocklist should be replaced with an allowlist of safe commands.
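As an added illustration of the remediation above (example code written for this page, not agenticSeek's own PyInterpreter), the following Python wrapper replaces exec() with a static module allowlist check followed by execution in a separate interpreter process with a timeout. The allowlist contents, the denied call names and the function names are assumptions; the Docker-level network, filesystem and resource limits described above are still required, since this wrapper alone is not a sandbox.

```python
import ast
import subprocess
import sys
import tempfile

# Assumption: an illustrative allowlist of modules the agent is expected to need.
# An allowlist fails closed; a blocklist of "bad" names fails open as soon as
# one name is missed, which is the weakness noted in the advisory.
ALLOWED_MODULES = {"math", "json", "re", "statistics", "datetime"}
# Assumption: builtins that re-enter the interpreter or touch the filesystem.
DENIED_CALLS = {"exec", "eval", "compile", "__import__", "open"}


def check_code(code: str) -> list[str]:
    """Static check on the AST; returns a list of violations (empty means OK)."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    problems.append(f"import of non-allowlisted module: {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in ALLOWED_MODULES:
                problems.append(f"import from non-allowlisted module: {node.module}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DENIED_CALLS:
                problems.append(f"call to {node.func.id}() is not permitted")
    return problems


def run_untrusted(code: str, timeout_s: float = 5.0) -> dict:
    """Run LLM-generated code in a child interpreter instead of exec() in the server."""
    problems = check_code(code)
    if problems:
        return {"ok": False, "stdout": "", "stderr": "; ".join(problems)}
    with tempfile.TemporaryDirectory() as workdir:  # empty scratch cwd, discarded afterwards
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],  # -I: isolated mode, no env/user site
                cwd=workdir, env={"PYTHONIOENCODING": "utf-8"},
                capture_output=True, text=True, timeout=timeout_s,
            )
        except subprocess.TimeoutExpired:
            return {"ok": False, "stdout": "", "stderr": f"killed after {timeout_s}s"}
    # Cap captured output so a noisy script cannot exhaust server memory.
    return {"ok": proc.returncode == 0, "stdout": proc.stdout[:4096], "stderr": proc.stderr[:4096]}
```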