zhayujie chatgpt-on-wechat CowAgent Unauthenticated Administrative API Access Vulnerability

A critical vulnerability has been identified in zhayujie chatgpt-on-wechat CowAgent version 2.0.4 and earlier. The issue arises from the Administrative HTTP Endpoint, which lacks authentication, allowing unauthenticated remote attackers to access and manipulate sensitive application data. Exploitation of this vulnerability could lead to unauthorized access to API keys, modification of application configuration, interception of user conversations, and unauthorized access to application logs and memory content.

Impact

Exploitation of this vulnerability allows for complete administrative access to the application, including the ability to modify configuration files, upload arbitrary files, and access sensitive logs and memory content. Additionally, it enables the theft of API keys by redirecting API requests through an attacker-controlled server, and the injection of credentials for various messaging channels, which could be exploited to activate those channels and start network services on the server.

Reproduction

The vulnerability can be reproduced by sending a request to the '/config' endpoint to read the application configuration, including API keys. After intercepting the API key, a request can be sent to the '/config' endpoint to redirect the OpenAI API base to an attacker-controlled server. This change is persisted to the application's config.json file, surviving restarts. The '/api/logs' endpoint can then be accessed to stream application logs, which contain admin passwords and API keys in plaintext.

Remediation

To address this vulnerability, it is recommended to implement authentication middleware for all Web Console endpoints, bind the application to localhost by default instead of '0.0.0.0', add CSRF protection for state-changing endpoints, and implement rate limiting to prevent brute-force attacks.