zhayujie chatgpt-on-wechat CowAgent Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A critical vulnerability allowing unauthenticated remote code execution has been identified in zhayujie chatgpt-on-wechat CowAgent versions 2.0.0 through 2.0.4. The issue arises from the Agent Mode Service, which is enabled by default and allows AI agents to access system-level tools, including a bash shell, file read/write capabilities, and web fetching. The vulnerability stems from the Web Console being exposed on all network interfaces at port 9899, without any authentication on key endpoints, such as '/message', which accepts chat instructions. This lack of authentication enables any remote attacker to send commands that the AI Agent will execute, effectively leveraging the Agent's OS-level access.

Impact

Exploitation of this vulnerability allows for arbitrary execution of operating system commands as the user running the application. This includes the ability to create and modify files, read sensitive information from the file system, and access network resources. The vulnerability could also be exploited to establish persistent access to the system by creating scheduled tasks or modifying user profiles.

Reproduction

To reproduce this vulnerability, send an unauthenticated HTTP POST request to the '/message' endpoint on the exposed Web Console. Include a command to be executed in the bash shell as part of the message. The AI Agent will process the request and execute the command, with the response indicating the success of the operation. This vulnerability has been verified on chatgpt-on-wechat version 2.0.4.

Remediation

Users are advised to add authentication to all Web Console endpoints and change the default server binding to localhost. Additionally, the application should replace the current command blocklist with a more effective allowlist, and implement a user confirmation step before executing bash commands.
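
The allowlist and confirmation step recommended above, sketched as an added example (not CowAgent's own code): a request must present a valid token, the command must parse to an allowlisted executable with permitted flags, and an operator callback must approve it. The `ALLOWED` policy, the function names and the bearer-token scheme are assumptions made for illustration.

```python
import hmac
import shlex

# Assumed policy for illustration: executable name -> permitted flags.
ALLOWED = {
    "ls": {"-l", "-a", "-la"},
    "cat": set(),
    "grep": {"-n", "-i", "-r"},
}
# Characters that let a shell chain, substitute, expand or redirect.
SHELL_META = set(";|&$`<>(){}\n\\*?~!")


def token_ok(presented, expected):
    """Constant-time token comparison for the /message handler."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def vet_command(command):
    """Return argv if the command passes the allowlist, else None."""
    if any(ch in SHELL_META for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in ALLOWED[argv[0]]:
                return None
        elif arg.startswith("/") or ".." in arg.split("/"):
            return None  # keep path arguments inside the working directory
    return argv


def gate(command, presented_token, expected_token, confirm):
    """Authenticate, vet, then ask the operator; return argv to run or None."""
    if not token_ok(presented_token, expected_token):
        return None
    argv = vet_command(command)
    if argv is None or not confirm(argv):
        return None
    return argv  # run with subprocess.run(argv, shell=False), never via a shell
```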

Added: Apr 12, 2026, 8:18 PM
Updated: Apr 12, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.