Joel Eriksson's banner
Joel Eriksson's profile picture

Joel Eriksson

@OwariDa7,916 subscribers

Offensive security researcher and entrepreneur -Kernels, browsers and all that jazz- Also: - AI/ML/DL - AR/VR/XR - CTFs (pwn/re/crypto) + Cicada 3301, Boxen etc

Videos

OwariDa's profile picture

Ok, I tried the responsible disclosure route, but since the maintainers have been completely unresponsive both over email and here on X, here goes Auth bypass -> RCE on the "AgentOS" with "16 security systems", OpenFang by RightNow (YC F26) Oh and those security systems? Turns out they weren't even doing what they were supposed to do The "taint tracking" used to enforce an allowlist of commands for agents could be trivially bypassed in at least four different ways (command-splitting on |, ;, && and || but a whitelisted command followed by & cmd, `cmd`, $(cmd) and cmd works fine. Overall, they're fighting a losing game by implementing a command line parsing based sandbox rather than using an actual sandbox (using seccomp-bpf, for instance), a container or a microVM As for the AES-256-GCM based auth in the OpenFang P2P protocol, well, besides being vulnerable to a replay attack, the protocol itself is completely in plaintext after the handshake! Regarding the "WASM sandboxes", turns out they aren't actually used for anything, there's not a single WASM agent in the repo, and since rather than conforming to WASI they require implementing a completely custom API, it's unlikely that anyone would bother making a WASM based agent in the first place (not even the maintainers do, so) And as for the "Merkle audit trail", that audit trail is stored entirely in-memory, so simply restarting the daemon is enough to erase any traces of that trail Anyway, enjoy the RCE PoC!

Joel Eriksson

12,327 次观看 • 4 个月前

没有更多内容可加载