AGiXT, Path Traversal Vulnerability, CVE-2024-XXXX (High)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in the `safe_join()` function within the `essential_abilities` extension of AGiXT. This function is intended to prevent path traversal by normalizing user-supplied paths and joining them with a safe working directory. However, the implementation fails to validate that the resolved absolute path still resides inside the designated agent workspace. An attacker with a valid API key can call the read_file, write_file, or `delete_file` commands. The command arguments include a `filename` parameter that accepts directory traversal sequences like ../../. The execution flow starts at `Extension.py:165` where `command_args` are taken from user input. It then passes through `XT.py:1035` into the extension dispatcher. Finally, at essential_abilities.py:436, `os.path.normpath()` and `os.path.join()` are used without a boundary check. The normalized path may escape the working directory, giving the attacker access to arbitrary filesystem locations. This leads to unauthorized file read, write, or delete operations on the host server. The attack requires no special privileges beyond a valid API key. The provided Proof of Concept successfully reads `/etc/passwd` by sending a POST request to `/api/agent/MyAgent/command` with the payload {"command_name": "read_file", "command_args": {"filename": "../../etc/passwd"}}.

dailycve form

Platform: AGiXT
Version: <=1.9.1
Vulnerability: Path traversal
Severity: High
date: 2024-06-15

Prediction: 2024-08-01

What Undercode Say:

Check for vulnerable AGiXT version
pip show agixt | grep Version
Simulate exploit with curl
curl -X POST http://localhost:7437/api/agent/MyAgent/command \
-H "Authorization: Bearer <API_KEY>" \
-H "Content-Type: application/json" \
-d '{"command_name":"read_file","command_args":{"filename":"../../etc/passwd"}}'
Monitor file access attempts via auditd
auditctl -w /etc/passwd -p rwa -k agixt_traversal

Exploit:

Authenticated attacker sends crafted JSON with `../` sequences to any file command. The server does not restrict the resolved path, allowing read/write/delete outside WORKING_DIRECTORY. Example: "filename": "../../../.ssh/id_rsa".

Protection from this CVE

Upgrade to AGiXT >1.9.1 (patch expected Aug 2024). Use `os.path.realpath()` and verify prefix against WORKING_DIRECTORY. Implement input sanitization that rejects any path containing ... Restrict API key permissions and run AGiXT inside a container with read-only root filesystem.

Impact

Arbitrary file read (credentials, configs, source code), file write (webshell, cron jobs, SSH keys), file deletion (DoS, log tampering). Complete host compromise possible if server stores sensitive data. Authentication required but no extra privileges needed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top