Skip to content

Prompt injection to RCE in AI agents #1514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Prompt injection to RCE in AI agents #1514

wants to merge 1 commit into from
+101 −1

Conversation

@carlospolop
Copy link
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post proves
Argument injection (CWE-88) in AI agents that auto-run a subset of “safe” system commands lets an attacker achieve one-shot remote code execution (RCE) even when a human-in-the-loop approval gate is enabled and shell metacharacters are blocked. The post maps the design anti-patterns, shows three concrete exploit paths with exact prompts/commands and vulnerable code, and closes with actionable hardening guidance.


Why the pattern exists
Agen...

🔧 Technical Details

Argument injection through pre-approved tools: When agents auto-run binaries like find/rg/fd/git, inject dangerous flags as part of the tool’s arguments instead of using shell metacharacters. Abuse options that turn search/listing tools into execution primitives (e.g., go test -exec, rg --pre, fd -x=<binary>) to achieve RCE with a single prompt.


Living off the land with write+exec chains: Chain two allowed tools so one writes a payload and the other executes it. Example pattern: git show --format & --output to write a command/script (possibly hex-obfuscated), then ripgrep --pre bash scanning for a marker term to immediately execute the new file.


Facade argv injection: If a facade appends user input directly to argv, craft inputs that are parsed as flags instead of literals. Supplying -x=python3 to an fd facade executes pyt...

🤖 Agent Actions

I’ve reviewed the repository structure and relevant AI-related content and found an existing, well-suited page to incorporate the new techniques: “AI Agent Abuse: Local AI CLI Tools & MCP.” I updated that page to add a dedicated subsection documenting Argument Injection (CWE-88) in CLI agents and the specific RCE chains from the blog.

What I did:

  • Read relevant files to understand style and structure:
    • src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md
    • src/generic-methodologies-and-resources/phishing-methodology/README.md
    • src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md
    • src/AI/AI-Prompts.md
    • src/AI/AI-MCP-Servers.md
  • Added a new subsection to the AI CLI/MCP page with:
    • Clear explanation of the anti-pattern: allowlisting only the binary name with shell=false while not validating flags
    • Three concrete exploit paths with commands and code:
      • go test -exec wrapper → one-shot RCE
      • git show --format/--no-patch/--output + ripgrep --pre chain (write then execute)
      • fd -x= via argv injection in tool facades (with vulnerable Go snippet)
    • Guidance for safer facades (use of -- to separate user input, shell=false, pre-denying high-risk flags)
    • Detection heuristics (watch for argv signatures like go test -exec, rg --pre, fd -x, git show --output)
    • Sandboxing and design best practices
  • Updated References with the blog and primary docs for the abused flags:
    • Trail of Bits blog
    • Go “Testing flags” for -exec
    • ripgrep preprocessor filtering (--pre)
    • fd command execution (-x)
    • git show documentation

Files changed:

  • Modified: src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md
    • Inserted the subsection “Argument Injection (CWE-88) in CLI Agents: living-off-the-land RCE”
    • Appended relevant references

No new files were needed, and I didn’t duplicate existing content. The updates are technical, actionable, and fit the HackTricks style (code blocks, concise steps, detection/hardening, and references).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Copy link
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology > Ai Agent Abuse Local Ai CLI Tools And MCP (add a subsection: 'Argument Injection (CWE-88) in CLI Agents: go test -exec, rg --pre, fd -x, git show --format + --output chains')".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop deleted the update_Prompt_injection_to_RCE_in_AI_agents_20251022_124216 branch October 26, 2025 02:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@carlospolop