I have discovered two critical Remote Code Execution (RCE) vulnerabilities in RoboRun.
RCE via Behavior Write API:
The endpoint POST /api/behaviors/write allows users to write arbitrary Python code to the behaviors/ directory. The current validation only checks for the presence of 'def ' and '@behavior' and verifies Python syntax using compile(). Since these files are automatically hot-reloaded (imported) by the server, an attacker can execute arbitrary code by simply including it in the source.
RCE via Local Skill Installation:
The 'roborun skill add ' command allows installing local skills via symlinks. The validation function validate_skill() only checks the AST for required constants and functions, but does not prevent malicious code from being included in the skill file. Once installed, the skill is imported and executed by the server.
Impact:
An attacker can gain full control over the server and the connected robot.
Recommendation:
- Avoid executing untrusted Python code. Use a safe DSL or a highly restricted sandbox.
- If Python must be executed, use a secure sandbox (e.g., gVisor, WASM) and strict static analysis.
- Implement strict integrity checks and avoid automatic import of user-provided files.
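Why the validation described above accepts code that executes on import, as an added example that is not RoboRun's code or part of the original report: `weak_validate` is a hypothetical reconstruction of the check as the report describes it, and `audit_behavior`, `ALLOWED_IMPORTS` and the sample strings are constructed for illustration.

```python
import ast

# Hypothetical reconstruction of the check the report describes (not RoboRun's code):
# two marker substrings plus a syntax-only compile().
def weak_validate(source: str) -> bool:
    if "def " not in source or "@behavior" not in source:
        return False
    try:
        compile(source, "<behavior>", "exec")  # parses only; nothing is inspected
    except SyntaxError:
        return False
    return True

ALLOWED_IMPORTS = {"math"}  # assumed allowlist, for illustration only

def audit_behavior(source: str) -> list[str]:
    """List constructs that run at import time or import outside the allowlist."""
    tree = ast.parse(source)
    findings = []
    for node in tree.body:
        is_docstring = (isinstance(node, ast.Expr)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str))
        if is_docstring or isinstance(
                node, (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        findings.append(f"line {node.lineno}: top-level {type(node).__name__} runs on import")
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or "."]
        else:
            continue
        for name in modules:
            if name.split(".")[0] not in ALLOWED_IMPORTS:
                findings.append(f"line {node.lineno}: import of {name!r} not in allowlist")
    return findings

# Constructed samples: both satisfy the marker and syntax checks.
CLEAN = "import math\n@behavior\ndef wave(robot):\n    return math.pi\n"
SUSPECT = "import os\n@behavior\ndef wave(robot):\n    pass\nSTAMP = os.getcwd()\n"

if __name__ == "__main__":
    for label, src in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, weak_validate(src), audit_behavior(src))
```

An empty findings list is a triage signal, not a safety guarantee: decorator expressions and default arguments also evaluate on import, and function bodies run when called, which is why the recommendation pairs static analysis with a sandbox.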