Share
## https://sploitus.com/exploit?id=32FD3F76-FA24-50D7-8B8E-EB54017D7821
# CVE-2026โ€“2256 PoC


## Executive Summary
A critical command injection vulnerability (CVE-2026โ€“2256, CVSS X.X) was identified in the Shell tool component of the MS-Agent framework version 1.5.2. The vulnerability arises from improper sanitization of user-influenced input that is passed directly to a shell execution context, enabling unintended command evaluation.
An attacker can exploit this flaw by injecting crafted content into data sources consumed by the agent, such as prompts, documents, logs, or research inputs, without requiring direct shell access or explicit operator misuse. As a result, arbitrary commands can be executed with the privileges of the MS-Agent process on the host system as part of the agent's normal execution flow, potentially leading to full host compromise.

- Learn more about the vulnerability: 

### Technical Details
* Affected Vendor: ModelScope
* Affected Product: MS-Agent
* Affected Version: 1.5.2
* Vulnerable Component: Shell tool
* Location: ms_agent/tools/shell/shell.py

The Shell tool is an internal MS-Agent component that allows agents to execute operating system commands on the host. It is intended to support agent workflows such as file management, directory traversal, and automation tasks by delegating command execution to the underlying OS.


## Proof of Concept (Safe Command Execution Reproducer)

### What This PoC Demonstrates
This simplified PoC shows how the `check_safe()` function in ms-agent's Shell tool can be bypassed to establish a reverse shell using **Python**.

### Prerequisites
- Python 3
- `nc` (netcat)

## Step-by-Step Testing Instructions

### Step 1: First Run (Check Bypass)
Run the PoC to verify the command bypasses security checks.
Expected output: โœ“ BYPASS SUCCESSFUL - the command passes all security checks

### Step 2: Setup Listener (New Terminal Window)
Open a **NEW terminal window** and run:

```bash
nc -l 1111
```

This starts a listener on port 1111. Leave this terminal open and waiting.

### Step 3: Execute Reverse Shell (Original Terminal)

In your original terminal, run:

```bash
./reverse_shell_poc.py --execute
```

When prompted, type `yes` and press Enter.

### Step 4: Verify Connection

Switch to the terminal with the netcat listener (from Step 2). You should now have a shell prompt!

Try commands like:
- `whoami` - see your username
- `pwd` - see current directory
- `ls` - list files
- `exit` - close the connection

## What's Happening?

1. **Bypass Technique**: Uses `python3` to execute arbitrary code
2. **Why It Works**: `python3` is NOT in the blocked commands list
3. **Security Impact**: Full command execution despite security checks

## The Vulnerability

The `check_safe()` function blocks commands like:
- `sudo`, `rm -rf /`, `chmod`, `curl | bash`, etc.

But it **does NOT block**:
- `python3` (arbitrary code execution)
- `nc` (netcat - network connections)
- `perl`, `ruby`, `node` (other interpreters)

## Key Findings

This demonstrates a **CRITICAL vulnerability**:
- โœ— Incomplete blocklist of dangerous commands
- โœ— Python can execute any arbitrary code
- โœ— Can bypass all security checks
- โœ— Achieves full reverse shell access

## Cleanup

After testing, you can remove the test directory:

```bash
rm -rf /tmp/test_output
```

## Note

This is a **localhost-only** demonstration (connects to 127.0.0.1). This PoC intentionally avoids remote connectivity to reduce abuse risk.