The NetSPI Agents demonstrate how prompt injection in AI chatbots can enable remote code execution and server compromise, exposing data and infrastructure through insecure AI deployments. The post walks through a hands-on test sequence showing Python execution, a verifiable external effect, and subsequent credential access within AWS via the Instance Metadata Service. #PromptInjection #RemoteCodeExecution
Keypoints
- NetSPI Agents expose prompt-injection vulnerabilities in AI chatbots that can lead to unauthorized actions, including remote code execution.
- The chatbot architecture includes an interface that can execute Python code and interact with the underlying OS, raising security risks when untrusted inputs are accepted.
- The methodology uses prompting to elicit code execution, analyze results, and test security controls around input handling and isolation.
- An evidence chain demonstrates a verifiable external effect by having the chatbot make an HTTP GET request to a NetSPI-controlled Collaborator server.
- Attackers progress from code execution tests to a reverse shell, gaining shell access and viewing sensitive files on the hosting server.
- Exploitation extends to cloud credentials via AWS Instance Metadata Service (IMDS), enabling retrieval of AccessKeyId/SecretAccessKey and potential AWS actions.
- Recommendations emphasize strong authentication, isolation, input validation, monitoring, and regular security assessments for AI-powered systems.
MITRE Techniques
- [T1059.006] Python – Execution of Python code via the chatbot using a subprocess-like mechanism. – ‘the chatbot can execute Python code in response to specific prompts.’
- [T1059.004] Unix Shell – Reverse shell via a Python one-liner to gain shell access on the hosting server. – ‘initiate a reverse shell via a Python one-liner’
- [T1071.001] Web Protocols – The chatbot performs external network communication (HTTP) to a NetSPI Collaborator instance to demonstrate a real external effect. – ‘make a HTTP GET request to a NetSPI controlled Collaborator instance’
- [T1105] Ingress Tool Transfer – Download or retrieve the netspi.sh script from a NetSPI-controlled host so it can be written to disk and executed on the hosting server. – ‘retrieve the “netspi.sh” script from a NetSPI controlled host running a Python Simple HTTP Server’
- [T1550.004] Cloud Credentials from Instance Metadata – Abuse IMDS to extract AWS credentials (AccessKeyId/SecretAccessKey) and use them to access AWS resources. – ‘request a valid token from the Instance Metadata Service (IMDS)’ and ‘With the credentials in hand, we can authenticate to the AWS account directly and begin to take actions…’
Indicators of Compromise
- [IP Address] 169.254.169.254 – Link-local address of the AWS Instance Metadata Service, queried from the hosting server to retrieve IMDS tokens and temporary credentials.
- [File Name] netspi.sh – Bash reverse shell script used to establish a backdoor on the hosting server.
- [User] ubuntu – System user observed during the test indicating the OS environment used for code execution.
- [URL] NetSPI Collaborator instance – HTTP GET requests to a NetSPI-controlled server used to verify external effects of code execution.
- [Credential] AccessKeyId and SecretAccessKey – AWS credentials obtained via IMDS to access the target AWS account.
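As an added example (not code from the NetSPI post), the monitoring recommendation in the keypoints and the indicators listed above can be turned into a small detector for the chatbot's code-execution sandbox. It assumes the sandbox writes one JSON audit event per line with the fields shown; the log lines, the hostnames and the egress allowlist are constructed for this example. It flags connections to the IMDS address, egress to hosts outside the allowlist, and shell launches from the Python tool, and then reports sessions where all three appear together, which is the chain the keypoints describe.

```python
"""Detector over constructed sandbox audit events for the prompt-injection-to-IMDS chain."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterator

# IoC from the page: link-local address of the AWS Instance Metadata Service.
IMDS_ADDR = "169.254.169.254"

# Assumption: the code-execution tool only legitimately reaches this host.
# Replace with the real allowlist; anything else is reported as unexpected egress.
EGRESS_ALLOWLIST = {"api.example.internal"}

# Shell interpreters whose launch from the Python tool is a T1059.004-style signal.
SHELL_BINARIES = {"sh", "bash", "dash", "zsh"}

# Constructed audit lines (not from the post): one JSON object per line.
# Session s1 walks the whole chain; session s2 is benign activity.
SAMPLE_LOG = """\
{"ts": "2024-01-01T10:00:00Z", "tool": "python_exec", "session": "s1", "event": "net_connect", "dst": "api.example.internal", "port": 443}
{"ts": "2024-01-01T10:00:05Z", "tool": "python_exec", "session": "s1", "event": "net_connect", "dst": "collab.example.net", "port": 80}
{"ts": "2024-01-01T10:00:09Z", "tool": "python_exec", "session": "s1", "event": "proc_spawn", "argv": ["/bin/sh", "-i"]}
{"ts": "2024-01-01T10:00:20Z", "tool": "python_exec", "session": "s1", "event": "net_connect", "dst": "169.254.169.254", "port": 80}
{"ts": "2024-01-01T10:00:21Z", "tool": "python_exec", "session": "s1", "event": "net_connect", "dst": "169.254.169.254", "port": 80}
{"ts": "2024-01-01T10:05:00Z", "tool": "python_exec", "session": "s2", "event": "proc_spawn", "argv": ["ls", "-la"]}
{"ts": "2024-01-01T10:05:01Z", "tool": "python_exec", "session": "s2", "event": "net_connect", "dst": "api.example.internal", "port": 443}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    session: str
    rule: str
    severity: str
    detail: str


def iter_events(log_text: str) -> Iterator[tuple[int, dict]]:
    """Yield (line number, event dict); skip blank or malformed lines instead of aborting."""
    for n, raw in enumerate(log_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield n, json.loads(raw)
        except json.JSONDecodeError:
            continue  # a real pipeline would count these as parse errors


def check_event(n: int, ev: dict) -> list[Finding]:
    """Apply the three rules to one event and return any findings."""
    out: list[Finding] = []
    session = str(ev.get("session", "?"))
    kind = ev.get("event")
    if kind == "net_connect":
        dst = str(ev.get("dst", ""))
        target = f"connect to {dst}:{ev.get('port')}"
        if dst == IMDS_ADDR:
            # Credential theft path from the page: the sandbox never needs IMDS.
            out.append(Finding(n, session, "imds_access", "high", target))
        elif dst not in EGRESS_ALLOWLIST:
            # Covers the Collaborator-style callback and the script download.
            out.append(Finding(n, session, "unexpected_egress", "medium", target))
    elif kind == "proc_spawn":
        argv = ev.get("argv") or []
        # Compare on the basename so "/bin/sh" and "sh" are treated alike.
        if argv and str(argv[0]).rsplit("/", 1)[-1] in SHELL_BINARIES:
            out.append(Finding(n, session, "shell_spawn", "high", " ".join(map(str, argv))))
    return out


def scan(log_text: str) -> list[Finding]:
    """Run every event in the log through the rules, in file order."""
    findings: list[Finding] = []
    for n, ev in iter_events(log_text):
        findings.extend(check_event(n, ev))
    return findings


def sessions_matching_chain(findings: list[Finding]) -> set[str]:
    """Sessions where egress, a shell launch and IMDS access all occur: the full chain."""
    rules_by_session: dict[str, set[str]] = {}
    for f in findings:
        rules_by_session.setdefault(f.session, set()).add(f.rule)
    needed = {"unexpected_egress", "shell_spawn", "imds_access"}
    return {s for s, rules in rules_by_session.items() if needed <= rules}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line} [{f.severity}] {f.rule} ({f.session}): {f.detail}")
    print("sessions with the full chain:", sorted(sessions_matching_chain(results)))
```

The per-event rules are deliberately simple so each one maps to a single indicator on the page; the session-level correlation is what separates a one-off misconfiguration from the end-to-end compromise, and it is the alert worth paging on. Blocking IMDS and non-allowlisted egress at the sandbox's network layer is the corresponding isolation control; this detector is for confirming that the control holds.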