I Spent $500 To Test Devin For Prompt Injection So That You Don't Have To · Embrace The Red
We will cover Devin proof-of-concept exploits in multiple posts over the next few days. In this first post, we show how a prompt injection payload hosted on a website leads to a full compromise of Devin’s DevBox.
By planting instructions on a website or GitHub issue that Devin processes, it can be tricked to download malware and launch it. This leads to full system compromise and turns Devin into a remote-controlled ZombAI. Any exposed secrets can then be leveraged to perform lateral movement, or other post-exploitation steps.
First, I had to set up a few infrastructure components for the C2 server. Luckily this is something I typically have handy, so it was quite quick to set up.
As a command & control system I used Sliver from Bishop Fox. I hosted a Sliver server and generated a Linux malware binary with Sliver that will call back and allow remote control of any host that launches the binary.
The key trick here is to have Devin navigate off domain (e.g. away from GitHub to the attacker’s page). This is not a requirement, but it appears to be a lot more reliable that way, and better simulates real-world risk. But I observed it followed more complex instructions directly from GitHub also.
