Submit #856825: nextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)info

Titelnextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)
Beschreibung# Technical Details An Exec Approval Bypass via BusyBox-wrapped `allow-always` exists in the `RequestApproval()` method in `internal/tools/exec_approval.go` of GoClaw. The application's approval cache persists `allow-always` decisions using only `extractBin(command)`, which returns the basename of the first token (e.g., `busybox`). This means once an operator permanently approves one BusyBox-wrapped shell command (`busybox sh -c 'echo warmup-ok'`), all subsequent `busybox sh -c ...` payloads bypass re-approval because they resolve to the same cache key. # Vulnerable Code File: internal/tools/exec_approval.go Method: RequestApproval() and matchesAllowlist() Why: `RequestApproval()` persists `allow-always` using only `extractBin(command)` which returns `filepath.Base(fields[0])`. `matchesAllowlist()` later checks only that same extracted basename. For `/usr/bin/busybox sh -c '...'`, the stored trust key is `busybox`, and any subsequent `busybox sh -c '<arbitrary payload>'` matches the same key, executing without new approval. # Reproduction 1. Configure GoClaw with `tools.execApproval.security=full` and `ask=on-miss`. 2. Approve `/usr/bin/busybox sh -c 'echo warmup-ok'` with `allow-always` via the WebSocket approval endpoint. 3. Invoke `/usr/bin/busybox sh -c 'id > marker'` via `POST /v1/tools/invoke`. 4. Observe: no second approval event, HTTP 200 returned, and `marker` file contains `uid=0(root)`. 5. Control test: repeat with `allow-once` — a second approval event fires, denial returns HTTP 400, no marker file created. # Impact - Arbitrary command execution with the GoClaw process's host privileges after a single BusyBox approval - Workspace file read/write and tampering - Credential, config, source, or token extraction from the host environment - Follow-on system compromise depending on deployment context
Quelle⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1212
Benutzer
 Erichen (UID 98955)
Einreichung12.06.2026 10:39 (vor 1 Monat)
Moderieren17.07.2026 17:57 (1 month later)
StatusAkzeptiert
VulDB Eintrag379828 [nextlevelbuilder GoClaw bis 3.13.2 WebSocket Approval Endpoint exec_approval.go RequestApproval erweiterte Rechte]
Punkte20

Might our Artificial Intelligence support you?

Check our Alexa App!