Enviar #856873: zevorn rt-claw 0.2.0 Server-Side Request Forgery (CWE-918)información

Títulozevorn rt-claw 0.2.0 Server-Side Request Forgery (CWE-918)
Descripción# Technical Details A Server-Side Request Forgery vulnerability exists in the swarm RPC receiver path of rt-claw v0.2.0. The application accepts unauthenticated UDP swarm RPC requests that can invoke the `http_request` tool with attacker-controlled JSON parameters. The `receiver_thread()` in `claw/services/swarm/swarm.c` dispatches incoming RPC packets to `handle_rpc_request()`, which parses the attacker-controlled JSON payload and forwards it directly into `claw_tool_invoke()` without any authorization or destination policy validation. When the attacker supplies `tool_name="http_request"` and a `url` pointing to `127.0.0.1`, the tool passes that URL through `claw_net_get()` → libcurl → the internal endpoint, and the response body is exfiltrated in the RPC reply. There is no loopback/private-range rejection, no resolved-address pinning, and no redirect re-validation. # Vulnerable Code File: claw/services/swarm/swarm.c (lines 320–325) Method: handle_rpc_request() → claw_tool_invoke() Why: The function parses `cJSON_Parse(req->payload)` and calls `claw_tool_invoke(tool, invoke_params, result)` with no authorization gate. The tool path at `claw/tools/tool_net.c` lines 402–450 forwards the URL to `claw_net_get()`, and the Linux sink at `osal/linux/claw_net_linux.c` lines 115–126 uses `curl_easy_setopt(curl, CURLOPT_URL, url)` without destination validation. # Reproduction 1. Build rt-claw v0.2.0 for Linux with `-Dosal=linux -Dtool_net=true -Dswarm=true` 2. Start the rtclaw binary on UDP port 5300 and a loopback canary HTTP server on `127.0.0.1` 3. Send a forged swarm RPC packet with `tool_name="http_request"` and `url="http://127.0.0.1:<port>/secret"` 4. Observe canary server logs `canary hit path=/secret peer=127.0.0.1` 5. RPC response contains `"body":"secret_fa27a6f97541569e"` — the secret content is exfiltrated 6. Run control: request `/public` only — the `/secret` path is never accessed # Impact - Unauthenticated remote attacker can use the device as an HTTP pivot to read loopback-only services - Non-blind SSRF: response bodies are exfiltrated over the same RPC channel - Enables probing internal HTTP services, retrieving tokens, configuration data, debug endpoints, and metadata services - Any deployment exposing swarm RPC to untrusted peers on Linux is affected
Fuente⚠️ https://github.com/zevorn/rt-claw/issues/140
Usuario
 Eric-y (UID 95889)
Sumisión2026-06-12 11:40 (hace 1 mes)
Moderación2026-07-17 18:09 (1 month later)
EstadoAceptado
Entrada de VulDB379840 [zevorn rt-claw hasta 0.2.0 http_request swarm.c receiver_thread escalada de privilegios]
Puntos20

Might our Artificial Intelligence support you?

Check our Alexa App!