| शीर्षक | zevorn rt-claw 36d128f72afa0b9d40a21bcd6069b0c193a58f82 (unreleased main, post-v0.2.0) Incorrect Authorization leading to Remote Code Execution (CWE-863) |
|---|
| विवरण | # Technical Details
An Incorrect Authorization vulnerability exists in the `handle_rpc_request` method in `claw/services/swarm/swarm.c` of rt-claw.
The application fails to enforce the `CLAW_TOOL_LOCAL_ONLY` policy on the swarm RPC receiver path. A remote node can send a crafted UDP RPC request with `tool_name="run_script"` and attacker-controlled JSON, and the receiver directly invokes the tool even though `run_script` is explicitly marked local-only.
# Vulnerable Code
File: claw/services/swarm/swarm.c
Method: handle_rpc_request
Why: The receiver parses the inbound payload and calls `claw_tool_invoke()` without checking the target tool flags, while the sender helper `swarm_rpc_call()` does enforce the local-only restriction. On Linux, this reaches `tool_run_script_execute` and `claw_platform_run_script`, which execute Python code.
# Reproduction
1. Download `verification_test.py` and `control-normal-behavior.py` from the issue-linked gists.
2. Build the Linux target with swarm and `run_script` enabled, then run the control script first.
3. Run `python3 verification_test.py` and observe that an unauthenticated swarm RPC request invokes `run_script` and reaches Python execution on the node.
# Impact
- An unauthenticated remote node can bypass local-only tool restrictions.
- On Linux deployments with `tool_script` enabled, this leads to arbitrary Python execution in the context of the `rtclaw` process. |
|---|
| स्रोत | ⚠️ https://github.com/zevorn/rt-claw/issues/133 |
|---|
| उपयोगकर्ता | Eric-x (UID 94869) |
|---|
| सबमिशन | 13/06/2026 05:06 AM (1 महीना पहले) |
|---|
| संयम | 18/07/2026 09:29 AM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 380016 [zevorn rt-claw तक 0.2.0 RPC swarm.c claw_tool_invoke अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|