제출 #856873: zevorn rt-claw 0.2.0 Server-Side Request Forgery (CWE-918)정보

제목zevorn rt-claw 0.2.0 Server-Side Request Forgery (CWE-918)
설명# Technical Details A Server-Side Request Forgery vulnerability exists in the swarm RPC receiver path of rt-claw v0.2.0. The application accepts unauthenticated UDP swarm RPC requests that can invoke the `http_request` tool with attacker-controlled JSON parameters. The `receiver_thread()` in `claw/services/swarm/swarm.c` dispatches incoming RPC packets to `handle_rpc_request()`, which parses the attacker-controlled JSON payload and forwards it directly into `claw_tool_invoke()` without any authorization or destination policy validation. When the attacker supplies `tool_name="http_request"` and a `url` pointing to `127.0.0.1`, the tool passes that URL through `claw_net_get()` → libcurl → the internal endpoint, and the response body is exfiltrated in the RPC reply. There is no loopback/private-range rejection, no resolved-address pinning, and no redirect re-validation. # Vulnerable Code File: claw/services/swarm/swarm.c (lines 320–325) Method: handle_rpc_request() → claw_tool_invoke() Why: The function parses `cJSON_Parse(req->payload)` and calls `claw_tool_invoke(tool, invoke_params, result)` with no authorization gate. The tool path at `claw/tools/tool_net.c` lines 402–450 forwards the URL to `claw_net_get()`, and the Linux sink at `osal/linux/claw_net_linux.c` lines 115–126 uses `curl_easy_setopt(curl, CURLOPT_URL, url)` without destination validation. # Reproduction 1. Build rt-claw v0.2.0 for Linux with `-Dosal=linux -Dtool_net=true -Dswarm=true` 2. Start the rtclaw binary on UDP port 5300 and a loopback canary HTTP server on `127.0.0.1` 3. Send a forged swarm RPC packet with `tool_name="http_request"` and `url="http://127.0.0.1:<port>/secret"` 4. Observe canary server logs `canary hit path=/secret peer=127.0.0.1` 5. RPC response contains `"body":"secret_fa27a6f97541569e"` — the secret content is exfiltrated 6. Run control: request `/public` only — the `/secret` path is never accessed # Impact - Unauthenticated remote attacker can use the device as an HTTP pivot to read loopback-only services - Non-blind SSRF: response bodies are exfiltrated over the same RPC channel - Enables probing internal HTTP services, retrieving tokens, configuration data, debug endpoints, and metadata services - Any deployment exposing swarm RPC to untrusted peers on Linux is affected
원천⚠️ https://github.com/zevorn/rt-claw/issues/140
사용자
 Eric-y (UID 95889)
제출2026. 06. 12. AM 11:40 (1 월 ago)
모더레이션2026. 07. 17. PM 06:09 (1 month later)
상태수락
VulDB 항목379840 [zevorn rt-claw 까지 0.2.0 http_request swarm.c receiver_thread 권한 상승]
포인트들20

Do you want to use VulDB in your project?

Use the official API to access entries easily!