| 标题 | zevorn rt-claw unreleased post-v0.2.0 (36d128f) Incorrect Authorization (CWE-863) |
|---|
| 描述 | # Technical Details
An Incorrect Authorization vulnerability exists in the swarm RPC receiver in `claw/services/swarm/swarm.c` of rt-claw.
The application fails to enforce `CLAW_TOOL_LOCAL_ONLY` tool flags on the inbound swarm RPC receiver path. The `handle_rpc_request()` function accepts unauthenticated UDP RPC packets, resolves the attacker-supplied `tool_name`, parses the JSON payload, and directly invokes `claw_tool_invoke()` without checking whether the tool is flagged local-only. This allows a remote attacker to invoke `save_memory`, `list_memories`, and `delete_memory` — tools explicitly registered with `.flags = CLAW_TOOL_LOCAL_ONLY` in `claw/services/tools/system.c`. Attacker-controlled key/value data is persisted into the long-term memory store at `~/.config/rt-claw/kv/claw_ltm/`.
# Vulnerable Code
File: claw/services/swarm/swarm.c (lines 301–339)
Method: handle_rpc_request()
Why: The receiver path calls `claw_tool_invoke(tool, invoke_params, result)` without checking `tool->flags & CLAW_TOOL_LOCAL_ONLY`. The sender helper `swarm_rpc_call()` at lines 477–480 does implement this check, but a raw UDP attacker bypasses it entirely. Affected tools are registered in `claw/services/tools/system.c` lines 452–486 with `.flags = CLAW_TOOL_LOCAL_ONLY`.
# Reproduction
1. Build rt-claw for Linux with `-Dosal=linux -Dswarm=true -Dtool_system=true`
2. Start the rtclaw binary listening on UDP port 5300
3. Send a forged swarm RPC packet with `tool_name="save_memory"` and payload `{"key":"swarm_canary","value":"GHSA-canary"}`
4. Observe RPC response returns `status=0` with `"saved: swarm_canary = GHSA-canary"`
5. Send a second packet with `tool_name="list_memories"` — the persisted entry is visible in the response
6. Run control with a nonexistent tool — returns `"tool not found on this node"` with no persistence
# Impact
- Unauthenticated remote attacker can save, list, and delete long-term memory entries
- Planted memories are fed into future AI context, allowing persistent influence over model behavior
- Attacker-controlled data survives process restarts (persisted to disk KV store)
- Same receiver-side gap applies to all CLAW_TOOL_LOCAL_ONLY tools in the build |
|---|
| 来源 | ⚠️ https://github.com/zevorn/rt-claw/issues/135 |
|---|
| 用户 | Eric-y (UID 95889) |
|---|
| 提交 | 2026-06-12 11時37分 (1 月前) |
|---|
| 管理 | 2026-07-17 18時08分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 379838 [zevorn rt-claw 直到 0.2.0 Swarm RPC Receiver swarm.c handle_rpc_request 权限提升] |
|---|
| 积分 | 20 |
|---|