Security: Insecure Default Tool Policies, Privilege Escalation, and Windows Command Injection #16323

@SuccessSoham

Description

A deep security audit of the OpenClaw codebase revealed several vulnerabilities that could lead to Remote Code Execution (RCE), Privilege Escalation, and Command Injection, particularly on Windows systems.

Identified Vulnerabilities

  1. Insecure Default Tool Policies (Critical)

    • Issue: The system defaults to allowing all tools (including exec) if no specific policy is defined for a user or group.
    • Impact: Untrusted users on messaging platforms could execute arbitrary commands if the operator hasn't explicitly configured a restrictive policy.
  2. Privilege Escalation via Session Directives (High)

    • Issue: Directives like /exec host=gateway were being parsed and persisted in the session state even if the sender was not authorized to execute them.
    • Impact: Unauthorized users could potentially influence the execution environment of subsequent legitimate commands.
  3. Command Injection on Windows (High)

    • Issue: The runCommandWithTimeout function used shell: true implicitly for non-executable files on Windows.
    • Impact: Attackers could inject shell metacharacters into command arguments, leading to arbitrary command execution on the host Windows machine.
  4. Insecure Trusted Proxy Configuration (Medium)

    • Issue: Using auth.mode = 'trusted-proxy' without defining trustedProxies allows any client to spoof identity headers.
    • Impact: Identity theft and unauthorized access to the Gateway.

Proposed Fixes

The fixes for these issues have been implemented in Pull Request #16320.

  • Changed default tool policy to "Deny-All".
  • Explicitly clear unauthorized directives during parsing.
  • Disabled implicit shell on Windows and used cmd.exe /c specifically for batch files with verbatim arguments.
  • Added audit checks for trusted-proxy misconfigurations.

    Labels

security, documentation, stale (marked as stale due to inactivity)