# Vulnerability Summary: Unauthenticated Log Subscription and Command Injection in GoClaw Heartbeat Execution Flow

## Vulnerability Overview

**Title**: Critical: Unauthenticated log subscription and command injection in heartbeat execution flow #866

**Severity**: Critical (CVSS 3.1 Score: 10.0)

**Type**: Unauthenticated Remote Code Execution (RCE)

**Core Logic**: The Gateway in GoClaw has a flaw in its authentication logic. When a client connects, if the provided Bearer Token is invalid, expired, or missing, the server does not reject the connection but silently falls back to an “unauthenticated context.” Meanwhile, the RBAC permission engine adopts a default-allow policy for unclassified RPC methods. This allows an attacker to access specific interfaces without credentials and inject malicious commands via the heartbeat execution flow.

## Impact Scope

**Affected Components**:

* Gateway/Connect (Authentication Interceptor / Middleware)
* Authorization/RBAC (Permission Policy Engine)
* ApiChannels/Instances (Instance Listing RPC)
* ApiLogs (Log Streaming RPC)
* Heartbeat/Runner (Heartbeat Execution Engine)

**Attack Path**:

1. Establish a “degraded” view session (no valid credentials required).
2. List all registered agents and obtain their UUIDs.
3. Inject malicious content into the `heartbeat.checklist.set` endpoint to confirm liveness.
4. Trigger the Heartbeat Runner, injecting attacker-controlled `prompt/checklist` content into the agent’s execution context (specifically `HEARTBEAT.md`).
5. Leverage the agent’s `exec tool` capability (if enabled) to achieve arbitrary command execution on the underlying host.

## Remediation Plan

1. **Reject Unauthenticated Connections (Critical)**: Modify the Connect Interceptor to strictly close the connection or return an unauthenticated status; do not fall back to a default view context.
2. **Enforce Default Deny (Critical)**: Change the RBAC policy to default deny. RPC methods must be explicitly marked as allowed unless they are intentionally public.
3. **Authorize Heartbeat Scope**: Heartbeat write operations (`heartbeat.set`) must be restricted to `agentwrite` or `admin` scopes; view roles must not have access.
4. **Input Sanitization**: The Heartbeat Runner should treat content from the heartbeat service as untrusted data, executing it in a sandboxed environment or strictly validating prompts.
5. **Mask Sensitive Identifiers**: The `channels.instances.list` endpoint should return non-sensitive Alias or Fingerprint instead of internal UUIDs.

## POC Code/Exploit Code

```json
{
  "heartbeat_prompt/checklist written by viewer": "heartbeat.list.triggered",
  "execution_prompt": {
    "index": "test-completed",
    "format": {
      "type": "event",
      "agent": "test-agent",
      "payload": {
        "type": "test-completed",
        "result": "test-agent",
        "payload": {
          "content": "echo 'test-agent' > /tmp/test-agent && echo 'test-agent' >> /tmp/test-agent",
          "echo_creation_tokens": 0,
          "echo_read_tokens": 0,
          "completion_tokens": 0,
          "group_tokens": 0,
          "total_tokens": 1615
        },
        "channel": "heartbeat",
        "sensitivity": "public"
      }
    }
  },
  "cleanup_applied": "prompt/checklist cleared, webhook=false"
}
```
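
Remediation items 1 to 3 (reject instead of falling back, default deny, heartbeat writes limited to `agentwrite` or `admin`) can be sketched as a single gate that runs before any RPC handler. This is an added example, not GoClaw's own code: `Authenticate`, `Handle`, the token table, the `example.unclassified` method and the choice to let the view scope call `channels.instances.list` are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// All names here are hypothetical; this is not GoClaw's code.
var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrDenied          = errors.New("permission denied")
	// Constructed stand-in for real token verification: token -> scope.
	tokens = map[string]string{"tok-view": "view", "tok-writer": "agentwrite", "tok-admin": "admin"}
	// Explicit allow list; unlisted methods are denied. The view entry is an assumption.
	policy = map[string][]string{
		"channels.instances.list": {"view", "agentwrite", "admin"},
		"heartbeat.checklist.set": {"agentwrite", "admin"},
		"heartbeat.set":           {"agentwrite", "admin"},
	}
)

// Authenticate returns the caller's scope; a bad token is an error, never a fallback scope.
func Authenticate(header string) (string, error) {
	scope, ok := tokens[strings.TrimPrefix(header, "Bearer ")]
	if !strings.HasPrefix(header, "Bearer ") || !ok {
		return "", ErrUnauthenticated
	}
	return scope, nil
}

// Handle runs both checks before any RPC handler would be dispatched.
func Handle(header, method string) error {
	scope, err := Authenticate(header)
	if err != nil {
		return err
	}
	for _, allowed := range policy[method] { // nil slice for unlisted methods
		if allowed == scope {
			return nil
		}
	}
	return ErrDenied // default deny
}

func main() {
	fmt.Println(Handle("", "channels.instances.list"))                // unauthenticated
	fmt.Println(Handle("Bearer tok-view", "heartbeat.checklist.set")) // permission denied
	fmt.Println(Handle("Bearer tok-admin", "example.unclassified"))   // permission denied
}
```

Because an unlisted method yields an empty scope list, adding a new RPC without a policy entry fails closed for every caller, including `admin`.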