AI Security AI安全 9h ago Updated 4h ago 更新于 4小时前 51

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws 研究人员详述利用OpenClaw三个漏洞的WhatsApp到主机攻击链

Three high-severity vulnerabilities in OpenClaw allow attackers to bypass security controls, leading to credential theft, privilege escalation, and arbitrary code execution. The flaws include OS command injection due to incomplete input filtering and a path traversal vulnerability that enables sandbox escape via parent directory bypass. Exploitation chain allows remote code execution triggered by external messages (e.g., via WhatsApp) without requiring prior foothold. All issues were patched in OpenClaw AI助手存在三个已修复的高危漏洞,可导致凭证窃取、权限提升及宿主机任意代码执行。 攻击者可通过WhatsApp外部消息触发“WhatsApp-to-Host”攻击链,无需预先在目标系统建立立足点。 核心缺陷包括OS命令注入及沙箱绑定挂载的路径遍历绕过,允许攻击者访问敏感目录如~/.ssh和Docker Socket。 研究人员Chinmohan Nayak披露了利用父目录挂载绕过子目录黑名单的具体技术细节。 官方建议升级至v2026.6.6,并强化沙箱模式、收紧工具白名单及监控异常git命令以缓解风险。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • Three high-severity vulnerabilities in OpenClaw allow attackers to bypass security controls, leading to credential theft, privilege escalation, and arbitrary code execution.
  • The flaws include OS command injection due to incomplete input filtering and a path traversal vulnerability that enables sandbox escape via parent directory bypass.
  • Exploitation chain allows remote code execution triggered by external messages (e.g., via WhatsApp) without requiring prior foothold.
  • All issues were patched in OpenClaw version 2026.6.6, with recommendations to enforce strict sandboxing and narrow tool allowlists.

Why It Matters

This incident highlights critical risks in integrating AI assistants with messaging platforms and host systems, demonstrating how seemingly isolated sandbox environments can be compromised through logic flaws in path validation. For AI practitioners and security teams, it underscores the necessity of rigorous input sanitization and defense-in-depth strategies when exposing AI tools to untrusted external inputs.

Technical Details

  • Command Injection (CVSS 8.8): Two separate CVEs (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm) stem from an incomplete denylist of disallowed inputs, allowing attackers to inject OS commands that execute beyond intended authorization levels.
  • Path Traversal & Sandbox Escape (CVSS 8.4): GHSA-575v-8hfq-m3mc exploits a logic error where getBlockedReasonForSourcePath() checks if a source is under a blocked path but fails to check if a blocked path is under the source. This allows mounting parent directories (e.g., /home or /var) to access sensitive files like SSH keys, AWS credentials, or the Docker socket.
  • Exploitation Vector: Security researcher Chinmohan Nayak demonstrated that these vulnerabilities can be chained to execute host code directly from a WhatsApp message, bypassing the need for initial access.
  • Mitigation: Patching to version 2026.6.6 is required. Additional hardening includes enabling sandbox mode for non-main sessions, removing "exec" from tool allowlists for channel-facing agents, and monitoring for abuse of external protocol helpers like ext::.

Industry Insight

  • Zero-Trust for AI Agents: Developers must assume that any interface exposed to external channels (like WhatsApp) is potentially hostile. Strict isolation between user inputs and host execution environments is non-negotiable.
  • Defense in Depth: Relying solely on denylists for security is insufficient. Implementing allowlists, validating path relationships bidirectionally, and minimizing the attack surface by disabling unnecessary features are essential practices.
  • Supply Chain & Configuration Risks: The ease of escaping a sandbox via misconfigured bind mounts suggests that many AI applications may have similar latent vulnerabilities. Regular audits of container configurations and permission models are critical for securing AI deployments.

TL;DR

  • OpenClaw AI助手存在三个已修复的高危漏洞,可导致凭证窃取、权限提升及宿主机任意代码执行。
  • 攻击者可通过WhatsApp外部消息触发“WhatsApp-to-Host”攻击链,无需预先在目标系统建立立足点。
  • 核心缺陷包括OS命令注入及沙箱绑定挂载的路径遍历绕过,允许攻击者访问敏感目录如~/.ssh和Docker Socket。
  • 研究人员Chinmohan Nayak披露了利用父目录挂载绕过子目录黑名单的具体技术细节。
  • 官方建议升级至v2026.6.6,并强化沙箱模式、收紧工具白名单及监控异常git命令以缓解风险。

为什么值得看

本文揭示了个人AI助手在集成外部通信渠道时面临的严重安全边界突破风险,展示了从应用层到宿主机的完整攻击路径。对于AI安全从业者和部署本地AI代理的组织而言,理解此类沙箱逃逸机制及配置错误导致的权限提升至关重要,有助于制定更严格的访问控制策略。

技术解析

  • 漏洞详情:包含两个CVSS评分为8.8的命令注入漏洞(GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm)和一个CVSS评分为8.4的路径遍历漏洞(GHSA-575v-8hfq-m3mc)。前两者涉及执行环境过滤机制不完整,后者允许绕过父目录拒绝列表检查。
  • 沙箱逃逸机制:通过绑定挂载父目录(如/home/var)而非受保护的子目录,攻击者可读取SSH密钥、AWS凭证及GPG秘密。挂载/var可获取Docker Socket,从而实现从容器内完全逃逸至宿主机。
  • 攻击向量:不同于需要前置立足点的Claw Chain漏洞,新漏洞允许通过WhatsApp发送的外部消息直接触发宿主机代码执行,实现了从即时通讯到操作系统的无接触攻击链。
  • 修复与缓解:漏洞已在OpenClaw v2026.6.6中修复。临时缓解措施包括为非主会话启用沙箱模式、从面向渠道的代理工具允许列表中移除“exec”,以及监控包含“ext::”协议的git clone命令。

行业启示

  • AI代理的安全配置重于算法能力:本地AI助手若缺乏严格的输入验证和最小权限原则,极易成为攻击者渗透内部网络的跳板,需将安全配置视为核心功能而非附加项。
  • 通信渠道集成的风险放大效应:将AI代理接入WhatsApp等外部不可信渠道时,必须假设所有输入均为恶意,需实施更深层的沙箱隔离和协议级过滤,防止跨通道攻击。
  • 防御纵深策略的必要性:单一的安全机制(如路径黑名单)容易被绕过,应结合动态监控、严格的白名单机制及定期审计,构建多层防御体系以应对复杂的攻击链。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源 Agent Agent