8421bit MiniClaw OS Command Injection Vulnerability in System Command Handler

Vulnerability

A command injection vulnerability has been identified in 8421bit MiniClaw versions 0.8.0 and 0.9.0. The issue arises in the System Command Handler component, specifically within the 'resolveSkillScriptPath' function in 'src/kernel.ts'. This vulnerability allows for arbitrary OS command execution by manipulating user-controlled arguments, which are improperly sanitized before being executed in a system shell.

Impact

Exploitation of this vulnerability allows for remote, unauthenticated execution of arbitrary commands on the host system, potentially leading to a complete takeover of the server, unauthorized data deletion, or the installation of malware.

Reproduction

The vulnerability can be reproduced by using the 'executeSkillScript' function. Inject a payload that breaks out of the argument quotes and executes a command, such as removing files or directories.

Remediation

Users are advised to update to the patched version of MiniClaw, which is available on the project's GitHub repository.
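The root cause described above is a user-supplied argument reaching a shell as part of a command string. The snippet below is an added illustration of how a handler of this shape can be written without a shell at all; it is not MiniClaw's code, and the skills directory, the `.sh` naming and the function names are assumptions made for the example.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import * as path from "node:path";

const execFileAsync = promisify(execFile);

// Hypothetical skills directory; MiniClaw's real layout is not known from the advisory.
const SKILLS_DIR = path.resolve("/opt/miniclaw/skills");

// Only plain skill names are accepted: no path separators, dots or shell metacharacters.
const SKILL_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Hypothetical safe counterpart of the advisory's resolveSkillScriptPath.
export function resolveSkillScriptPathSafe(skillName: string): string {
  if (!SKILL_NAME.test(skillName)) {
    throw new Error(`rejected skill name: ${JSON.stringify(skillName)}`);
  }
  const resolved = path.resolve(SKILLS_DIR, `${skillName}.sh`);
  // Defence in depth: even a name that passed the regex must stay inside SKILLS_DIR.
  if (!resolved.startsWith(SKILLS_DIR + path.sep)) {
    throw new Error("resolved path escapes the skills directory");
  }
  return resolved;
}

// Build the argv handed to execFile. Each user argument becomes one discrete argv
// entry, so quotes, semicolons or spaces inside it are never interpreted by a shell.
export function skillArgv(skillName: string, args: string[]): string[] {
  return ["sh", resolveSkillScriptPathSafe(skillName), ...args];
}

// Hypothetical safe counterpart of executeSkillScript: execFile spawns the process
// directly (shell: false by default), unlike exec(), which hands a string to /bin/sh.
export async function executeSkillScriptSafe(skillName: string, args: string[]): Promise<string> {
  const [cmd, ...argv] = skillArgv(skillName, args);
  const { stdout } = await execFileAsync(cmd, argv);
  return stdout;
}
```

The shell-free path is the fix; the name allow-list and directory check are independent layers that also block path traversal into other scripts.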

Added: May 10, 2026, 7:18 AM
Updated: May 10, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.