This is not LGBT propaganda, they are simply full of holes, and that is a fact

Further down, I hope the Engineers of this wonderful outfit will recognise their creations (no complaints against you: management told you to, and you said "We can")

Responsible Disclosure: Critical Vulnerability in OpenClaw (C****.ru Marketplace)

To: C****.ru Security Team / C**** Evolution Team
From: SENTINEL Strike Force (Red Team)
Date: 2026-02-06
Severity: CRITICAL (CVSS 9.8)
Impact: Remote Code Execution (RCE), Cloud Identity Theft
Reference: CVE-2026-25253 (Moltbit/OpenClaw RCE)

1. Executive Summary

We have identified a critical risk in the OpenClaw image on the C****.ru Marketplace.
REAL DATA: Public OSINT sources (Shodan, Hunt.io) confirm thousands of instances exposed globally on Port 18789 due to the default 0.0.0.0 binding used in Docker templates.
Users deploying this image on Evolution Free Tier (which defaults to permissive Security Groups) are compromised immediately.

2. Technical Evidence (OSINT & Replication)

A. The "Port 18789" Exposure

  • Fact: OpenClaw binds its unauthenticated Admin API to 0.0.0.0:18789 by default.

  • Evidence: Shodan queries for port:18789 reveal operational dashboards accessible from the public internet.

  • Impact: Any user deployment without a custom Firewall Policy is fully exposed.

B. Confirmed Exploitation Path

  1. Recon: Attacker scans C****.ru IP ranges for Port 18789.

  2. Access: GET /dashboard returns the Admin UI (No Auth).

  3. RCE: POST /api/exec allows running curl or bash scripts.

  4. Cloud Breakout: curl 169.254.169.254 retrieves IAM Metadata credentials (stolen cloud identity).

3. Verification Protocol (For C****.ru Team)

Do not rely on simulation. Verify this on your own platform:

  1. Deploy a new OpenClaw instance from your Marketplace.

  2. Run: curl -I http://[INSTANCE_IP]:18789/

  3. Expected Result: HTTP 200 OK (Admin Panel).

  4. Safe Result: Connection Refused (Required outcome).

4. Remediation Steps (Mandatory Fixes)

1. Update Default Config (Critical)

Change docker-compose.yml binding:

ports:
  - "127.0.0.1:18789:18789" # WAS 0.0.0.0:18789

2. Default Security Group

Ensure the Marketplace template applies a strict Security Group:

  • Ingress: Allow SSH (22) ONLY.

  • Block: ALL other inbound TCP.

3. Warning Banner

Add a disclaimer: "This image is for Localhost Use via SSH Tunnel only. Do not expose to Public IP."
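The binding fix in step 1 is easy to get wrong across many marketplace templates, so here is a small audit helper (added here as an example; it is not part of the report or of the OpenClaw project) that flags every short-syntax port mapping in a docker-compose.yml which listens on all interfaces and rewrites it to the 127.0.0.1 form the report recommends. The sample compose text and the image tag are constructed for the demonstration; only the compose short port syntax ([HOST_IP:]HOST_PORT[:CONTAINER_PORT][/proto]) is handled.

```python
import re

# Constructed sample compose file (not from the report): the first two entries are the
# all-interfaces bindings the report warns about; the third is already loopback-only.
VULNERABLE_COMPOSE = """\
services:
  openclaw:
    image: openclaw:1.2.9   # hypothetical image tag
    ports:
      - "18789:18789"
      - "0.0.0.0:8080:8080"
      - "127.0.0.1:9229:9229"
"""
LOOPBACK = "127.0.0.1"
# Compose short port syntax only: [HOST_IP:]HOST_PORT[:CONTAINER_PORT][/proto]
PORT_RE = re.compile(
    r'^(?P<indent>\s*-\s*)(?P<q>["\']?)(?:(?P<host>\d{1,3}(?:\.\d{1,3}){3}):)?'
    r'(?P<hport>\d+(?:-\d+)?)(?::(?P<cport>\d+(?:-\d+)?))?(?P<proto>/\w+)?'
    r'(?P=q)\s*(?P<comment>#.*)?$')

def _port_entries(compose_text):
    """Yield (lineno, line, match); match is set only for entries inside a ports: list."""
    in_ports = False
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("ports:"):
            in_ports = True
            yield lineno, line, None
            continue
        if in_ports and not stripped.startswith("-"):
            in_ports = False  # first non-list line closes the ports: block
        yield lineno, line, (PORT_RE.match(line) if in_ports else None)

def _is_public(m):
    """No host IP (Docker's default) or an explicit 0.0.0.0 listens on every interface."""
    return m is not None and m.group("host") in (None, "0.0.0.0")

def audit_port_bindings(compose_text):
    """Return (line number, entry) for every mapping exposed on all interfaces."""
    return [(n, line.strip()) for n, line, m in _port_entries(compose_text) if _is_public(m)]

def harden_port_bindings(compose_text):
    """Rewrite each all-interfaces mapping so the host side binds to 127.0.0.1 only."""
    out = []
    for _, line, m in _port_entries(compose_text):
        if _is_public(m):
            # A bare "PORT" is container-only; "127.0.0.1::PORT" keeps the ephemeral host port.
            mapping = f'{m.group("hport")}:{m.group("cport")}' if m.group("cport") else f':{m.group("hport")}'
            comment = f'  {m.group("comment")}' if m.group("comment") else ""
            line = f'{m.group("indent")}"{LOOPBACK}:{mapping}{m.group("proto") or ""}"{comment}'
        out.append(line)
    return "\n".join(out) + "\n"
```

Running audit_port_bindings over the constructed sample reports lines 5 and 6; after harden_port_bindings the same audit reports nothing and the service is reachable only through an SSH tunnel, as step 3 intends.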

Appendix: Technical Artifacts (For Verification)

A. Discovery Dorks (OSINT)

Security teams can identify vulnerable assets using these signatures:

  • Shodan: port:18789 product:"Moltbot" http.title:"Dashboard"

  • Censys: services.port: 18789 AND services.http.response.body: "gatewayUrl"

  • Hunt.io: product.name:"OpenClaw" protocol:"http" port:18789

B. Fingerprinting (HTTP Headers)

A vulnerable instance typically returns:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Server: Moltbot-Gateway/1.2.9
Date: Fri, 06 Feb 2026 10:00:00 GMT
Content-Length: 452

Note: The Access-Control-Allow-Origin: * header confirms the CSRF vulnerability.

C. Configuration Leak (JSON Sample)

Requesting GET /api/config on an exposed instance returns critical infrastructure details:

{
  "gatewayUrl": "ws://хх.128.0.5:18789",
  "agentId": "agent-8f2a1...",
  "permissions": {
    "exec": true,
    "filesystem": true
  },
  "llmProvider": "openai",
  "version": "1.2.9"
}

Generated by SENTINEL Strike Force.

Kids, don't go walking in Africa, and don't use this bot; well, if you really want to, I strongly recommend you get in touch with me so that I can make it secure for your needs.

You are making your clients vulnerable, unbelievably insecure on the internet.