GHSA-VFFC-F7R7-RX2W: Systemd Unit Injection in OpenClaw Enables Local Command Execution

The OpenClaw infrastructure tool contains a systemd unit injection vulnerability (CWE-93: Improper Neutralization of CRLF Sequences) in its daemon management component. OpenClaw dynamically generates systemd unit files (.service) to manage background processes. The vulnerability arises because the application constructs these files by concatenating user-supplied strings—specifically environment variable keys, values, and service descriptions—without adequate sanitization of control characters.

Systemd unit files rely on line-delimited syntax, where a newline character signifies the end of one directive and the start of another. By injecting carriage return (\r) or line feed (\n) characters into an input field, an attacker can prematurely terminate a legitimate configuration line and inject a new, arbitrary directive. This allows for the manipulation of the service's execution flow, environment, or security controls. The impact is critical: if an attacker successfully injects an ExecStart or ExecStartPre directive, they achieve arbitrary code execution whenever the service is managed by systemd.

The vulnerability stems from two distinct failures in src/daemon/systemd-unit.ts. First, the buildSystemdUnit function treats user inputs as trusted strings, directly interpolating them into the unit file template. There is no validation to ensure these inputs do not contain newline characters, which are semantically significant in the systemd configuration format.

Second, the helper function systemdEscapeArg, intended to sanitize arguments, utilized a flawed regular expression logic. The original implementation used the regex /[\\s"\\\\]/. In the specific JavaScript execution context used by OpenClaw, the double-escaped backslash sequence [\\s] was interpreted literally as a backslash followed by the letter 's', rather than the intended whitespace character class \s. Consequently, arguments containing spaces or tabs were not properly detected or escaped. This failure in the escaping logic, combined with the lack of CRLF neutralization, creates a robust vector for injection attacks where an attacker can bypass the intended structure of the service file.

The remediation addresses the improper sanitization by enforcing strict escaping of control characters and correcting the flawed regex. Below is an analysis of the vulnerable logic versus the patched implementation.

Vulnerable Code Logic (Conceptual): The original code likely concatenated the environment strings directly. Note the lack of newline filtering:

// src/daemon/systemd-unit.ts (Vulnerable)
function buildSystemdUnit(config) {
  let unitContent = "[Service]\n";
  // Input is interpolated directly. If envValue contains \n, it breaks the file structure.
  unitContent += `Environment="${config.envKey}=${config.envValue}"\n`;
  return unitContent;
}

Patched Code Logic: The fix, implemented in commit 61f646c41fb43cd87ed48f9125b4718a30d38e84, introduces proper escaping mechanisms. It likely validates that keys do not contain control characters and escapes values according to systemd syntax (using \x sequences or quoting) while correctly identifying whitespace.

// src/daemon/systemd-unit.ts (Fixed)
function systemdEscapeArg(arg: string) {
  // Corrected regex to properly identify whitespace and special chars
  // Prior regex `/[\\s"\\\\]/` was flawed; fixed version correctly targets whitespace
  if (!/[\s"\\]/.test(arg)) return arg;
  
  // Implementation of proper escaping logic
  return "\"" + arg.replace(/(["\\])/g, "\\$1") + "\"";
}
 
// When building the unit, newlines are explicitly rejected or escaped

> [!NOTE] > The patch ensures that even if a user provides input like foo\nbar, it is treated as a literal string within a quoted value, preventing the parser from interpreting bar as a new directive.

Exploitation requires the attacker to influence the configuration or environment variables OpenClaw uses to generate the service file. This could occur via a malicious plugin, a compromised configuration file, or a low-privileged user interface that allows setting environment variables for the daemon.

Attack Scenario:

1. Target: The Environment directive in the generated unit file.
2. Payload: An attacker sets an environment variable named INJECT with the value:

   ok
   ExecStartPre=/bin/bash -c 'echo pwned > /tmp/hacked'

3. Injection: When OpenClaw generates the file, it writes:

   Environment=INJECT=ok
   ExecStartPre=/bin/bash -c 'echo pwned > /tmp/hacked'

Outcome: Systemd parses Environment=INJECT=ok as a valid assignment. It then encounters ExecStartPre=... on a new line, treating it as a legitimate service instruction. When the service is next started or restarted (e.g., via systemctl start openclaw), systemd executes the injected command. Since systemd services often run with elevated privileges (root) or the specific user of the daemon, this results in Local Command Execution (LCE) with those privileges.

The impact of this vulnerability is rated High due to the potential for privilege escalation and persistence.

• Privilege Escalation: If the OpenClaw daemon is configured to run as root (common for infrastructure management tools) or a dedicated system user, the attacker gains code execution with those privileges. This effectively compromises the host system.
• Persistence: Systemd unit files are persistent configuration artifacts. The injected command will execute every time the service starts, effectively acting as a persistence mechanism until the unit file is manually cleaned or regenerated.
• Scope: This affects any Linux system using systemd where OpenClaw is installed and allows untrusted input to influence service generation logic.

CVSS Vector Breakdown:

• AV:L (Local): The attacker needs local access or a way to influence local configuration.
• PR:L (Low Privileges): Requires basic access to feed input to OpenClaw.
• UI:R (Required): An admin must restart or reload the service for the new unit file to take effect (though OpenClaw often automates this).
• C/I/A:H (High): Full loss of Confidentiality, Integrity, and Availability for the affected service context.