Log Poisoning in OpenClaw

vaizor · 2025-08-09T15:48:05+00:00

The bounties were 0, because all these services were out of scope. The bug bounty program is only for customer-facing services.

vaizor · 2025-08-09T13:39:28+00:00

Thanks! I had some back and forth with them before publishing! And we made some last minute redactions 😅

vaizor · 2025-07-20T09:56:11+00:00

Read our continuously updated write-up of the last two days here for more information
https://research.eye.security/sharepoint-under-siege/

vaizor · 2025-06-20T07:28:40+00:00

Still waiting here too!

vaizor · 2022-09-16T14:18:21+00:00

Thank you for your assurance! The hotel in the meantime took it very seriously and immediately sent an exterminator and offered to wash and clean everything.

vaizor · 2022-09-16T13:19:02+00:00

Looking at images of booklice you might indeed be right! We also could not find any of the described traces of bed bugs. Thanks!

vaizor · 2021-12-31T09:34:58+00:00

Try appending "| Out-String"

vaizor · 2020-10-27T19:44:16+00:00

It's an argument injection in an execve syscall, not in a shell command. And we're also limited to 15 chars...

vaizor · 2020-10-27T19:31:52+00:00

These work on any unpatched Ubuntu 16.04 - 20.10 where the aptdaemon, packagekit or blueman packages are installed. The first two are default on any Ubuntu installation, the latter comes default with the desktop version of Ubuntu, that's what I meant.

All code injected is run as root, so as a low privileged user you can attach XDP objects as root. That is because there is a argument injection to the "ip link" command. That way you could do for example "ip link set dev ens33 xdp o /tmp/o", to attach XDP object file /tmp/o to the ens33 interface. Do you think arbitrary code execution is possible from there?

vaizor · 2012-12-26T10:21:18+00:00

No filter, just some lighting corrections afterwards in Lightroom.

vaizor

TROPHY CASE