Background
Clash for Windows is an excellent open-source project. An RCE vulnerability in it was recently disclosed: https://github.com/Fndroid/clash_for_windows_pkg/issues/2710.
So I decided to analyse its XSS-to-RCE chain, focusing on the XSS part. Because the code is obfuscated and the chain passes through many Vue core function calls, the analysis was rather painful.
In any case, the full picture of the call chain was eventually worked out, including why the old version 0.19.8 is vulnerable and how the new version 0.19.9 defends against and fixes the problem.
For certain reasons, the details are not expanded here.
Analysis of the call logic from the business layer down to the Vue core
Appendix
0.19.8 RCE Call Stack
onerror (index.html:1)
error (async)
Kn (renderer.js:formatted:43528) cbs.create[i](emptyNode, vnode)
v (renderer.js:formatted:43907) invokeCreateHooks (vnode, insertedVnodeQueue)
h (renderer.js:formatted:43879)
f (renderer.js:formatted:43896)
h (renderer.js:formatted:43878)
f (renderer.js:formatted:43896) insert(parentElm, vnode.elm, refElm)
h (renderer.js:formatted:43878) createElm (vnode,insertedVnodeQueue, parentElm,refElm,nested,ownerArray,index)
(anonymous) (renderer.js:formatted:44059) patch (oldVnode, vnode, hydrating, removeOnly)
_update (renderer.js:formatted:42772) function lifecycleMixin (Vue) -> Vue.prototype._update = function (vnode, hydrating)
e (renderer.js:formatted:44433) Vue.prototype.$mount = function ( -> function mountComponent ( --> vm._update(vm._render(), hydrating);
ri.get (renderer.js:formatted:42387)
    get () {
      pushTarget(this)
      let value
      const vm = this.vm
      try {
        value = this.getter.call(vm, vm) ---> Vue.prototype.$mount
      } catch (e) {
        if (this.user) {
          handleError(e, vm, `getter for watcher "${this.expression}"`)
        } else {
          throw e
        }
      } finally {
        // "touch" every property so they are all tracked as
        // dependencies for deep watching
        if (this.deep) {
          traverse(value)
        }
        popTarget()
        this.cleanupDeps()
      }
      return value
    }
ri (renderer.js:formatted:42380)
Ci.$mount (renderer.js:formatted:44436)
Ci.$mount (renderer.js:formatted:45552)
init (renderer.js:formatted:42009)
(anonymous) (renderer.js:formatted:43858)
h (renderer.js:formatted:43874)
f (renderer.js:formatted:43896)
h (renderer.js:formatted:43878)
f (renderer.js:formatted:43896)
h (renderer.js:formatted:43878)
(anonymous) (renderer.js:formatted:43990)
C (renderer.js:formatted:43993)
(anonymous) (renderer.js:formatted:44063)
_update (renderer.js:formatted:42772)
e (renderer.js:formatted:44433)
ri.get (renderer.js:formatted:42387)
ri.run (renderer.js:formatted:42441)
ni (renderer.js:formatted:42324)
(anonymous) (renderer.js:formatted:41609)
Xe (renderer.js:formatted:41602)
Promise.then (async)
$e (renderer.js:formatted:41627)
Qe (renderer.js:formatted:41618)
(anonymous) (renderer.js:formatted:42434)
ri.update (renderer.js:formatted:42436)
de.notify (renderer.js:formatted:41200)
set (renderer.js:formatted:41342)
si.set (renderer.js:formatted:42478)
handleItemSelect (renderer.js:formatted:128225)
click (renderer.js:formatted:128267)
We (renderer.js:formatted:41574)
i (renderer.js:formatted:41687)
t._wrapper (renderer.js:formatted:43459)
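The stack above ends in Vue's invokeCreateHooks (cbs.create[i]) and an inline onerror handler, so the sink is reached while Vue creates an element from a vnode. The JavaScript below is an added illustration, not code from Clash for Windows or from the original post. It models that last step as a string renderer (no DOM, runs under Node) using this example's own names (createElm, renderName, findInlineHandlers, safeAttrs, all assumptions, not Vue internals) and a constructed sample item name. It shows why a text binding neutralises the same string that v-html hands to the parser verbatim, why attacker-chosen attribute names are a second sink of the same kind, and gives a check that flags inline on* handlers in rendered markup.

```javascript
// Added example; not code from the Clash for Windows project or the original post.
// Node.js, no DOM: a string renderer stands in for the real DOM patch step that
// the appendix trace reaches via createElm -> invokeCreateHooks -> cbs.create[i].
// All function names here are this example's own, modelled on Vue's shape.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Attribute-name guard for the attrs create hook: a v-bind object whose keys
// come from untrusted data can register a handler via setAttribute('onerror', ...)
// even when every value is escaped, so handler names are dropped, not escaped.
function safeAttrs(attrs) {
  return Object.fromEntries(Object.entries(attrs).filter(([k]) => !/^on/i.test(k)));
}

// createElm: mirrors the three create-hook sinks that matter for XSS.
// - text vnode : becomes a text node; markup inside it is never parsed
// - attrs hook : attribute names filtered, values escaped
// - domProps   : innerHTML is handed to the parser verbatim (this is v-html)
function createElm(vnode) {
  if (vnode.text !== undefined) return escapeHtml(vnode.text);
  const attrs = Object.entries(safeAttrs(vnode.attrs || {}))
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
  const html = vnode.domProps && vnode.domProps.innerHTML;
  const inner = html !== undefined ? html : (vnode.children || []).map(createElm).join('');
  return `<${vnode.tag}${attrs}>${inner}</${vnode.tag}>`;
}

// Two ways a component might render a user-supplied item name.
function renderName(name, mode) {
  if (mode === 'text') {            // template: {{ name }}
    return createElm({ tag: 'span', children: [{ text: name }] });
  }
  if (mode === 'html') {            // template: v-html="name"
    return createElm({ tag: 'span', domProps: { innerHTML: name } });
  }
  throw new Error('unknown mode: ' + mode);
}

// Defender check: does serialized markup carry inline event-handler attributes
// (on*=...)? That is exactly what fired in the trace (onerror at index.html:1).
const INLINE_HANDLER = /<[a-z][^>]*\s(on[a-z]+)\s*=/gi;
function findInlineHandlers(markup) {
  const found = [];
  for (const m of markup.matchAll(INLINE_HANDLER)) found.push(m[1].toLowerCase());
  return found;
}

// Constructed sample: an item name that carries markup with an onerror attribute.
const SAMPLE_NAME = '<img src=x onerror="/* handler */">';

function demo() {
  const unsafe = renderName(SAMPLE_NAME, 'html');
  const safe = renderName(SAMPLE_NAME, 'text');
  return {
    unsafe,
    safe,
    unsafeHandlers: findInlineHandlers(unsafe),   // ['onerror']
    safeHandlers: findInlineHandlers(safe),       // []
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

findInlineHandlers is a heuristic over serialized markup, useful as a regression test on a component's output; the actual defence is the binding choice (text interpolation, or an allow-listed attribute object) rather than scanning after the fact.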
Originally published on the WeChat official account (Art Of Hunting): [AOH 011] ClashForWindows RCE chain deep analysis