Clash Verge Local Privilege Escalation Vulnerability via Unauthorized HTTP API
Vulnerability
A local privilege escalation vulnerability has been identified in Clash Verge versions through 2.2.3. The issue arises from clash-verge-service, which is installed by default, runs with elevated privileges, and exposes an HTTP API endpoint, '/start_clash', that performs no authentication of the caller. The endpoint accepts an arbitrary 'bin_path' parameter from any local user and launches the file it names with the service's own privileges, so a low-privileged local user can run code of their choosing as the service account.
Impact
Successful exploitation gives a local user the privileges of clash-verge-service, which in the default installation means arbitrary command execution with elevated privileges; the attacker needs only an existing local account that can reach the service's loopback port.
Reproduction
The vulnerability can be reproduced by sending an unauthenticated HTTP POST to the '/start_clash' endpoint on '127.0.0.1:33211', the loopback address and port on which clash-verge-service listens. The JSON body must set 'bin_path' to an attacker-controlled script or binary, together with the other parameters the service expects for a start request. When the service processes the request it launches the file named by 'bin_path' with its own elevated privileges, so the requesting user obtains that level of access. Because the listener is bound to loopback, no network exposure is involved; any local account able to open a TCP connection to 127.0.0.1 can reach it.
Remediation
Users are advised to update to the latest version of Clash Verge, which must be a release later than 2.2.3, the last affected version. Where an upgrade cannot be applied immediately, stopping or uninstalling clash-verge-service removes the exposed endpoint at the cost of the functionality that depends on the service (an interim mitigation suggested here, not one stated by the vendor). After updating, confirm that an unauthenticated POST to '/start_clash' on 127.0.0.1:33211 is no longer accepted.
