AUK9527 / Are-u-ok


OpenClash's .run file may contain a backdoor #180

Closed q514849152 closed 1 month ago

q514849152 commented 1 month ago

After installing this project's OpenClash .run plugin on a stock official iStoreOS, within 1-10 minutes of configuring a subscription the subscription URL gets fetched by other machines; whether anything else is being done I don't know. The IP addresses fetching the subscription are mostly concentrated in Jiangsu. With stock official iStoreOS and the original OpenClash, the link does not get fetched by machines elsewhere after the subscription link is configured. Everyone please check carefully.

bcseputetto commented 1 month ago

All I can say is that's quite an imagination. This project's OpenClash .run package was packaged by me, and the contents of the .run package are as follows: one ipk from the official OpenClash project, three versions of the Clash core, and an install script, install.sh. Below is a verification comparing the hash of the OpenClash ipk extracted from the .run package with the hash of the ipk downloaded from the OpenClash project.

root@iStoreOS:~# wget https://github.com/AUK9527/Are-u-ok/raw/main/x86/all/OpenClash_0.46.003+x86_64_core.run
--2024-06-03 03:27:11--  https://github.com/AUK9527/Are-u-ok/raw/main/x86/all/OpenClash_0.46.003+x86_64_core.run
Resolving github.com... 20.27.177.113
Connecting to github.com|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/AUK9527/Are-u-ok/main/x86/all/OpenClash_0.46.003%2Bx86_64_core.run [following]
--2024-06-03 03:27:11--  https://raw.githubusercontent.com/AUK9527/Are-u-ok/main/x86/all/OpenClash_0.46.003%2Bx86_64_core.run
Resolving raw.githubusercontent.com... 185.199.108.133
Connecting to raw.githubusercontent.com|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21862953 (21M) [application/octet-stream]
Saving to: 'OpenClash_0.46.003+x86_64_core.run'

OpenClash_0.46.003+x86_64_core.run   100%[=====================================================================>]  20.85M  11.3MB/s    in 1.8s

2024-06-03 03:27:15 (11.3 MB/s) - 'OpenClash_0.46.003+x86_64_core.run' saved [21862953/21862953]

root@iStoreOS:~# sh OpenClash_0.46.003+x86_64_core.run --noexec --target ./openclashrun
Creating directory ./openclashrun
Verifying archive integrity...  100%   MD5 checksums are OK. All good.
Uncompressing luci-app-openclash_with_clash_core  100%
root@iStoreOS:~# cd openclashrun/
root@iStoreOS:~/openclashrun# ll -h
drwx------    2 root     root        4.0K Jun  3 03:27 ./
drwxr-xr-x    1 root     root        4.0K Jun  3 03:27 ../
-rwxr-xr-x    1 seputett 1000        2.8M Sep 12  2023 clash*
-rwxr-xr-x    1 seputett 1000        7.2M Mar  9 04:08 clash_meta*
-rwxr-xr-x    1 seputett 1000        5.4M Jan 31 06:05 clash_tun*
-rwxr-xr-x    1 seputett 1000         305 Mar 12 11:19 install.sh*
-rw-r--r--    1 seputett 1000        5.4M Mar  9 12:29 luci-app-openclash_0.46.003-beta_all.ipk
root@iStoreOS:~/openclashrun# mv luci-app-openclash_0.46.003-beta_all.ipk luci-app-openclash_0.46.003-beta_all_runver.ipk
root@iStoreOS:~/openclashrun# wget https://github.com/vernesong/OpenClash/releases/download/v0.46.003-beta/luci-app-openclash_0.46.003-beta_all.ipk
--2024-06-03 03:29:00--  https://github.com/vernesong/OpenClash/releases/download/v0.46.003-beta/luci-app-openclash_0.46.003-beta_all.ipk
Resolving github.com... 20.27.177.113
Connecting to github.com|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/189256120/07561297-0dc7-4e20-a954-b0f493009d84?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240602%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240602T192900Z&X-Amz-Expires=300&X-Amz-Signature=e7db79d47aa0ae7f097661ad239f71f62c02e4f7d7979353920ea398c85f95f2&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=189256120&response-content-disposition=attachment%3B%20filename%3Dluci-app-openclash_0.46.003-beta_all.ipk&response-content-type=application%2Foctet-stream [following]
--2024-06-03 03:29:00--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/189256120/07561297-0dc7-4e20-a954-b0f493009d84?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240602%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240602T192900Z&X-Amz-Expires=300&X-Amz-Signature=e7db79d47aa0ae7f097661ad239f71f62c02e4f7d7979353920ea398c85f95f2&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=189256120&response-content-disposition=attachment%3B%20filename%3Dluci-app-openclash_0.46.003-beta_all.ipk&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com... 185.199.108.133
Connecting to objects.githubusercontent.com|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5668836 (5.4M) [application/octet-stream]
Saving to: 'luci-app-openclash_0.46.003-beta_all.ipk'

luci-app-openclash_0.46.003-beta_all 100%[=====================================================================>]   5.41M  11.4MB/s    in 0.5s

2024-06-03 03:29:01 (11.4 MB/s) - 'luci-app-openclash_0.46.003-beta_all.ipk' saved [5668836/5668836]

root@iStoreOS:~/openclashrun# md5sum ./*
b65006c26a9df0aadb7500dc5471dd83  ./clash
303a373d4b701b8b3d4c3d0a5a5bd9bb  ./clash_meta
1660ea58e85c98db9fd68bb0b96b7f8f  ./clash_tun
2b79cad5e93e8f44afed2db2a8de17af  ./install.sh
8f71516ea985adfc674c57a7601de991  ./luci-app-openclash_0.46.003-beta_all.ipk
8f71516ea985adfc674c57a7601de991  ./luci-app-openclash_0.46.003-beta_all_runver.ipk
root@iStoreOS:~/openclashrun#

As you can see, both ipks have the hash 8f71516ea985adfc674c57a7601de991.

Below is the content of the install.sh script:

root@iStoreOS:~/openclashrun# cat install.sh
opkg update
if [ $? -ne 0 ]; then
    echo "更新软件源列表错误,请检查路由器自身网络连接以及是否有失效的软件源。"
    exit 1
fi
opkg install luci-app-openclash_0.46.003-beta_all.ipk || exit 1
mv clash clash_meta clash_tun /etc/openclash/core/
/etc/init.d/network restart

Please check your own security measures, such as whether you have exposed the admin panel to the public internet.

bcseputetto commented 1 month ago

You can even verify this yourself; let me explain the steps in detail. Everything is done in the terminal.

Step 1: download this project's OpenClash .run package

wget https://github.com/AUK9527/Are-u-ok/raw/main/x86/all/OpenClash_0.46.003+x86_64_core.run

Step 2: unpack it directly into an openclash folder under the current path. Any .run package can be unpacked this way.

sh OpenClash_0.46.003+x86_64_core.run --noexec --target ./openclash

Step 3: move into the unpacked folder

cd openclash

Step 4: list the files in the current folder

ll -h

Step 5: rename the ipk extracted from the .run package, so it is easier to tell that it came from the .run package

mv luci-app-openclash_0.46.003-beta_all.ipk luci-app-openclash_0.46.003-beta_all_runver.ipk

Step 6: download the same version of the ipk file from the official OpenClash project

wget https://github.com/vernesong/OpenClash/releases/download/v0.46.003-beta/luci-app-openclash_0.46.003-beta_all.ipk

At this point the current folder contains six files: the Clash cores clash, clash_meta and clash_tun; the ipk files luci-app-openclash_0.46.003-beta_all_runver.ipk (extracted from the .run package) and luci-app-openclash_0.46.003-beta_all.ipk (downloaded from the official OpenClash project); and the install script install.sh.

Step 7: use the md5sum tool to compute the hashes of all files in the current folder

md5sum ./*

You can compare whether the hash of the ipk extracted from the .run package matches that of the ipk downloaded directly from the official OpenClash project. If you want to view the contents of install.sh, run

cat install.sh
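The comparison walked through above (unpack, hash every extracted file, compare with a trusted copy) can be automated. The following is an added example, not code from the thread or the project: it checks an extracted directory against a manifest of expected sums and flags changed, missing and unlisted files; the file names and hashes used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the project. Checks the files
# unpacked from a self-extracting .run (sh pkg.run --noexec --target DIR)
# against a manifest of expected sums, so a changed, missing or extra file
# stands out. The manifest uses md5sum output format ("<sum>  <name>"), e.g.
# "md5sum clash clash_meta clash_tun install.sh *.ipk > manifest.txt" run on
# files you trust. Set HASH_CMD=sha256sum to use SHA-256 instead of MD5.
HASH_CMD=${HASH_CMD:-md5sum}

# verify_extracted DIR MANIFEST: prints one status line per file and returns 0
# only when every listed file is present with the expected sum and DIR holds
# nothing else.
verify_extracted() {
    dir=$1 manifest=$2 rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING    $name"; rc=1; continue
        fi
        actual=$($HASH_CMD "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK         $name"
        else
            echo "MISMATCH   $name (expected $sum, got $actual)"; rc=1
        fi
    done < "$manifest"
    # A file the manifest does not list was not in the package you compared
    # against, so it needs explaining before anything gets installed.
    for f in "$dir"/*; do
        n=$(basename "$f")
        awk -v n="$n" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
            || { echo "UNEXPECTED $n"; rc=1; }
    done
    return $rc
}

# Constructed demo: a stand-in for an extracted directory, with one file
# changed after the manifest was written and one file that was never listed.
demo() {
    d=$(mktemp -d)
    printf 'opkg update\n' > "$d/install.sh"
    printf 'core-bytes\n' > "$d/clash"
    ( cd "$d" && $HASH_CMD install.sh clash ) > "$d.manifest"
    printf 'tampered\n' > "$d/clash"
    : > "$d/extra.bin"
    verify_extracted "$d" "$d.manifest" || echo "verification FAILED (as expected here)"
    rm -rf "$d" "$d.manifest"
}
demo
```

On a real package, point DIR at the `--target` directory from step 2 and build the manifest from the upstream ipk and core binaries you downloaded yourself.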

bcseputetto commented 1 month ago

A few more words. Thinking about it now, the fact that I did not compile OpenClash myself but used the official OpenClash project's ipk directly has turned out to be clear evidence that the ipk in the .run package and the official ipk are the same file. Had I rebuilt it from the official source myself, I probably could never have cleared my name...

This project's 0.46.003 was updated three months ago. The number of users of this project is not huge, but it is not small either, with 7.5k stars. If this project's OpenClash really had a backdoor that leaked subscription links, it would have blown up long ago during these three months; would it really have waited three months for you, a single user with a leaked subscription, to show up?

I am still providing new versions of the .run package to this project, but I do not have permissions on this repository, so I have to wait for the repository owner AUK9527 to merge the PRs; my own repository already provides the updated packages.

An upright person has nothing to fear from shadows. If you think there is a problem, you are free not to use it. I do not have permissions on this repository, so this issue may as well stay as it is. Everyone is welcome to take a look.

q514849152 commented 1 month ago

close