OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • rustdesk
  • remote-desktop
  • relay
  • exploitarium

news

RustDesk Session Downgrade + FileTransfer Scope Bypass

Relay can force non-secure session after auth; FileTransfer-authorized sessions reach screen/input handlers gated only by broad authorized flag.

Summary

Relay can force non-secure session after auth; FileTransfer-authorized sessions reach screen/input handlers gated only by broad authorized flag. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetrustdesk/rustdesk @ ff226f6d8013
PrimitiveMissing signed peer key fail-open + authorized vs connection-type check gap
ImpactMalicious relay injects control messages; FileTransfer session exceeds intended scope.

Attack Chain

Strip signed_id_pk → plaintext relay → inject MouseEvent OR FileTransfer auth → screen handlers

Mitigation

Use trusted rendezvous; harden secure session fail-closed; enforce per-connection-type authorization.

Related Signals

Sources

→ Source