- rustdesk
- remote-desktop
- relay
- exploitarium
news
RustDesk Session Downgrade + FileTransfer Scope Bypass
Relay can force non-secure session after auth; FileTransfer-authorized sessions reach screen/input handlers gated only by broad authorized flag.
Summary
A relay can force a non-secure session after authentication, and FileTransfer-authorized sessions can reach screen and input handlers that are gated only by a broad authorized flag. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | rustdesk/rustdesk @ ff226f6d8013 |
| Primitive | Missing signed peer key fail-open + authorized vs connection-type check gap |
| Impact | Malicious relay injects control messages; FileTransfer session exceeds intended scope. |
Attack Chain
Strip signed_id_pk → plaintext relay → inject MouseEvent OR FileTransfer auth → screen handlers
Mitigation
Use a trusted rendezvous; harden the secure session so that it fails closed; enforce authorization per connection type.
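
A sketch of the last two mitigations, added here as an illustration and not taken from RustDesk's code: session setup that fails closed when the signed peer key is absent, and a handler check keyed on the authenticated connection type. Every type and function name, the message allowlist and the `verify` callback are assumptions.

```rust
// Illustrative only: all names here are hypothetical, not RustDesk's.
#[derive(Clone, Copy)]
enum ConnType { RemoteDesktop, FileTransfer }

#[allow(dead_code)]
enum Msg { MouseEvent, KeyEvent, ScreenRequest, FileAction }

#[derive(Debug, PartialEq)]
enum Deny { NotAuthorized, OutOfScope, MissingSignedKey, BadSignature }

struct Session { authorized: bool, conn_type: ConnType }

/// Fail closed: a missing, empty or unverifiable signed peer key aborts
/// setup instead of falling back to a non-secure session.
/// `verify` stands in for the real signature check (assumption).
fn establish_secure(
    signed_id_pk: Option<&[u8]>,
    verify: impl Fn(&[u8]) -> bool,
) -> Result<(), Deny> {
    match signed_id_pk {
        None => Err(Deny::MissingSignedKey),
        Some(k) if k.is_empty() => Err(Deny::MissingSignedKey),
        Some(k) if !verify(k) => Err(Deny::BadSignature),
        Some(_) => Ok(()),
    }
}

/// Each message is checked against the connection type that was
/// authenticated; the broad `authorized` flag alone is not sufficient.
fn authorize(s: &Session, m: &Msg) -> Result<(), Deny> {
    if !s.authorized {
        return Err(Deny::NotAuthorized);
    }
    // Allowlist per connection type (assumed mapping); default is deny.
    let allowed = match (s.conn_type, m) {
        (ConnType::RemoteDesktop, Msg::MouseEvent | Msg::KeyEvent | Msg::ScreenRequest) => true,
        (ConnType::FileTransfer, Msg::FileAction) => true,
        _ => false,
    };
    if allowed { Ok(()) } else { Err(Deny::OutOfScope) }
}

fn main() {
    let ft = Session { authorized: true, conn_type: ConnType::FileTransfer };
    let rd = Session { authorized: true, conn_type: ConnType::RemoteDesktop };
    println!("{:?}", authorize(&ft, &Msg::MouseEvent)); // input on a file-transfer session
    println!("{:?}", authorize(&rd, &Msg::MouseEvent));
    println!("{:?}", establish_secure(None, |_| true)); // stripped key
}
```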