Security issue - Bypass permissions #2680
Comments
Honestly, we know this flaw. But if you wanna modify security-related settings, you need administrative privilege (if installed). https://api.flutter.dev/flutter/widgets/FocusTraversalGroup-class.html
Thank you for the fast reply. Yes, this is true for Linux; unfortunately, on a stock Windows you only need to press 'yes' to grant admin permission. Today I tried to connect to a stable version (1.1.9), and the problem is not present.
I see your point. Though for Windows this only applies to an admin account. If you are using an admin account, then UAC will only ask you yes or no and will not ask for the password again (hell, for everything, not only RustDesk). When using a standard account, UAC will ask for a username and password.
I wanted to report this, but it looks like someone was first :-)
You can also use the cursor keys to move inside the RustDesk window, leaving the mouse cursor on the title bar. I have just tried it and it worked; I modified the config, avoiding the "greyout" of the RustDesk window.
Another bypass I just found: if you hover over the window, it will darken to prevent access. With your mouse over the window, press the Windows key to open the Start menu and you can now click any of the buttons on the window. Unhide password, 3 dot menu + enable remote config access, etc.
So maybe move the settings under a button in a popup window? So if you click it, you need UAC?
Really need this security feature?
Even if we fix the above, touch mode on mobile can still bypass this. We may remove this feature.
Hello,
I have been using nightly version 1.2.0 for some time now and I found this flaw that allows me to change the settings of the PC I connected to without having any permission (Enable remote configuration modification).
How to reproduce:
- You can now change any of the program settings.
Tested on both Windows and Linux.
I haven't tested the stable version.