-
Bug Description

Hello ... I've executed the Windows-Installer in a sandbox and examined the extracted-files (also the temp-files) and did a tiny check of the used certificates and the signed files and found some strange issues with the certificate-structure of this project:

Strange installation of ROOT-CERTIFICATE in ROOT-store

The certificate (fingerprint: d1dbb672d5a500b9809689caea1ce49e799767f0), that will be used to install and sign the driver under Windows ("rustdeskidddriver.cat") seems to be strange. It is a self-signed test-certificate by an anonymous id: "WDKTestCert admin,133225435702113567" that will not use a trusted ROOT-CA and only uses SHA-1 with RSA 2048 (weak) with a timed validity of !! 10 Years !!, much too long for this weak algo !

The fact, that this certificate will be installed in the SYSTEM ROOT-CERTSTORE is probably associated with a high risk ...

Also the certificate, that signed the installed driver-dll "RustDeskIddDriver.dll" is not the same as the certificate, that created / signed the catalog-file above:

This certificate was issued by "Sectigo Public Code Signing Root R46" ...

How to Reproduce

Check used certfile "RustDeskIddDriver.cer" of the installer and certificate of signed dll "RustDeskIddDriver.dll".

Expected Behavior

Usage of valid software-signatures, issued by a trusted ROOT-CA with "secure" algorithms for driver-installation and code-signing.

Operating system(s) on local side and remote side

Windows 10

RustDesk Version(s) on local side and remote side

1.2.3

Screenshots

"RustDeskIddDriver.cer", RustDesk_install.bat, "RustDeskIddDriver.dll", "rustdeskidddriver.cat"

Additional Context

No response
Replies: 14 comments 54 replies
-
I actually ended up here from searching online, after seeing this weird Cert, but mine was in Chinese.
-
I'm seeing this discussion spread over the internet like wildfire but, when I checked, the certificate only had an EKU for Code signing and KU for Key Encipherment and Data Encipherment; this is what I would expect to see from a certificate used for the stated purposes. TLS stacks (e.g. SChannel) should be adhering to those KUs/EKUs; "Enabled for All Purposes" implies "-that are listed in KUs/EKUs". Regardless though, I think a certificate being pushed to end users should clearly identify itself and not use SHA-1; that should be rectified.
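The checks from the bug description and the KU/EKU comment above, as an added PowerShell example that is not part of the original thread or of RustDesk's code: it looks in the machine ROOT store for the reported thumbprint or a "WDKTestCert" subject and prints the signature algorithm, key size, validity period, KU and EKU. Also checking the TrustedPublisher store is an assumption, as is the function name `Get-CertTraits`.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: audit machine trust stores for the certificate described in this thread.
# The thumbprint and the "WDKTestCert" subject come from the bug description above.
$ReportedThumbprint = 'D1DBB672D5A500B9809689CAEA1CE49E799767F0'
$Sha1RsaOid         = '1.2.840.113549.1.1.5'   # sha1WithRSAEncryption
# Assumption: TrustedPublisher is checked too; the thread itself only mentions ROOT.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'

# Hypothetical helper: summarise the traits the thread argues about for one certificate.
function Get-CertTraits {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Store
    )
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)   # $null for non-RSA keys

    [pscustomobject]@{
        Store      = $Store
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        SelfSigned = $Cert.Subject -eq $Cert.Issuer
        Sha1Rsa    = $Cert.SignatureAlgorithm.Value -eq $Sha1RsaOid
        RsaBits    = if ($rsa) { $rsa.KeySize } else { $null }
        ValidYears = [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25, 1)
        KeyUsage   = if ($ku) { $ku.KeyUsages.ToString() } else { '(no KU extension)' }
        EKU        = if ($eku) {
            ($eku.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) [$($_.Value)]" }) -join '; '
        } else { '(no EKU extension)' }
    }
}

# Walk each store and keep only entries matching the reported thumbprint or subject.
$hits = foreach ($path in $Stores) {
    Get-ChildItem -Path $path |
        Where-Object { $_.Thumbprint -eq $ReportedThumbprint -or $_.Subject -like '*WDKTestCert*' } |
        ForEach-Object { Get-CertTraits -Cert $_ -Store $path }
}

if ($hits) { $hits | Format-List } else { 'No matching certificate in the checked stores.' }
```

The KeyUsage and EKU fields let you confirm for yourself what the certificate is constrained to before deciding how to treat it.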
-
Ok, we will remove this idd driver since it brings such big trouble. Some functions (virtual display, privacy mode etc) will be lost.
-
This is the current behavior, but it cannot stop a thread like this.
-
This driver which is only signed with the Test-Certificate also leads to issues with ESET for example. ESET detects the RustDeskIddDriver.dll under %LOCALAPPDATA%\rustdesk\RustDeskIddDriver as Suspicious Object, moves it to the Quarantine and warns the user about it.
-
I'm using this on an internal LAN (no risks of exploiting) where I don't care about this vulnerability but the feature is essential for me / "I accept the risks". Very disappointed to install the latest nightly and the feature is gone, and sadly I replaced the old installer binary. Can someone please share a nightly build from 18 February 2024 or thereabout? I have a build from Dec 2023 but I would prefer a more recent build. Thanks
-
Update: we have got EV, now we are waiting for the Microsoft hardware developer account to be ready. @microsoft needs to verify the company profile and domain again; the process is very slow.
-
Thank you all for your support!
-
Update: https://twitter.com/rustdesk/status/1770983662571733227
-
Hi! This bug is still present in a way! It could be concerning for users as Google Translate is this for that Chinese text:
-
You can check in a freshly installed VM whether RustDesk really is responsible for that Chinese certificate!
-
Update, still no progress, you can email or call this @microsoft support if you want to help.
-
Update: https://twitter.com/rustdesk/status/1781263566504653052
Fixed in the latest release by removing our virtual display driver and cert, https://github.com/rustdesk/rustdesk/releases/latest. It will be restored once we get an EV, 1 month or more. Thanks to everyone who is giving help on EV.