CVE in SpaceDesk

[danchik]

Hi!

I found some intresting issues in SpaceDesk Driver and in a Android mobile application. Some of them I registered as CVE.
I wrote an email 2 month ago (Apr 3, 2024) to xxx@spacedesk.net (email removed by forum admin) and xxx@datronicsoft.com.ph (email removed by forum admin) about this problems but I have not get any response.

Dear SpaceDesk team, please, contact me here or an email dahchik1155@gmail.com

• 该话题由spacedesk Marcel 于 4月、 1周前 修正。

[spacedesk Marcel]

To obtain a response, use our official free support forum instead of spamming aritrary corporate email addresses!

We consider your approach as spam. We do not discuss any of your “interesting issues” with unknown individuals from alledged companies without corporate email or corporate web address. Googling your corporate name only leads to an unknown company alledgedly founded three years ago in a very small tax haven country.

If you register your “interesting issues” as CVEs, then we will deal with them publicly.

PS: Hacking our licensing is neither a vulnerability, nor very difficult, nor anything worth mentioning: Anyway our licensing is mostly volontary relying on responsibiliy and honesty of business users.

[danchik]

Marcel, thanks for your reply!

I used an email just to communicate confidentially about that research. Sorry, if that wasn’t the correct way.

Now I have a question regarding the situation that I mentioned in my email. Are you going to add a passphrase to the Community License? That could save your users from arbitrary code execution vulnerability in SpaceDesk Driver. To make CVE public I must be shure that you already fixed vulnerability or won’t fix it

Also have a question about Mobile App. Do you need a recomendations or something like that? I can send the Proof-Of-Concept if that needed to fix it.

Contact me an email if you need proof or any else information, I just would like to help you with that issues.

[spacedesk Marcel]

Arbitrary Code Execution (ACE) vulnerability has ABSOLUTELY NOTHING to do with presence of a passphrase. A simple Google search will help you understand…

Now you have exposed publicly that you do not know what you are talking about.

Furthermore, you should have better learned about our product first before making unfunded claims:
SPACEDESK DOES NOT WORK OVER THE INTERNET!
Guess how that relates to your allegations about internet security…

Shut up or say something reasonable!
Otherwise I will classify you as spam and block you.

[danchik]

Please, keep calm.

Firstly I should say that it is not a claims. I just would like to help with the security issues

Sorry, may be it was a miss communiaction. In the previous post, by “passphrase” I meant Password Protection, which is already included in the Commercial License.
Password could solve the problem. Existing Password for connection (like in a Commercial License) protect from outside an unconfirmed connection. So intruder can not connect and execute code (ACE). That is how connected code execution and Password Protection

In a local networks Intruder could use that vulnerability to gain access for the system with SpaceDesk Driver if Password is not set

I hope you understand, I created this post out of the best intentions

[spacedesk Marcel]

spammer blocked

[spacedesk Marcel]

For all those people who are thinking that I treated him too harshly:

1. Above he falsely claimed that he DID register CVEs (not true – he didn’t).
2. Above he contradicts his own previous post. He says that he ONLY WANTS to register these CVEs.
3. Above he confuses people about (ACE) vulnerabilities when none have ever been discovered.
4. Worse: Wants to CVE register ACE vulnerabilities without any indicator for their existence.
5. Worst: He connects password protection to non existing ACE vulnerability issues.
Can anybody see any good intentions here?

PS: If you think this is already bad, then you haven’t read his emails yet…

[作者]

帖子