DeskTime Time Tracking App Missing TLS Certificate Validation Leading to Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the DeskTime Time Tracking App, affecting versions prior to 1.3.674. The issue arises from improper validation of TLS certificates, allowing attackers to intercept update requests and deliver malicious executables. This exploitation results in user-level remote code execution on the affected client.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the client machine, with the executed code running under the user's privileges.

Reproduction

To reproduce this vulnerability, modify the hosts file to redirect 'desktime.com' to localhost. Then create a listener in Burp Proxy on port 443 with 'Force use of TLS' and 'Invisible Proxy support' enabled, and set up a DNS override in Burp to resolve 'desktime.com' to its real IP. When the DeskTime application checks for updates, its request passes through the Burp Proxy, where the response can be manipulated to include a malicious executable. Because the client does not reject the proxy's certificate, it downloads and executes that file, demonstrating the vulnerability.

Remediation

Users can update to DeskTime version 1.3.674, which addresses this vulnerability.
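As an added, defender-side illustration (not code from DeskTime or from this advisory), the following Python shows the two checks an auto-updater needs to close this class of bug: a TLS context that actually verifies the certificate chain and hostname, and a digest check on the downloaded artifact before it is ever executed. The update URL, `SAMPLE_UPDATE` and `SAMPLE_DIGEST` are constructed placeholders, and the `opener` parameter exists only so the policy can be exercised offline.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Constructed sample: a stand-in update binary and the digest the client would
# have been shipped with out of band (this is sha256(b"hello")).
SAMPLE_UPDATE = b"hello"
SAMPLE_DIGEST = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

def hardened_ssl_context() -> ssl.SSLContext:
    """Chain verification against the system trust store plus hostname checking:
    a proxy presenting its own certificate for the update host fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def verify_artifact(payload: bytes, expected_sha256: str) -> bool:
    """Second layer: the download must match a digest known before the download,
    so even a transport compromise cannot swap in a different binary."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def download_update(url: str, expected_sha256: str, opener=None) -> bytes:
    """Fetch only over HTTPS with a verifying context; refuse any payload whose
    digest does not match. `opener` is injectable so the policy runs offline."""
    if not url.lower().startswith("https://"):
        raise ValueError("update URL must use https")
    if opener is None:
        ctx = hardened_ssl_context()
        def opener(u):  # real network path, used when no opener is injected
            with urllib.request.urlopen(u, context=ctx, timeout=30) as resp:
                return resp.read()
    payload = opener(url)
    if not verify_artifact(payload, expected_sha256):
        raise RuntimeError("update digest mismatch; refusing to install")
    return payload

def fetch_outcome(url: str, served: bytes) -> str:
    """Exercise the policy against a fake server returning `served`."""
    try:
        download_update(url, SAMPLE_DIGEST, opener=lambda u: served)
        return "accepted"
    except RuntimeError:
        return "rejected-digest"
    except ValueError:
        return "rejected-scheme"
```

With the real `opener`, a certificate that does not chain to a trusted root or does not match the update host makes `urlopen` raise during the handshake, so the response body is never read.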

Added: Apr 28, 2026, 9:39 AM
Updated: Apr 28, 2026, 9:39 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.6
remediation: 0.0
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.