Reolink Desktop Application Local Authentication Bypass Vulnerability

A local authentication bypass vulnerability has been identified in the Reolink desktop application version 8.18.12. The issue arises from the application's lock screen password mechanism, which is implemented entirely on the client side using JavaScript. The password is stored in a modifiable JavaScript property, allowing an attacker to alter the return value and bypass authentication. This vulnerability grants full access to the application interface and settings.

Impact

Exploitation of this vulnerability allows local attackers to bypass the application's lock screen password, gaining unrestricted access to the application's interface and settings.

Reproduction

The vulnerability can be reproduced by modifying the JavaScript file that contains the lock screen password logic. After patching the file to change the password return value to an empty string and saving the changes, the application can be restarted. This process removes the password prompt, effectively bypassing the lock screen authentication.

Remediation

It is recommended that the application code be packaged into an ASAR archive and that an integrity verification process be implemented at startup to check the ASAR file's hash value or signature. Any tampered application should be blocked from execution.