AnyDesk 9.0.1 - Unquoted Service Path

vendor:

AnyDesk

by:

Parastou Razi

6.1

CVSS

HIGH

Unquoted Service Path

428

CWE

Product Name: AnyDesk

Affected Version From: 9.0.1

Affected Version To: 9.0.1

Patch Exists: NO

Related CWE:

CPE: a:anydesk:anydesk:9.0.1

Metasploit:

Other Scripts:

Platforms Tested: Windows 11 x64

2024

AnyDesk 9.0.1 – Unquoted Service Path

AnyDesk version 9.0.1 installs a service with an unquoted service path that runs with SYSTEM privileges. This vulnerability could allow a local user with lower privileges to execute arbitrary code with elevated privileges on the system.

Mitigation:

To mitigate this issue, the vendor should quote the service path during installation to prevent the possibility of privilege escalation.

Source

Exploit-DB raw data:

# Exploit Title: AnyDesk 9.0.1 - Unquoted Service Path
# Date: 2024-12-11
# Exploit Author: Parastou Razi
# Contact: razi.parastoo@gmail.com
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 9.0.1
# Tested on: Windows 11 x64

1. Description:

The Anydesk installs as a service with an unquoted service path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

C:\>sc qc anydesk --service
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
--service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem