PoC Exploit Released for AnyDesk Vulnerability Exploited to Gain Admin Access Via Wallpapers
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A recently disclosed vulnerability in AnyDesk, a popular remote desktop software, identified as CVE-2024-12754, enables local attackers to exploit the handling of Windows background images to gain unauthorized access to sensitive system files.
This could potentially escalate their privileges to administrative levels, posing a significant threat to system security.
The vulnerability has been categorized under CWE-59 (Improper Link Resolution Before File Access) and assigned a CVSS score of 5.5 (Medium), indicating its potential to cause confidentiality breaches.
A proof-of-concept exploit has been disclosed, showing how attackers can take advantage of this vulnerability.
AnyDesk Local Privilege Escalation Vulnerability
According to cybersecurity researcher Naor Hodorov, the flaw lies in how AnyDesk processes desktop background images during session initialization.
When a session starts, AnyDesk copies the current desktop wallpaper into the C:\Windows\Temp directory.
This operation is executed by the AnyDesk service running under the NT AUTHORITY\SYSTEM account, which has elevated privileges.
Attackers with low privileges can manipulate this process by pre-creating files in the C:\Windows\Temp directory or leveraging symbolic links (junctions). Here’s how the attack works:
When AnyDesk copies the desktop wallpaper, the copied file retains the ownership and permissions of the SYSTEM account. This makes the copied file inaccessible to low-privileged users by default.
Attackers create a junction (a type of symbolic link) that redirects AnyDesk’s file copy operation to sensitive directories like \Device\HarddiskVolumeShadowCopy1\Windows\System32\CONFIG.
This allows attackers to gain access to critical files such as SAM (Security Account Manager), SYSTEM, and SECURITY.
Proof-of-Concept (PoC) Exploit
A PoC exploit has been released, demonstrating how attackers can leverage this vulnerability.
The exploit involves manipulating file operations using reparse points in Windows Object Manager Namespace (OMNS) directories such as \RPC Control.
The PoC demonstrates successful exploitation, in which sensitive files are accessed and restored after an oplock (opportunistic lock) is triggered.
Recommendation
To address this vulnerability, AnyDesk has released a patch in version 9.0.1 and later. Users are strongly advised to update their software immediately.
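A host-side check for the conditions described above, added here as an example and not taken from the article, the researcher or AnyDesk: it compares the installed AnyDesk service binary against the fixed version 9.0.1 and lists reparse points at the top level of C:\Windows\Temp. Locating the service by an image path containing "AnyDesk" is an assumption, and the script should be run from an elevated PowerShell prompt.

```powershell
# Added example: host check for CVE-2024-12754 exposure. Run elevated.
param(
    [version]$FixedVersion = '9.0.1',       # first patched release, per the article
    [string]$TempDir = 'C:\Windows\Temp'    # directory named in the article
)

function Get-AnyDeskService {
    # Assumption: the service image path contains "AnyDesk" (service name not hard-coded).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'AnyDesk' } |
        ForEach-Object {
            # PathName looks like: "C:\...\AnyDesk.exe" --service (quotes are optional)
            if ($_.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)') {
                [pscustomobject]@{ Name = $_.Name; Account = $_.StartName; Exe = $Matches['exe'] }
            }
        }
}

# 1. Is the installed service binary older than the fixed version?
$versionFindings = foreach ($svc in Get-AnyDeskService) {
    $vi = (Get-Item -LiteralPath $svc.Exe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    [pscustomobject]@{
        Check  = 'AnyDesk version'
        Item   = $svc.Exe
        Detail = "v$installed, service account: $($svc.Account)"
        Flag   = $installed -lt $FixedVersion
    }
}
if (-not $versionFindings) { Write-Warning 'No service with AnyDesk in its image path was found.' }

# 2. Junctions or symlinks at the top level of the temp directory (not recursive,
#    so the scan itself never follows a link).
$linkFindings = Get-ChildItem -LiteralPath $TempDir -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Check  = 'Reparse point in temp dir'
            Item   = $_.FullName
            Detail = "$($_.LinkType) -> $($_.Target), created $($_.CreationTime.ToString('s'))"
            Flag   = $true
        }
    }

# Drop empty results, then print one table; Flag = True marks rows that need follow-up.
@($versionFindings) + @($linkFindings) | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

A reparse point in the temp directory is not proof of exploitation on its own; treat a flagged row as a lead to review alongside the version result.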
The discovery of CVE-2024-12754 highlights the evolving sophistication of local privilege escalation techniques that exploit seemingly innocuous features like desktop background images.
While AnyDesk has acted swiftly by issuing patches, this incident underscores the importance of proactive security measures and vigilance against emerging threats.
Organizations must remain alert and adopt robust security practices to mitigate similar vulnerabilities in the future.