AnyDesk Vulnerability

A recently disclosed vulnerability in AnyDesk, a widely used remote desktop software, has raised significant cybersecurity concerns. 

The vulnerability, identified as CVE-2024-12754 and tracked by the Zero Day Initiative as ZDI-24-1711, allows a local attacker to abuse AnyDesk's handling of the Windows desktop background image to read files that are normally restricted to administrators and, from there, escalate to administrative privileges.

The flaw is classified under CWE-59 (improper link resolution before file access) with a CVSS score of 5.5 (Medium). The score reflects that the bug itself requires local access and directly affects confidentiality only; the files it exposes are what make the further escalation possible.


The Vulnerability: Arbitrary File Read/Copy

According to the researcher, Naor Hodorov, the vulnerability resides in AnyDesk’s mechanism for handling background images during session initiation. 

Specifically, when a new session is initiated, AnyDesk copies the current desktop background image into the C:\Windows\Temp directory. 

AnyDesk copies the existing background image into C:\Windows\Temp\

This copy is performed by the AnyDesk service, which runs as NT AUTHORITY\SYSTEM, so the file operation executes with the highest local privileges.

File Copy performed by AnyDesk as NT AUTHORITY\SYSTEM

A low-privileged user can abuse this behaviour to obtain an arbitrary file read, in the form of a file copy performed as SYSTEM. Because the destination is C:\Windows\Temp\, a file created there by the service is owned by NT AUTHORITY\SYSTEM.

In addition, C:\Windows\Temp by default gives low-privileged users no read access to files they did not create themselves, so the copied file inherits the directory's DACL and is readable only by the Administrators group and NT AUTHORITY\SYSTEM.

Access is denied

On its own, therefore, the copy produces a SYSTEM-owned file that the low-privileged attacker cannot read.

The way around this is to pre-create a file with the expected name in C:\Windows\Temp before the copy is triggered. The service then overwrites the file's contents, but the file keeps the attacker's ownership and DACL, so the copied data becomes readable to the attacker.

By turning the source location into a directory junction (an NTFS reparse point, which a standard user can create without any special privilege) that points at a sensitive location such as \Device\HarddiskVolumeShadowCopy1\Windows\System32\CONFIG, the attacker redirects AnyDesk's copy to the registry hive files SAM, SYSTEM, and SECURITY. A Volume Shadow Copy is used because the live hives under C:\Windows\System32\config are exclusively locked while Windows is running; this part of the attack therefore depends on a shadow copy existing on the host.

Arbitrary File Read/Copy vulnerability

Exploitation for Local Privilege Escalation (LPE)

The attacker first creates the destination files in C:\Windows\Temp so that they are attacker-owned. Windows Object Manager namespace (OMNS) directories such as \RPC Control are then used to set up the redirection: a junction that points into \RPC Control combined with an object manager symbolic link placed there lets the attacker redirect an individual file path, not just a whole directory, which is a standard technique for steering a privileged process's file operations to an arbitrary object.

Initiating an AnyDesk session with the manipulated background image then forces the service to copy the sensitive system files into the attacker-readable destinations.

Once files like SAM (Security Account Manager) and SYSTEM are obtained, attackers can parse them to retrieve hashed credentials or machine keys, enabling administrative access, Hodorov said.

Exploitation requires local access with low privileges, but it can lead to high-impact outcomes such as credential theft and full system compromise.

To address this vulnerability, organizations and users should upgrade to AnyDesk version 9.0.1 or later, which patches the flaw.

Beyond patching, restrict what low-privileged users can write to shared directories such as C:\Windows\Temp where that is feasible, and monitor for junction or reparse point creation and for unexpected SYSTEM-level file copies in such directories. Note that creating directory junctions needs no special privilege on Windows (unlike symbolic links, which require SeCreateSymbolicLinkPrivilege), so junction abuse cannot simply be switched off; patching and detection are the realistic controls.
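The following PowerShell script is an added example for this article, not code from AnyDesk or from the researcher. It implements the two checks a Windows administrator would want after reading the above: whether the installed AnyDesk is below the fixed version 9.0.1, and whether C:\Windows\Temp shows the artefacts this technique leaves behind (reparse points whose targets lead to a shadow copy, a GLOBALROOT device path or the \RPC Control object directory, and files owned by non-privileged accounts). It also reports whether any Volume Shadow Copy exists, since the hive-read variant depends on one. The default install path and the set of "trusted" owners are assumptions; run it from an elevated prompt, and it is read-only.

```powershell
# Added example: post-disclosure checks for CVE-2024-12754 on a Windows host (read-only, run elevated).

$FixedVersion   = [version]'9.0.1'
$TempDir        = 'C:\Windows\Temp'
# Assumption: AnyDesk's default install location. Portable copies of AnyDesk live elsewhere.
$DefaultExePath = 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe'
# Assumption: owners considered normal for files the OS or installers drop into C:\Windows\Temp.
$TrustedOwners  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-AnyDeskVersionStatus {
    # Installed version from the Uninstall registry keys (64- and 32-bit views), falling back
    # to the product version stamped on the binary at the assumed default path.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'AnyDesk*' -and $_.DisplayVersion }
    $raw = if ($entries) { @($entries)[0].DisplayVersion }
           elseif (Test-Path -LiteralPath $DefaultExePath) {
               (Get-Item -LiteralPath $DefaultExePath).VersionInfo.ProductVersion
           }
    if (-not $raw) { return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $null } }
    # Keep the leading dotted-numeric part ("9.0.1" from "9.0.1 beta"); anything unparsable is "unknown".
    $ver = $null
    if ([version]::TryParse((($raw -split '[^\d.]')[0]), [ref]$ver)) {
        return [pscustomobject]@{ Installed = $true; Version = $ver; Vulnerable = ($ver -lt $FixedVersion) }
    }
    [pscustomobject]@{ Installed = $true; Version = $raw; Vulnerable = 'unknown' }
}

function Find-SuspiciousReparsePoints {
    param([string]$Path = $TempDir)
    # Junctions or symlinks at the top level of the temp directory (where the copy destination
    # lives) whose target leaves the ordinary file system view. Not recursed, to avoid junction loops.
    $pattern = 'HarddiskVolumeShadowCopy|GLOBALROOT|RPC Control|\\Device\\'
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $target = (@($_.Target) -join ';')   # string[] on PowerShell 5.1, string on 7+
            [pscustomobject]@{
                Path       = $_.FullName
                LinkType   = $_.LinkType
                Target     = $target
                Suspicious = [bool]($target -match $pattern)
            }
        }
}

function Find-UserOwnedTempFiles {
    param([string]$Path = $TempDir)
    # Files not owned by a privileged account: candidates for the "pre-created destination" trick.
    # Standard users may legitimately create files here, so treat this as a triage list, not proof.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try   { $owner = (Get-Acl -LiteralPath $_.FullName).Owner }
        catch { $owner = '<access denied>' }
        if ($owner -notin $TrustedOwners) {
            [pscustomobject]@{ Path = $_.FullName; Owner = $owner; LastWrite = $_.LastWriteTime }
        }
    }
}

function Test-ShadowCopyPresent {
    # The hive-read variant copies SAM/SYSTEM/SECURITY out of a Volume Shadow Copy because the live
    # hives are locked; with no shadow copy on the box that specific target is unavailable. Needs admin.
    try { return (@(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count -gt 0) }
    catch { return 'unknown (run elevated)' }
}

Get-AnyDeskVersionStatus   | Format-List
Find-SuspiciousReparsePoints | Format-Table -AutoSize
Find-UserOwnedTempFiles      | Format-Table -AutoSize
"Shadow copy present: $(Test-ShadowCopyPresent)"
```

A clean host prints an AnyDesk version at or above 9.0.1 (or no installation), no reparse points under C:\Windows\Temp, and an owner list that is empty or explainable. Any junction there whose target mentions a shadow copy, GLOBALROOT or \RPC Control deserves immediate investigation regardless of the AnyDesk version, since the same redirection primitive is reusable against other SYSTEM services that write to that directory.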

The discovery of CVE-2024-12754 highlights the evolving sophistication of local privilege escalation techniques leveraging seemingly innocuous features like desktop background images. 

While AnyDesk has issued patches, users must remain vigilant by applying updates and adopting robust security practices to mitigate similar threats in the future.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.