A recently disclosed vulnerability in AnyDesk, a popular remote desktop software, identified as CVE-2024-12754, enables local attackers to exploit the handling of Windows background images<\/a> to gain unauthorized access to sensitive system files.\u00a0<\/p>\n This could potentially escalate their privileges to administrative levels, posing a significant threat to system security.<\/p>\n The vulnerability has been categorized under CWE-59 (Improper Link Resolution Before File Access) and assigned a CVSS score of 5.5 (Medium), indicating its potential to cause confidentiality breaches.<\/p>\n A proof-of-concept exploit has been disclosed, showing how attackers can take advantage of this vulnerability.\u00a0<\/p>\n According to cybersecurity researcher Naor Hodorov, the flaw lies in how AnyDesk<\/a> processes desktop background images during session initialization.\u00a0<\/p>\n When a session starts, AnyDesk copies the current desktop wallpaper into the C:WindowsTemp directory.\u00a0<\/p>\n This operation is executed by the AnyDesk service running under the NT AUTHORITYSYSTEM account, which has elevated privileges.<\/p>\n Attackers with low privileges can manipulate this process by pre-creating files in the C:WindowsTemp directory or leveraging symbolic links<\/a> (junctions). Here\u2019s how the attack works:<\/p>\n When AnyDesk copies the desktop wallpaper, it retains the ownership and permissions of the SYSTEM account. This makes the copied file inaccessible to low-privileged users by default.<\/p>\n Attackers create a junction (a type of symbolic link) that redirects AnyDesk\u2019s file copy operation to sensitive directories like DeviceHarddiskVolumeShadowCopy1WindowsSystem32CONFIG.\u00a0<\/p>\n This allows attackers to gain access to critical files such as SAM (Security Account Manager), SYSTEM, and SECURITY.<\/p>\n By obtaining these files, attackers can extract hashed credentials or machine keys using tools like mimikatz. This enables them to escalate privileges and potentially gain administrative access.<\/p>\n A PoC exploit has been released<\/a>, demonstrating how attackers can leverage this vulnerability.\u00a0<\/p>\n The exploit involves manipulating file operations using reparse points in Windows Object Manager Namespace (OMNS) directories such as RPC Control.\u00a0<\/p>\n This shows successful exploitation where sensitive files are accessed and restored after triggering an oplock (opportunistic lock).<\/p>\n To address this vulnerability, AnyDesk has released a patch in version 9.0.1<\/a> and later. Users are strongly advised to update their software immediately.\u00a0<\/p>\n The discovery of CVE-2024-12754 highlights the evolving sophistication of local privilege escalation techniques that exploit seemingly innocuous features like desktop background images.\u00a0<\/p>\n While AnyDesk has acted swiftly by issuing patches, this incident underscores the importance of proactive security measures and vigilance against emerging threats.<\/p>\n Organizations must remain alert and adopt robust security<\/a> practices to mitigate similar vulnerabilities in the future.<\/p>\n The post PoC Exploit Released for AnyDesk Vulnerability Exploited to Gain Admin Access Via Wallpapers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAnyDesk Local Privilege Escalation Vulnerability<\/strong><\/h2>\n
Proof-of-Concept (PoC) Exploit<\/strong><\/h2>\n
Recommendation<\/strong><\/h2>\n
Are you from SOC\/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free<\/a><\/code><\/strong><\/p>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdhT9_VCgcdGEkPrjWpXV0yxcIri2ON5N7vVLT6ewoPnjoC4a3O2SZ4vMnC3EZVZeoldMlP6ZOnPNCVymv2goFMsrC3Sy-OqpWl54A-BdLaJeYVWjunYDZg57bZJGnra6lw02HW?key=SoSw0QJ24MN_W_SkH0nhsv2G\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfmADd94ho-0KLBV90XvF-M9brbHjBMpoe3lCXJHR7kRWNHjhaqmFYrVR5McPRdr41FiPQdH1nXT9v9yiiPPiJbsGgfA_Spp9BlLn958DwGVVTLqLPyLnFQZ7uOYdk95irWixEhow?key=SoSw0QJ24MN_W_SkH0nhsv2G\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcmhNK9XkVAlNebtwxXRf1DiettQqD47nL1SxVkMVDokjto0-2D5X1wBaFsp9E7rBYgBXIYMtX6_fXW4aYt3iPyZWr8VNGS8OVWgxbzOh8b9Tiqx1rZBM-m2vaerqQVbYkO4Rj6?key=SoSw0QJ24MN_W_SkH0nhsv2G\")