A newly disclosed vulnerability in AnyDesk, a widely used remote administration tool, could allow attackers to escalate privileges and gain complete control over a system. Tracked as CVE-2024-12754, this security flaw was analyzed by researcher Naor Hodorov, who demonstrated how a low-privileged user could exploit it to gain NT AUTHORITY\SYSTEM privileges.
How CVE-2024-12754 Works
The vulnerability arises from an arbitrary file read/copy operation performed by the AnyDesk service with system-level privileges. Specifically, AnyDesk, running as NT AUTHORITY\SYSTEM, allows low-privileged users to set their background image, which is then copied to the C:\Windows\Temp directory. However, this process retains the original file ownership and permissions, enabling an attacker to overwrite existing files.
Exploitation Technique
Hodorov explains that an attacker can:
- Pre-create a file in C:\Windows\Temp with the same name as the background image.
- Let AnyDesk copy the image: the copy overwrites the attacker-controlled file while maintaining SYSTEM-level ownership.
- Leverage this file ownership loophole to replace or access critical system files, such as SAM, SYSTEM, and SECURITY.
By exploiting these files, an attacker could extract user credentials, manipulate system settings, or even achieve full system compromise.
Patch and Mitigation
The CVE-2024-12754 vulnerability has been patched in AnyDesk v9.0.1. Users and IT administrators are strongly advised to update immediately to prevent exploitation.
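Since the only stated fix is an upgrade, the practical check is an inventory of installed AnyDesk versions against 9.0.1. The following PowerShell script is an added example for that check; it is not code from the original article or from AnyDesk. It assumes that an installed AnyDesk registers itself under the standard Windows Uninstall registry keys with a DisplayVersion value, and that the executable in InstallLocation is named AnyDesk.exe (both assumptions; portable copies that never register are not covered).

```powershell
# Added example (not from the original article or from AnyDesk): inventory AnyDesk installs
# on this host and flag versions below the fixed release stated in the advisory (9.0.1).
# Assumptions: AnyDesk registers under the standard Uninstall keys with a DisplayVersion,
# and the binary in InstallLocation is AnyDesk.exe. Unparseable versions are reported as unknown.

$FixedVersion = [version]'9.0.1'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AnyDeskInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AnyDesk*' } |
        ForEach-Object {
            $versionText = $_.DisplayVersion

            # Fallback: if the registry has no DisplayVersion, read the file version
            # from the executable (filename AnyDesk.exe is an assumption).
            if (-not $versionText -and $_.InstallLocation) {
                $exe = Join-Path $_.InstallLocation 'AnyDesk.exe'
                if (Test-Path $exe) {
                    $versionText = (Get-Item $exe).VersionInfo.FileVersion
                }
            }

            # Treat anything that does not parse as a version as "unknown" ($null),
            # so a missing or odd value is never silently reported as patched.
            $parsed = $null
            $vulnerable = $null
            if ([version]::TryParse($versionText, [ref]$parsed)) {
                $vulnerable = $parsed -lt $FixedVersion
            }

            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                Version         = $versionText
                InstallLocation = $_.InstallLocation
                Vulnerable      = $vulnerable   # $true / $false / $null = unknown
            }
        }
}

$results = Get-AnyDeskInstall
if (-not $results) {
    Write-Output "No AnyDesk installation registered in the Uninstall keys on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize
    $results | Where-Object { $_.Vulnerable -eq $true } | ForEach-Object {
        Write-Warning "$($_.DisplayName) $($_.Version) is below $FixedVersion; update to close CVE-2024-12754."
    }
    $results | Where-Object { $null -eq $_.Vulnerable } | ForEach-Object {
        Write-Warning "$($_.DisplayName): version could not be determined; verify manually."
    }
}
```

Run it locally or wrap the call in Invoke-Command across a set of hosts to get one row per install; rows with Vulnerable set to $true are the ones that still need the 9.0.1 update, and rows with an unknown version should be checked by hand rather than assumed safe.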
Proof-of-Concept (PoC) Exploit Available
A Proof-of-Concept (PoC) exploit demonstrating this attack is now available on GitHub, making it imperative for organizations to apply patches without delay.
Key Takeaways
✅ Vulnerability Name: CVE-2024-12754
✅ Software Affected: AnyDesk (prior to v9.0.1)
✅ Impact: Local Privilege Escalation (LPE)
✅ Exploit Available: Yes (PoC on GitHub)
✅ Fix: Update to AnyDesk v9.0.1 or later
This incident underscores the security risks of remote administration tools and the need for constant vigilance against privilege escalation threats. Stay updated, stay secure!