lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 16 Jul 2022 00:39:17 +0800 From: chan chan <siuchunc.03@...il.com> To: fulldisclosure@...lists.org Subject: Re: [FD] AnyDesk Public Exploit Disclosure - Arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine Hi FullDisclosure, May I know if there is any update? Please note that Mitre has assigned and reserved a CVE number "CVE-2022-32450" for this vulnerability. Regards, Erwin chan chan <siuchunc.03@...il.com> 於 2022年6月22日週三 下午5:42寫道: > Hi FullDisclosure, > > I would like to publish an exploit that I found on AnyDesk as follows. > > # Exploit Title: AnyDesk allow arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine > # Google Dork: [if applicable] > # Date: 24/5/2022 > # Exploit Author: Erwin Chan > # Vendor Homepage: https://anydesk.com/en > # Software Link: https://anydesk.com/en > # Version: 7.0.9 > # Tested on: Windows 11 > > > > It was found that AnyDesk (version 7.0.9) was vulnerable to arbitrary file > write by symbolic link attack leading to denial-of-service attack on local > machine. It was noted that two functions were affected. > *Affected function A* > When there was a remote connection come in, a directory under AppData of > current user (without admin privilege) and a "ad.trace" file (i.e., > "C:\Users\<user>\AppData\Roaming\AnyDesk") will be created by "AnyDesk.exe" > with "NT Authority\SYSTEM" privilege. > [image: image.png] > [image: image.png] > *Affected function B* > After a connection was made, local or remote user could use the chat room. > The chat log was written to folder > "C:\Users\<user>\AppData\Roaming\AnyDesk\chat\" by "AnyDesk.exe" with "NT > Authority\SYSTEM" privilege. Or the local user (without admin privilege) > could change the location of the chat log to anywhere that he/she has > "Modify" privilege. > [image: image.png] > [image: image.png] > *Vulnerability Summary* > Since the directories (i.e., "C:\Users\<user>\AppData\Roaming\AnyDesk\", > "C:\Users\<user>\AppData\Roaming\AnyDesk\chat\") were assigned with > "Modify" privilege for current user, current user could modify the entire > directory. With this setup, an unprivileged user is able to achieve > arbitrary file write by creating a symbolic link to a privileged location > (e.g., C:\Windows\System32). As a result, a malicious user could > potentially deny any service by overwriting the configuration or system > file of applications such as Anti Virus solutions. It was noted that the > file content could be manipulated in affected function B such that a low > privileged user could write an arbitrary file to an arbitrary location. > [image: d98609c1-7ec9-4a1d-9a6c-f4ef670e5d23.png] > *Affected function A: Exploit steps by local user (without admin > privilege)* > > 1. Remove the directory "C:\Users\<user>\AppData\Roaming\AnyDesk" > 2. Create symbolic link of "ad.trace" file to a privileged location > (e.g., C:\Windows\System32\test.file) (PoC binary could be found here: > https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink_readme.txt > ) > > [image: image.png] > > 1. Connect to local machine (target machine) from a remote machine. > After the connection was initiated, the content of "ad.trace" file would be > written to target file (e.g., C:\Windows\System32\test.file) > > [image: image.png] > *Affected function B: Exploit steps by local user (without admin > privilege)* > > 1. edit username of remote connector > > [image: image.png] > > 1. Establish a AnyDesk connection from remote. Enter arbitrary text > into the chat box. Mark down the filename of chat log > > [image: image.png] > > 1. Remove the directory "C:\Users\<user>\AppData\Roaming\AnyDesk\chat" > 2. Create symbolic link of chat log file (e.g., 657584961.txt) to a > privileged location (e.g., C:\Windows\test.conf) (PoC binary could be found > here: > https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink_readme.txt > ) > > [image: image.png] > > 1. Open the chat room and enter arbitrary content into it. After that, > the content of chat room would be written to target file (e.g., > C:\Windows\test.conf) > > [image: image.png] > [image: image.png] > > Please let me know if any detail need further. Thanks > > Regards, > Erwin > > Download attachment "image.png" of type "image/png" (713647 bytes) Download attachment "image.png" of type "image/png" (32104 bytes) Download attachment "image.png" of type "image/png" (460792 bytes) Download attachment "image.png" of type "image/png" (124919 bytes) Download attachment "image.png" of type "image/png" (117438 bytes) Download attachment "d98609c1-7ec9-4a1d-9a6c-f4ef670e5d23.png" of type "image/png" (150162 bytes) Download attachment "image.png" of type "image/png" (159101 bytes) Download attachment "image.png" of type "image/png" (548841 bytes) Download attachment "image.png" of type "image/png" (180310 bytes) Download attachment "image.png" of type "image/png" (112290 bytes) Download attachment "image.png" of type "image/png" (104624 bytes) Download attachment "image.png" of type "image/png" (94740 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists