CVE-2020-13160

AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.

Recent assessments:

zeroSteiner at June 17, 2020 7:54pm UTC reported:

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially
crafted discovery packet, an attacker can corrupt the front end process when it loads or refreshes. While the
discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On
successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

The public PoC works out of the box on Ubuntu 18.04 x64 but requires some work to update the target for newer versions of Ubuntu and other versions of Linux such as Fedora. While the exploit seems reasonably stable for the first exploitation attempt, the GUI becomes unresponsive and subsequent attempts require restarting the service sudo systemctl restart anydesk and restarting the GUI.

A legitimate discovery frame can be sent to a target host to trigger a response. This can be used by an attacker to verify that the service is running, leak the hostname, and determine the operating system.

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 3