module

AnyDesk GUI Format String Write

Disclosed	Created
Jun 16, 2020	Jul 2, 2020

Disclosed

Jun 16, 2020

Created

Jul 2, 2020

Description

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially
crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the
discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On
successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

Authors

scryh
Spencer McIntyre

Platform

Linux

Architectures

x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/linux/misc/cve_2020_13160_anydesk
    msf exploit(cve_2020_13160_anydesk) > show targets
        ...targets...
    msf exploit(cve_2020_13160_anydesk) > set TARGET < target-id >
    msf exploit(cve_2020_13160_anydesk) > show options
        ...show and set options...
    msf exploit(cve_2020_13160_anydesk) > exploit

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today