AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors Products
Anydesk
  • Anydesk

Configuration 1 [-]

cpe:2.3:a:anydesk:anydesk:7.0.9:*:*:*:*:*:*:*
References
Link Resource
http://anydesk.com Vendor Advisory
http://packetstormsecurity.com/files/167608/AnyDesk-7.0.9-Arbitrary-File-Write-Denial-Of-Service.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/Jul/9 Exploit Mailing List Third Party Advisory
https://seclists.org/fulldisclosure/2022/Jun/44 Exploit Mailing List Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-18T12:17:12

Updated: 2022-07-20T04:06:12

Reserved: 2022-06-05T00:00:00

Link: CVE-2022-32450

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2022-07-18T13:15:10.460

Modified: 2022-07-22T14:33:32.907

Link: CVE-2022-32450

JSON object: View

cve-icon Redhat Information

No data.

CWE