AnyDesk 7.0.15 - Unquoted Service Path

Exploit Author: Milad Karimi Analysis Author: www.bubbleslearn.ir Category: Local Language: Shell Published Date: 2024-04-08
# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path
# Date: 2024-04-01
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 7.0.15
# Tested on: Windows 10 Pro x64

1. Description:

AnyDesk installs as a service with an unquoted service path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem


C:\>systeminfo

OS Name:  Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation


AnyDesk 7.0.15 — Unquoted Service Path Vulnerability (Local Privilege Escalation)

This article explains an unquoted service path issue found in AnyDesk version 7.0.15 that can lead to local privilege escalation. It covers what an unquoted service path is, why it matters, how to detect affected services (safe detection), and recommended mitigations. Examples use Windows-native tooling (sc, PowerShell, registry) and focus on defensive actions — not exploitation.

Background — What is an Unquoted Service Path?

A Windows service is launched by the Service Control Manager using an executable path stored in the service's configuration (ImagePath). If that path contains spaces and is not wrapped in quotation marks, Windows may interpret the path incorrectly and search for executable files at intermediate locations. If an attacker (or an unprivileged local account) can place a malicious executable at one of those intermediate locations, the service may launch that executable with the service account's privileges (often SYSTEM), resulting in privilege escalation.

Why this matters for AnyDesk 7.0.15

AnyDesk installs a service that runs as LocalSystem. In version 7.0.15 the service path was configured with quotes in the example provided; however, similar misconfigurations in services (including third-party updates or custom installs) can produce an unquoted-path scenario. An unquoted path combined with writable directories that non-admin users can control can lead to elevation of privileges.

Vulnerability Details (example)

Typical service configuration output (example):

C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
 TYPE               : 10  WIN32_OWN_PROCESS
 START_TYPE         : 2   AUTO_START
 ERROR_CONTROL      : 1   NORMAL
 BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
 LOAD_ORDER_GROUP   :
 TAG                : 0
 DISPLAY_NAME       : AnyDesk Service
 DEPENDENCIES       : RpcSs
 SERVICE_START_NAME : LocalSystem

Explanation: The sc qc output shows the service ImagePath (BINARY_PATH_NAME). If this field lacks surrounding quotes and contains spaces (for example C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service without quotes), the system may parse it incorrectly. The sample above shows a properly quoted path; however, the detection steps below will find services whose path is not properly quoted.

Impact and Risk Assessment

  • Risk: Local privilege escalation — an attacker with local user access can gain SYSTEM privileges.
  • Requirements: A writable intermediate directory (or the ability to place an executable at an unprotected path), service running as a privileged account, and an unquoted ImagePath containing spaces.
  • Scope: Affects systems where services are misconfigured. Not all AnyDesk installs will be vulnerable, but the pattern is common for many third-party services.

Safe Detection — How to Find Unquoted Service Paths

Use the following PowerShell snippet to enumerate services with spaces in PathName that are not wrapped in quotes. This is a detection-only script and does not attempt any modification or exploitation.

# Detection only: list services whose image path (Win32_Service.PathName,
# i.e. the registry ImagePath) contains whitespace but is not quoted.
Get-CimInstance -ClassName Win32_Service |
  Where-Object {
    # PathName is set, contains whitespace, and does not start with a quoted string
    $_.PathName -and ($_.PathName -match '\s') -and ($_.PathName -notmatch '^".+"')
  } |
  Select-Object Name, DisplayName, PathName, StartName, StartMode |
  Sort-Object Name

Explanation: This script queries all services (Win32_Service), filters for entries whose PathName contains whitespace and is not already enclosed in quotes (^".+" matches a quoted string). The output lists service name, friendly name, configured image path, account that runs the service, and start mode. Note that a path whose only whitespace sits after the executable name (for example C:\Windows\system32\svchost.exe -k netsvcs) will also be listed even though the executable path itself is unambiguous, so review each hit rather than treating every result as exploitable. Use this to identify candidates for remediation.
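As an added example (my code, not from the advisory or from AnyDesk), the script below extends the detection snippet above with the mechanics described under Background: for each unquoted path it derives the intermediate locations Windows would probe before reaching the real binary and checks whether a low-privilege principal can create files in the containing directory, which is the precondition listed under Requirements. The function names and the list of low-privilege principals are my assumptions.

```powershell
# Added example, not part of the original advisory or of AnyDesk's own tooling.
# For every unquoted service path, derive the intermediate locations Windows
# would try before the real binary and report whether a low-privilege principal
# can create files in the containing directory (the precondition for abuse).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Simplified model of CreateProcess resolution: try the prefix ending at
    # each space (appending .exe when it has no extension) and stop at the
    # first candidate that exists as a file. The last candidate emitted is
    # therefore the real binary, whose directory is checked as well.
    $cuts = @([regex]::Matches($PathName, '\s') | ForEach-Object { $_.Index }) + $PathName.Length
    foreach ($i in $cuts) {
        $candidate = $PathName.Substring(0, $i)
        if ($candidate -notmatch '\.\w+$') { $candidate += '.exe' }
        $candidate
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { break }
    }
}

function Find-WritableUnquotedServicePaths {
    # Assumption: English principal names; adjust for localized systems.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    Get-CimInstance -ClassName Win32_Service |
      Where-Object { $_.PathName -and ($_.PathName -match '\s') -and ($_.PathName -notmatch '^"') } |
      ForEach-Object {
        $svc = $_
        foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            $dir = Split-Path -Path $cand -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            # Allow ACEs granting CreateFiles (that bit is also set in Modify/FullControl);
            # CreateDirectories alone, which Users hold on C:\, is deliberately ignored.
            $writable = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                ($_.AccessControlType -eq 'Allow') -and
                ($lowPriv -contains $_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $createFiles) -ne 0)
            }
            [pscustomobject]@{
                Service            = $svc.Name
                RunsAs             = $svc.StartName
                Candidate          = $cand
                Directory          = $dir
                WritableByNonAdmin = [bool]$writable
            }
        }
      }
}

Find-WritableUnquotedServicePaths | Format-Table -AutoSize
```

Run it from an elevated session so Get-Acl can read every directory; a row with WritableByNonAdmin set to True is the one to remediate first.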

How to Inspect a Single Service (example)

To view configuration for a single service use sc:

sc qc anydesk

Explanation: sc qc prints the configured binary path and other service metadata. If the BINARY_PATH_NAME field contains spaces but is not quoted, the service is at risk.

Remediation and Mitigation Strategies

Primary recommendations are:

  • Update the vendor software to a patched version — contact AnyDesk or use the official updater. Patching is the preferred fix if a vendor release addresses the issue.
  • Ensure service ImagePath values are properly quoted when they include spaces.
  • Harden file system permissions on service executable directories so non-administrative accounts cannot write new executables into them.
  • Limit local user privileges and remove unnecessary local accounts or rights that allow writing to Program Files locations.
  • Periodically scan for unquoted service paths as part of vulnerability and configuration management.

How to Correct an Unquoted Service Path (safe approaches)

Note: Modifying service configuration or the registry can break services if done incorrectly. Always back up the registry and test changes in a non-production environment. Administrative rights are required for the following actions.

Option A — Reinstall or update the product

  • Uninstall AnyDesk (or run the vendor installer) and reinstall the latest version. Vendors will typically set a correct ImagePath during installation.

Option B — Edit the service ImagePath (example with sc)

sc config anydesk binPath= "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --service"

Explanation: sc config can update the binPath parameter for the service. Notice the quoting: the outer quotes are required by the sc command to pass the entire argument; the internal \"...\" ensures the ImagePath value saved by the service manager is quoted. The space after binPath= is part of sc's argument syntax and must be present. The exact spacing and escaping are important; test carefully. This command requires elevated privileges and may stop/start the service depending on options.

Option C — Edit registry ImagePath directly

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\anydesk' -Name ImagePath -Value '"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'

Explanation: The registry value HKLM\SYSTEM\CurrentControlSet\Services\<service name>\ImagePath controls the image path used to start the service. Placing quotes around the executable path (and keeping any arguments after the quoted path) prevents misinterpretation. After modifying the registry, restart the service or restart the machine to apply changes. Always export the registry key before modification.

Lock Down File System Permissions

Ensure directories containing service executables are not writable by standard users. Example using icacls (run as admin):

icacls "C:\Program Files (x86)\AnyDesk" /inheritance:r
icacls "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" /grant:r "Administrators:(RX)" "SYSTEM:(RX)"

Explanation: The first command strips inherited ACEs from the directory, leaving only the explicit ACEs already present; if none exist, the directory can become inaccessible, so review the current ACL with icacls "C:\Program Files (x86)\AnyDesk" first (be cautious — test before applying widely). The second command replaces any explicit grants Administrators and SYSTEM already hold on the executable with read/execute; it does not remove entries held by other principals, so check the resulting ACL. Adjust ACLs to match your environment and ensure administrators retain necessary access. Overly restrictive ACLs can break legitimate updates.

Detection and Monitoring Recommendations

  • Include the PowerShell detection snippet into regular configuration scans or endpoint hardening checks.
  • Monitor for service registry changes (HKLM\SYSTEM\CurrentControlSet\Services) using an EDR/host-based monitoring system.
  • Alert on writes to Program Files or other privileged locations from non-admin accounts.
  • Use Group Policy or central configuration management to enforce file permissions and software versions.

Operational Considerations and Trade-offs

Some third-party services require running as LocalSystem for legitimate reasons. Changing the service to run under a less-privileged account may reduce the attack surface but could break functionality. Always validate service behavior after changes and coordinate with application owners.

Summary Table

Item                 Details
-------------------  ------------------------------------------------------------------------------------------
Vulnerability        Unquoted service path (local privilege escalation potential)
Affected software    AnyDesk 7.0.15 (example disclosure dated 2024-04-01); pattern affects many services if misconfigured
Impact               Local privilege escalation to SYSTEM if combined with writable intermediate paths
Primary mitigation   Apply vendor update; quote ImagePath values; restrict write permissions to executable directories

References and Responsible Disclosure

  • Vendor: AnyDesk — https://anydesk.com
  • Disclosure example: reported 2024-04-01 by Milad Karimi (Ex3ptionaL)
  • Windows service configuration: HKLM\SYSTEM\CurrentControlSet\Services and sc.exe

If you discover an unquoted service path during assessment, prioritize remediation, registry backup, and safe validation. When in doubt, update the software to the vendor-published patched release and follow your organization's change-control procedures.