AnyDesk 9.0.1 - Unquoted Service Path
# Exploit Title: AnyDesk 9.0.1 - Unquoted Service Path
# Date: 2024-12-11
# Exploit Author: Parastou Razi
# Contact: razi.parastoo@gmail.com
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 9.0.1
# Tested on: Windows 11 x64
1. Description:
AnyDesk installs as a service with an unquoted service path that runs
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof:
C:\>sc qc anydesk --service
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: anydesk
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
--service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AnyDesk Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
AnyDesk 9.0.1 — Unquoted Service Path (Local Privilege Escalation Risk)
Overview
AnyDesk 9.0.1 installs a persistent Windows service that, in the reported configuration, uses an unquoted service binary path while running as LocalSystem. An unquoted service binary path is a well-known Windows configuration weakness that can allow a local, authorized (but non‑privileged) user to influence which executable is launched by the service under certain conditions. That influence may lead to privilege escalation when the service runs as SYSTEM.
Technical details
The core of the issue is an ImagePath (the service BINARY_PATH_NAME) that contains spaces but is not wrapped in quotation marks. When Windows parses the ImagePath to launch the service binary, the lack of quotes can cause the OS to interpret the path segments incorrectly and potentially load an executable located in a different (and writable) location.
C:\>sc qc anydesk --service
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: anydesk
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
--service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AnyDesk Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
Explanation: This sample shows the service configuration returned by sc qc. The BINARY_PATH_NAME field is the command line used to launch the service. In this example it appears quoted, but other installations or variants can exhibit an unquoted path. The important check is whether the registry ImagePath value is properly quoted in every case.
Why an unquoted service path matters
- An unquoted path that contains one or more spaces can allow Windows to resolve and execute a different file than the administrator intended.
- If a low‑privileged user can write or create files in a directory that Windows attempts to search when resolving the path, they may cause the system to execute their chosen file with the elevated context of the service (often SYSTEM).
- Unquoted service paths are a local privilege escalation (LPE) weakness — not a remote code execution on their own — but they are valuable to attackers who already have local access to a system.
Detection and verification (safe, defensive checks)
Check installed services for unquoted ImagePath entries that contain spaces. The following PowerShell snippet is a defensive audit you can run as an administrator to identify potentially vulnerable services on a host:
Get-WmiObject win32_service |
Select-Object Name, DisplayName, StartName, PathName |
Where-Object { $_.PathName -and ($_.PathName -match '\s') -and ($_.PathName -notmatch '^\s*"') } |
Format-Table -AutoSize
Explanation: This PowerShell command:
- Enumerates services via WMI (win32_service).
- Selects key fields: Name, DisplayName, StartName (account), PathName (ImagePath).
- Filters entries whose PathName contains whitespace AND does not begin with a quotation mark. Checking only the opening quote matters because a correctly quoted path is usually followed by unquoted arguments (for example "...\AnyDesk.exe" --service), so a filter that expects the whole value to end with a quote would wrongly flag it.
- Presents results in a table for human review.
Entries whose only spaces are in the arguments (for example svchost.exe -k netsvcs) will still appear and can be dismissed after review. This is a defensive detection technique intended to help administrators locate candidate services that need remediation.
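The following Python is an added example, not code from the advisory or from AnyDesk. It models the path-resolution behaviour described above and goes one step beyond the PowerShell audit: for each constructed PathName it lists the executables Windows would try, in order, and the directories whose write ACLs an administrator must check. The service names other than anydesk are hypothetical.

```python
import ntpath
import re

# Constructed sample Win32_Service.PathName values: the quoted AnyDesk entry from
# the sc qc output, a hypothetical unquoted variant, a hypothetical vendor path
# with two space-containing folders, and a space-free path with arguments.
SAMPLE_SERVICES = {
    "anydesk": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service',
    "demo-unquoted": r'C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service',
    "demo-nested": r'C:\Program Files\Some Vendor\agent.exe',
    "demo-nospace": r'C:\Windows\system32\svchost.exe -k netsvcs',
}

def is_quoted(path_name: str) -> bool:
    """True when the executable portion of the ImagePath starts with a quote."""
    return path_name.lstrip().startswith('"')

def candidate_paths(path_name: str) -> list[str]:
    """Executables Windows may try, in order, when starting the service: for an
    unquoted path CreateProcess tries each whitespace-delimited prefix, adding
    ".exe" when it has no extension. We stop at the first prefix naming an .exe
    and treat the remaining tokens as arguments."""
    if is_quoted(path_name):
        return [re.match(r'\s*"([^"]*)"', path_name).group(1)]
    tokens = path_name.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1].lower() == ".exe":
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def directories_to_review(path_name: str) -> list[str]:
    """Parent directories of the candidates tried before the intended binary;
    a standard user able to create files in one of them puts the service at risk."""
    parents = [ntpath.dirname(c) for c in candidate_paths(path_name)[:-1]]
    return list(dict.fromkeys(parents))  # de-duplicate, keep order

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Services whose unquoted executable path contains a space, mapped to the
    directories whose write ACLs an administrator must verify."""
    findings = {}
    for name, path_name in services.items():
        if not is_quoted(path_name) and " " in candidate_paths(path_name)[-1]:
            findings[name] = directories_to_review(path_name)
    return findings
```

Feed it the PathName column exported from the PowerShell audit to turn a list of candidate services into a concrete list of directories to check with icacls.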
Remediation and mitigation
- Update: First, check for and apply vendor updates. If AnyDesk has released a fixed version after 9.0.1, upgrade to the vendor-provided patched release.
- Quote the service ImagePath: Ensure the service ImagePath is wrapped in quotes. This prevents the path parser from splitting the string on spaces. For example, the ImagePath should look like:
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
Explanation: Quoting the full executable path removes ambiguity when Windows parses the command line used to start the service. Changes to service configuration require administrative privileges and should be performed using approved change control.
- Harden file-system permissions: Ensure that directories in the service path (for example, C:\Program Files (x86)\AnyDesk\) are not writable by non‑privileged users. The Program Files locations should typically allow only SYSTEM and Administrators write access.
- Lock down service configuration: Restrict access to the service registry keys and the service object so unprivileged users cannot alter ImagePath or service parameters. Typical keys are under HKLM\SYSTEM\CurrentControlSet\Services\.
- Use proper process isolation: Avoid running services as LocalSystem unless required. If possible, configure services to run under the least‑privileged accounts necessary.
- Document and patch management: Add a process to periodically scan services for unquoted paths and other common misconfigurations as part of your system hardening routine.
How to safely apply a fix (administrative example)
As an administrator, you can update the service ImagePath to include proper quoting. Administrative tools include the Services MMC, registry editing, or administrative command-line utilities. Any change to a service should follow organizational change control and backup practices.
sc config anydesk binPath= "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --service"
Explanation: The example shows how the Microsoft Service Controller (sc) could be used to set the binPath to a properly quoted path. Note: this command must be run from an elevated prompt, and the space after binPath= is required by sc's argument syntax. Always validate with a backup or test system and confirm the syntax and behavior before applying in production.
Post-remediation validation
- After applying fixes, re-run the detection script to confirm there are no remaining unquoted ImagePath entries for services running as high‑privilege accounts.
- Confirm directory and file ACLs prevent non‑administrative users from creating executables in service directories.
- Restart the service and verify functionality; check Windows Event Log and AnyDesk logs to ensure normal operation.
Risk assessment and prioritization
| Aspect | Details |
|---|---|
| Impact | Local privilege escalation to SYSTEM if exploit conditions are met (local write access to candidate directories). |
| Complexity | Requires local authenticated access and suitable file-system permissions; not a remote network exploit in isolation. |
| Likelihood | Higher on poorly hardened systems where program directories are writable by standard users. |
Expert recommendations & best practices
- Maintain a central inventory of services and their ImagePath values across your environment and scan for common misconfigurations automatically.
- Use least‑privilege principles for service accounts; avoid SYSTEM when alternatives suffice.
- Harden workstations and servers so non‑admin users cannot write to Program Files locations or service directories.
- Apply vendor updates and monitor vendor advisories for AnyDesk and other third‑party software that install services.