- anydesk
- lpe
- com
- windows
- exploitarium
news
AnyDesk 9.7.6 Printer Pipe COM Impersonation LPE
The AnyDesk printer worker unmarshals attacker-supplied COM bytes received on the adprinterpipe named pipe with RPC_C_IMP_LEVEL_IMPERSONATE, which yields SYSTEM when AnyDesk is installed as a service.
Summary
The AnyDesk printer worker reads bytes from the adprinterpipe named pipe and unmarshals them as a COM interface with RPC_C_IMP_LEVEL_IMPERSONATE. A local user who supplies those bytes can therefore impersonate the worker's identity, which is SYSTEM when AnyDesk is installed as a service. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | AnyDesk for Windows 9.7.6 |
| Primitive | Named pipe + CoUnmarshalInterface(IStream::Read) impersonation |
| Impact | Low-privileged local user → AnyDesk service identity (default LocalSystem on service install). |
Attack Chain
Connect to adprinterpipe → send a marshaled IStream → the callback impersonates the service during Read
Mitigation
Restrict the pipe ACL; validate the COM caller; run the service under a least-privilege account.
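Until those mitigations are in place, connections to the pipe can be monitored. The following detection check is an added example, not code from the Exploitarium PoC or from AnyDesk: it scans Sysmon pipe events (Event ID 17 = pipe created, 18 = pipe connected) for connections to adprinterpipe from images outside an allowlist. The JSON record layout, the allowlisted install path and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

PIPE = "adprinterpipe"  # pipe name taken from the page
# Assumption: the installed AnyDesk binary is the only legitimate client;
# baseline real clients in your own environment before alerting on this.
EXPECTED_CLIENTS = {r"c:\program files (x86)\anydesk\anydesk.exe"}

# Constructed Sysmon-style records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 17, "PipeName": "\\adprinterpipe", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 18, "PipeName": "\\adprinterpipe", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "User": "WS01\\alice"}
{"EventID": 18, "PipeName": "\\adprinterpipe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\client.exe", "User": "WS01\\alice"}
{"EventID": 18, "PipeName": "\\ADPrinterPipe", "Image": "C:\\Users\\Public\\tool.exe", "User": "WS01\\bob"}
{"EventID": 18, "PipeName": "\\spoolss", "Image": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 18, "PipeName": truncated
"""


def is_target_pipe(pipe_name):
    # Sysmon logs the name with a leading backslash and pipe names are
    # case-insensitive. Prefix match in case the real name carries a suffix.
    return pipe_name.lstrip("\\").casefold().startswith(PIPE)


def find_unexpected_clients(lines, expected=EXPECTED_CLIENTS):
    """Return connect events on the printer pipe from images outside `expected`."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip it and keep scanning
        if not isinstance(ev, dict) or ev.get("EventID") != 18:
            continue  # only pipe-connect events are of interest here
        if not is_target_pipe(ev.get("PipeName", "")):
            continue
        # Normalise separators and ".." so equivalent spellings compare equal.
        image = ntpath.normpath(ev.get("Image", "")).casefold()
        if image not in expected:
            findings.append({"image": image, "user": ev.get("User", "")})
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_clients(SAMPLE_EVENTS.splitlines()):
        print(f"unexpected client on {PIPE}: {hit['image']} as {hit['user']}")
```

Sysmon only records these events when its configuration includes pipe monitoring for the pipe name.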