UltraVNC
cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*
- 1.6.4.0
A vulnerability exists in UltraVNC version 1.6.4.0 on Windows, specifically within the Windows Service component that utilizes the cryptbase.dll library. This vulnerability arises from an uncontrolled search path issue, allowing local attackers to manipulate the DLL loading process. The exploitation of this vulnerability could lead to arbitrary code execution, particularly if the UltraVNC service is running with elevated privileges.
Exploitation of this vulnerability allows for arbitrary code execution with SYSTEM privileges, potentially leading to actions such as establishing a reverse shell, installing persistence mechanisms, or further privilege escalation and lateral movement.
To reproduce this vulnerability, a local attacker must place a malicious version of cryptbase.dll in a directory that is searched before the legitimate System32 path. This can be done by placing the DLL in the UltraVNC installation directory, the current working directory, or any user-writable location alongside the UltraVNC service executable. Once the malicious DLL is in place, the vulnerable UltraVNC service (winvnc.exe) can be started, which will load the cryptbase.dll file. The malicious code in the DLL will then be executed in the context of the UltraVNC service process.
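One way to detect the load described above, as an added example that is not part of the advisory or of UltraVNC: it scans image-load records shaped like Sysmon Event ID 7 and flags winvnc.exe loading cryptbase.dll from anywhere other than the system directories. The sample records, the `C:\Apps\UltraVNC` path and the `C:\Windows` system root are constructed assumptions.

```python
import ntpath

# Assumption: Windows is installed at C:\Windows; adjust for other system roots.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_PROCESS = "winvnc.exe"   # service executable named in the advisory
WATCHED_DLL = "cryptbase.dll"    # library named in the advisory

# Constructed records using Sysmon Event ID 7 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Apps\UltraVNC\winvnc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"Image": r"C:\Apps\UltraVNC\winvnc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Apps\UltraVNC\CRYPTBASE.DLL", "Signed": "false"},
    {"Image": r"C:\Apps\UltraVNC\winvnc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptbase.dll", "Signed": "false"},
    {"Image": r"C:\Apps\Other\other.exe", "User": r"HOST\alice",
     "ImageLoaded": r"C:\Apps\Other\cryptbase.dll", "Signed": "false"},
]


def norm(path):
    """Resolve '..' segments, unify separators and lower-case a Windows path."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def suspicious_loads(events):
    """Return one finding per watched-DLL load from an untrusted directory."""
    findings = []
    for ev in events:
        image, loaded = norm(ev["Image"]), norm(ev["ImageLoaded"])
        if ntpath.basename(image) != WATCHED_PROCESS:
            continue
        if ntpath.basename(loaded) != WATCHED_DLL:
            continue
        load_dir = ntpath.dirname(loaded)
        if load_dir in TRUSTED_DIRS:
            continue  # expected location for the legitimate library
        findings.append({
            "loaded": loaded,
            "beside_exe": load_dir == ntpath.dirname(image),
            "signed": ev.get("Signed", "false").lower() == "true",
            "user": ev.get("User", ""),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_loads(SAMPLE_EVENTS):
        print(f)
```

A finding with `beside_exe` set matches the installation-directory placement described above; the natural follow-up is to review which accounts can write to that directory.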