UltraVNC
cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*
- <= 1.6.4.0
UltraVNC versions prior to 1.6.4.0 are affected by an uncontrolled search path (DLL search order hijacking) in the Service component. When the winvnc.exe service starts, it loads the system library VERSION.DLL by file name only, so Windows resolves it through the default DLL search order, which checks the directory containing winvnc.exe before the System32 directory. An attacker with local access who can write to that directory can place a malicious version.dll beside winvnc.exe; on the next service start the rogue DLL is loaded instead of the genuine one and its code runs inside the UltraVNC process. A default installation under Program Files is not writable by standard users, so in practice the flaw is exploitable where the installation directory has weak permissions or sits in a non-default location, or through social engineering, such as tricking a user into placing a crafted version.dll in the UltraVNC installation directory.
Successful exploitation yields arbitrary code execution in the winvnc.exe process with the privileges of the service account. Windows services commonly run as LocalSystem; where that is the case, write access to the installation directory becomes SYSTEM-level code execution, i.e. a local privilege escalation.
To reproduce, build a version.dll whose DllMain runs attacker-controlled code, place it in the same directory as winvnc.exe, and start or restart the UltraVNC service: the malicious DLL is loaded in place of the legitimate one and the embedded code executes. The same result can be obtained through social engineering, by convincing a user to copy the malicious DLL into the UltraVNC installation directory. The loading behaviour can be confirmed with Process Monitor by filtering on the winvnc.exe process and a Path ending in version.dll: a vulnerable build probes the application directory first and only falls back to System32 when no file is found there. Until the fix is applied, restrict write access on the installation directory to administrators; the developer-side mitigation for this class of bug is to load VERSION.DLL with an absolute path or via LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (or SetDefaultDllDirectories), so that the application directory is never consulted for system libraries.
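The following audit script is an added example, not part of the UltraVNC project or of this advisory. It checks the three preconditions described above on a host: whether a version.dll already sits beside the service binary (and whether it is Microsoft-signed), whether low-privilege principals hold write rights on the installation directory, and whether the current user can actually create a file there. It assumes the service is registered as `uvnc_service` (the name is a parameter, since installers may differ) and should be run from a non-elevated prompt so that the write probe reflects what a standard user can do.

```powershell
# Added audit script (not UltraVNC project code). Assumes the service name
# 'uvnc_service'; pass -ServiceName if the installation uses a different one.
function Test-UltraVncDllHijack {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'uvnc_service'
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # PathName may be quoted and may carry arguments, e.g. "C:\...\winvnc.exe" -service
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $dir = Split-Path -Parent $exe

    $report = [ordered]@{
        ServiceName     = $svc.Name
        RunsAs          = $svc.StartName   # LocalSystem means a hijack yields SYSTEM
        Executable      = $exe
        InstallDir      = $dir
        RogueDllPresent = $false
        RogueDllSigned  = $null
        WeakAcl         = @()
        WriteProbe      = $false
        Exploitable     = $false
    }

    # 1. Has a version.dll already been dropped beside winvnc.exe? The genuine
    #    library lives in System32, so any copy here is suspect unless it is
    #    Microsoft-signed (and even then it does not belong in this directory).
    $rogue = Join-Path $dir 'version.dll'
    if (Test-Path -LiteralPath $rogue) {
        $report.RogueDllPresent = $true
        $sig = Get-AuthenticodeSignature -FilePath $rogue
        $report.RogueDllSigned = ($sig.Status -eq 'Valid' -and
                                  $sig.SignerCertificate.Subject -like '*Microsoft*')
    }

    # 2. Which low-privilege principals may create or modify files in the directory?
    #    Bit 0x2 is WriteData/CreateFiles and is set in Write, Modify and FullControl;
    #    0x40000000 is GENERIC_WRITE, which Get-Acl reports as a raw integer.
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'Everyone', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 0x2) -or ($rights -band 0x40000000)) {
            $report.WeakAcl += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }

    # 3. Empirical check: can the current user drop a file next to winvnc.exe?
    #    Run non-elevated; an administrator will always succeed here.
    $probe = Join-Path $dir ("hijack-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $report.WriteProbe = $true
    } catch {
        $report.WriteProbe = $false
    }

    $report.Exploitable = $report.WriteProbe -or ($report.WeakAcl.Count -gt 0)
    return [pscustomobject]$report
}

# Usage (from a standard-user PowerShell session):
#   Test-UltraVncDllHijack | Format-List
```

A result with `Exploitable = True` means a standard user can stage the hijack; `RogueDllPresent = True` with `RogueDllSigned = False` means it may already have been staged and the file should be preserved for analysis rather than deleted. The write probe is deliberately separate from the ACL check, because inherited or group-based rights are easy to misread and the probe answers the question directly.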