The "UltraVNC DSMPlugin LPE Vulnerability" refers to a security flaw in UltraVNC, a popular remote desktop software. This vulnerability specifically impacts the DSM (Data Stream Modification) Plugin of UltraVNC. LPE stands for Local Privilege Escalation, which means that this vulnerability could allow an attacker who already has access to the system (albeit with limited privileges) to gain higher-level access or control over the system. Such vulnerabilities are critical because they can be exploited to compromise system integrity, confidentiality, and availability, especially in environments where UltraVNC is used for remote administration. The exact technical details of the vulnerability would typically include information about how the flaw can be exploited, the conditions required for exploitation, and potential impact if left unaddressed.

1. UltraVNC DSMPlugin
Vulnerability
Leading to Local Privilege Escalation
(CVE-2022-24750)
Disclosed by: Jing Qiang
Patched by: Rudi De Vos

2. UltraVNC
Installed as a SYSTEM service
Always have 2 processes running with SYSTEM privilege.
1. Service running in session 0
2. GUI app running in user logged on session (session 2 in my scenario)
2

3. GUI app
Trayicon to allows admins to adjust VNC configurations
3

4. Vulnerability Details
● A vulnerability has been found in the DSMPlugin module, which allows a local authenticated user to
achieve local privilege escalation (LPE) on a vulnerable system.
● Affects ALL UltraVNC <= 1.3.8
● The DSMPlugin module is responsible for loading a plugin to encrypt VNC sessions
4

5. Some known issues on DSMPlugin module
Source: Howto add encryption - UltraVNC VNC OFFICIAL SITE, Remote Desktop Free Opensource (uvnc.com)
If you load a plugin that is not compatible with your windows OS architecture (e.g. 32/64-bits),
an error will be thrown.
5

6. Other ways of triggering error message
Input a non-existing plugin (SecurVNCPlugin64.dsm) and click “Config”
6

7. Using Procmon to understand what happened
Windows DLL Search Order pattern even when we are searching for .dsm extension
1. Application Directory
2. System Directory
3. 16-bit System
Directory
4. Windows Directory
5. Current Directory*
6. Directories listed in the
PATH variable
*Because the process is running as SYSTEM, the current directory becomes
C:WindowsSystem32 7

8. Input without extensions
If no extension is provided, it will auto append .DLL and try to load it
8

9. What About Directory Traversal?
Looks like we can load a DLL outside of the installed directory
9

10. Exploitation
Demo: UltraVNC DSMPlugin Privilege Escalation - YouTube
Loading malicious DLL to gain SYSTEM privilege
10

11. Code Analysis
Tracing the code to error message
winvncLocalization.h
winvncvncproperties.cpp
11

12. Code Analysis
Before the pop-up appears, it check whether the plugin is loaded. If not, Load the plugin first
winvncvncproperties.cpp
12

13. Code Analysis - Vulnerable Code
DSMPluginDSMPlugin.cpp
Tracing into the GetDSMPluginPointer()->LoadPlugin() function
The LoadLibrary() at line 379 loads a
DLL in the process running as
SYSTEM. There is no prior check for
the path, which allows any DLL to be
loaded.
The LoadLibrary at line 393 loads a
DLL from the fully qualified path for
the file that contains the specified
module. (Because we are using
GetModuleFileName() API, it will
differ from the Windows Search
Order’s Current Directory)
13