The "UltraVNC DSMPlugin LPE Vulnerability" refers to a security flaw in UltraVNC, a popular remote desktop software. This vulnerability specifically impacts the DSM (Data Stream Modification) Plugin of UltraVNC. LPE stands for Local Privilege Escalation, which means that this vulnerability could allow an attacker who already has access to the system (albeit with limited privileges) to gain higher-level access or control over the system. Such vulnerabilities are critical because they can be exploited to compromise system integrity, confidentiality, and availability, especially in environments where UltraVNC is used for remote administration. The exact technical details of the vulnerability would typically include information about how the flaw can be exploited, the conditions required for exploitation, and potential impact if left unaddressed.
2. UltraVNC
Installed as a SYSTEM service.
It always has 2 processes running with SYSTEM privilege:
1. Service running in session 0
2. GUI app running in the logged-on user's session (session 2 in my scenario)
4. Vulnerability Details
● A vulnerability has been found in the DSMPlugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system.
● Affects ALL UltraVNC <= 1.3.8
● The DSMPlugin module is responsible for loading a plugin to encrypt VNC sessions
5. Some known issues on DSMPlugin module
Source: Howto add encryption - UltraVNC VNC OFFICIAL SITE, Remote Desktop Free Opensource (uvnc.com)
If you load a plugin that is not compatible with your Windows OS architecture (e.g. 32/64-bit), an error will be thrown.
6. Other ways of triggering error message
Enter a non-existent plugin name (SecurVNCPlugin64.dsm) and click “Config”.
7. Using Procmon to understand what happened
The Windows DLL search order is followed even though we are searching for a .dsm extension:
1. Application Directory
2. System Directory
3. 16-bit System Directory
4. Windows Directory
5. Current Directory*
6. Directories listed in the PATH variable
*Because the process is running as SYSTEM, the current directory becomes C:\Windows\System32.
12. Code Analysis
Before the pop-up appears, it checks whether the plugin is loaded. If not, it loads the plugin first.
winvnc\vncproperties.cpp
13. Code Analysis - Vulnerable Code
DSMPlugin\DSMPlugin.cpp
Tracing into the GetDSMPluginPointer()->LoadPlugin() function
The LoadLibrary() at line 379 loads a DLL in the process running as SYSTEM. There is no prior check for the path, which allows any DLL to be loaded.
The LoadLibrary() at line 393 loads a DLL from the fully qualified path of the file that contains the specified module. (Because it uses the GetModuleFileName() API, this differs from the Windows search order's Current Directory.)
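As an added illustration (not UltraVNC's code), the path check that the LoadLibrary() call at line 379 lacks: accept only a bare plugin file name, reject anything that could steer the load into another directory, and build a fully qualified path under the server's own directory so the name is never resolved through the search order. It is plain C with no Windows API calls; `is_safe_plugin_name`, `build_plugin_path` and the `app_dir` parameter are assumed names, and the sample names and `C:\ExampleApp` are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PLUGIN_PATH 260   /* MAX_PATH on Windows */

/* Case-insensitive ".dsm" suffix test (Windows file names are case-insensitive). */
static bool has_dsm_extension(const char *name, size_t len) {
    static const char ext[] = ".dsm";
    if (len < sizeof ext) return false;               /* shortest valid name is "x.dsm" */
    const char *tail = name + len - (sizeof ext - 1);
    for (size_t i = 0; i < sizeof ext - 1; i++)
        if (tolower((unsigned char)tail[i]) != ext[i]) return false;
    return true;
}

/* The check LoadPlugin() lacks: accept only a bare file name, so the name cannot
 * steer LoadLibrary() elsewhere. Rejects separators, a drive colon and "..". */
bool is_safe_plugin_name(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len >= MAX_PLUGIN_PATH) return false;
    if (strpbrk(name, "\\/:") != NULL) return false;
    if (strstr(name, "..") != NULL) return false;
    return has_dsm_extension(name, len);
}

/* Builds "<app_dir>\<name>" so LoadLibrary() receives a fully qualified path rather
 * than a bare name resolved through the search order. app_dir is a hypothetical
 * parameter standing in for the directory GetModuleFileName() reports. */
bool build_plugin_path(const char *app_dir, const char *name,
                       char *out, size_t out_size) {
    if (out == NULL || out_size == 0) return false;
    out[0] = '\0';                                    /* stays empty on rejection */
    if (app_dir == NULL || !is_safe_plugin_name(name)) return false;
    size_t dir_len = strlen(app_dir);
    const char *sep = (dir_len > 0 && app_dir[dir_len - 1] != '\\') ? "\\" : "";
    int n = snprintf(out, out_size, "%s%s%s", app_dir, sep, name);
    if (n < 0 || (size_t)n >= out_size) { out[0] = '\0'; return false; }
    return true;
}

int main(void) {   /* constructed sample names; C:\ExampleApp is a placeholder directory */
    const char *names[] = { "ExamplePlugin64.dsm", "..\\ExamplePlugin64.dsm", "ExamplePlugin64.dll" };
    char path[MAX_PLUGIN_PATH];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s -> %s\n", names[i],
               build_plugin_path("C:\\ExampleApp", names[i], path, sizeof path) ? path : "rejected");
    return 0;
}
```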