CVE-2022-24750 Overview
CVE-2022-24750 is a local privilege escalation vulnerability affecting UltraVNC, a free and open source remote PC access software. The vulnerability exists in the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on vulnerable systems running UltraVNC versions prior to 1.3.8.0.
The root cause stems from insecure plugin loading behavior, where the DSM plugin module could be manipulated to load malicious DLLs from unintended directories. The vulnerability has been addressed in version 1.3.8.1 by restricting plugin loading to the installed directory only.
Critical Impact
A local authenticated attacker can exploit this vulnerability to escalate privileges to SYSTEM level when UltraVNC server is running as a Windows service, potentially gaining full control of the affected system.
Affected Products
- UltraVNC versions prior to 1.3.8.0
- UltraVNC server running as a Windows service
- Systems with DSM plugin module enabled
Discovery Timeline
- 2022-03-10 - CVE-2022-24750 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24750
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management), which occurs when an application does not properly assign, modify, track, or check privileges for an actor, leading to unintended access. In the case of CVE-2022-24750, the UltraVNC DSM plugin module fails to properly validate the source directory for plugin DLLs before loading them.
When UltraVNC server runs as a Windows service, it operates with elevated SYSTEM privileges. The DSM plugin loading mechanism did not restrict the search path for plugins, allowing an attacker who can write to certain directories to place a malicious DLL that would be loaded by the high-privilege service. This results in arbitrary code execution with SYSTEM privileges.
Root Cause
The vulnerability stems from improper path validation in the DSM plugin loading mechanism. Prior to the fix, UltraVNC would search for and load DSM plugin modules without restricting the search to the application's installed directory. This allowed a local attacker to place a malicious DLL in a directory where the application would search for plugins, effectively hijacking the plugin loading process.
The fix implemented in version 1.3.8.1 ensures that plugins can only be loaded from the installed directory, preventing DLL search order hijacking attacks.
Attack Vector
This is a local attack vector requiring authenticated access to the target system. The attacker must:
- Have local access to a system running UltraVNC server as a Windows service
- Be able to write files to a directory in the DLL search path
- Create a malicious DLL masquerading as a DSM plugin
- Trigger the UltraVNC service to load the malicious plugin
The security patch modifies the plugin loading behavior in winvnc/winvnc/vncproperties.cpp:
#include "vncConnDialog.h"
#include "Localization.h" // ACT : Add localization on messages
+#include "shlwapi.h"
//extern HINSTANCE g_hInst;
Source: GitHub Commit Details
The patch includes the shlwapi.h header, which provides shell path handling functions used to properly validate and restrict the plugin loading path to the installed directory.
Detection Methods for CVE-2022-24750
Indicators of Compromise
- Unexpected DLL files appearing in directories within the UltraVNC search path
- Unusual child processes spawned by WinVNC.exe service
- Suspicious file write operations to UltraVNC-related directories by low-privilege users
- Audit logs showing DLL loading from non-standard locations by the WinVNC service
Detection Strategies
- Monitor for DLL loading events associated with WinVNC.exe from directories outside the installed path
- Implement application whitelisting to detect unauthorized DLL loads
- Use endpoint detection and response (EDR) solutions to identify privilege escalation attempts
- Review Windows Security Event logs for suspicious service-related activities (Event IDs 4688, 7045)
Monitoring Recommendations
- Enable detailed process creation auditing on systems running UltraVNC
- Configure SentinelOne to alert on DLL sideloading attempts targeting remote access software
- Monitor file integrity in UltraVNC installation directories
- Track service configuration changes that might indicate exploitation attempts
How to Mitigate CVE-2022-24750
Immediate Actions Required
- Upgrade UltraVNC to version 1.3.8.1 or later immediately
- Audit systems for unauthorized DLL files in UltraVNC directories
- Review service configurations to identify unnecessary SYSTEM-level service deployments
- Implement least-privilege principles for remote access software deployment
Patch Information
The vulnerability has been fixed in UltraVNC version 1.3.8.1. The patch restricts plugin loading to the installed directory, preventing DLL search order hijacking. Organizations should upgrade all affected installations as soon as possible.
For detailed patch information, refer to the GitHub Commit Details and the GitHub Security Advisory.
Workarounds
- Do not install or run UltraVNC server as a Windows service if upgrading is not immediately possible
- Create a scheduled task on a low-privilege account to launch WinVNC.exe instead of running as a service
- Restrict write access to directories in the DLL search path used by UltraVNC
- Note: There are no known workarounds if WinVNC must be started as a service; upgrading is required
# Example: Create scheduled task to run WinVNC as low-privilege user
schtasks /create /tn "UltraVNC" /tr "C:\Program Files\UltraVNC\WinVNC.exe" /sc onlogon /ru LimitedUser
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
