| 제목 | UltraVNC 1.6.4.0 Uncontrolled Search Path |
|---|
| 설명 | UltraVNC version x.x.x.x (32-bit/x86) fails to securely load the system DLL "cryptbase.dll" by using a relative path or relying on the default Windows DLL search order without mitigation. This allows an attacker with local access to place a malicious cryptbase.dll in a directory that precedes the legitimate System32 path in the search order (such as the application's installation directory, current working directory, or a user-writable location alongside the UltraVNC service executable).
When the vulnerable UltraVNC service (winvnc.exe) loads cryptbase.dll, the malicious DLL is executed in the context of the service process. If the service runs with elevated privileges (SYSTEM or high-integrity, common for VNC servers installed as a service), this results in arbitrary code execution with SYSTEM privileges, enabling actions such as establishing a reverse shell to the attacker's machine, installing persistence mechanisms, or performing further privilege escalation and lateral movement. |
|---|
| 원천 | ⚠️ https://drive.google.com/file/d/14ixv_1i4D2VrZWyl4RKsvFcN1AMF_qNx/view |
|---|
| 사용자 | haehanse (UID 95883) |
|---|
| 제출 | 2026. 02. 25. AM 10:28 (1 월 ago) |
|---|
| 모더레이션 | 2026. 03. 08. AM 08:11 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 349754 [UltraVNC 1.6.4.0 켜짐 Windows Windows Service cryptbase.dll 권한 상승] |
|---|
| 포인트들 | 20 |
|---|