| Field | Value |
|---|---|
| Title | UltraVNC 1.6.4.0 Uncontrolled Search Path-Privilege escalation with version.dll |
| Description | UltraVNC 1.6.4.0 (32-bit/x86) insecurely loads the system library VERSION.DLL during startup of the winvnc.exe service. Instead of explicitly loading the legitimate library from the Windows system directory, the application relies on the default Windows DLL search order.
During service initialization, winvnc.exe attempts to load VERSION.DLL from the application directory (the directory where winvnc.exe resides) before checking the legitimate copy in the Windows System32 directory. Because no secure loading mechanism is enforced, this behavior introduces a DLL search order hijacking vulnerability.
An attacker with local access to the system can place a malicious version.dll in the same directory as winvnc.exe. When the UltraVNC service starts, Windows loads the attacker-controlled DLL from the application directory first because of the default DLL search order, and the malicious DLL executes within the context of the UltraVNC process.
This vulnerability may also be exploitable through social engineering. For example, an attacker could trick a user into extracting or placing a crafted version.dll into the UltraVNC installation directory (e.g., via a compressed archive, software package, or file-sharing scenario). Once the service or application is started, the malicious DLL is loaded automatically, resulting in execution of attacker-controlled code.
If the application runs with elevated privileges (for example, when the user starts it with Run as Administrator or when the service runs with elevated permissions), the attacker-supplied DLL executes with the same privilege level. This could allow an attacker to establish a reverse shell, install persistence mechanisms, or conduct further post-exploitation activity on the system.
Proof of Concept:
1. Create a malicious version.dll containing attacker-controlled code.
2. Place the malicious version.dll in the same directory as winvnc.exe.
3. Start or restart the UltraVNC service (winvnc.exe).
4. The malicious DLL is loaded instead of the legitimate system library.
Impact:
Successful exploitation allows arbitrary code execution in the context of the UltraVNC process, potentially leading to privilege escalation if the service or application runs with elevated privileges.
PoC Demonstration:
The attached Proof-of-Concept (PoC) video demonstrates the full exploitation workflow of the DLL hijacking vulnerability in two scenarios:
1. Exploitation when the application is executed under a standard user context, resulting in a reverse shell with user-level privileges.
2. Exploitation when the application is executed using Run as Administrator, resulting in a reverse shell with elevated privileges on the victim machine. |
| Source | https://drive.google.com/file/d/1QC-MrqGsfjr4phEN77krLFZHQN8S48U_/view |
| User | haehanse (UID 95883) |
| Submission | 03/11/2026 14:14 (19 days ago) |
| Moderation | 03/27/2026 09:13 (16 days later) |
| Status | Accepted |
| VulDB entry | 353839 [UltraVNC up to 1.6.4.0 Service version.dll uncontrolled search path] |
| Points | 20 |
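A defender-side triage check for the condition described in the entry above, added here as an example and not part of the VulDB submission or of UltraVNC itself: it locates the service that runs winvnc.exe, flags any DLL in that directory which shadows a System32 DLL (version.dll being the case at hand), and reports whether broad groups can write to the directory, which is what decides whether a low-privileged local user can plant the file. It assumes Windows PowerShell 5.1 or later and rights to read service configuration and ACLs; no UltraVNC-specific service name or install path is assumed, both are derived from the service configuration.

```powershell
# Added triage script (not from the VulDB entry or UltraVNC). Assumes Windows
# PowerShell 5.1+ and enough rights to read service configuration and ACLs.
$System32 = Join-Path $env:SystemRoot 'System32'

# Rights that let a principal drop or replace a file in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
# Principals that effectively mean "any local user".
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# 1. Find every service whose binary is winvnc.exe and the directory it runs from.
$services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'winvnc\.exe' }
if (-not $services) { Write-Warning 'No service running winvnc.exe found.'; return }

foreach ($svc in $services) {
    # PathName may be quoted and carry arguments, e.g. "C:\...\winvnc.exe" -service
    if ($svc.PathName -match '^"?([^"]+?\.exe)"?') { $exePath = $Matches[1] } else { continue }
    $appDir = Split-Path -Parent $exePath
    Write-Host "Service '$($svc.Name)' runs $exePath as $($svc.StartName) (state: $($svc.State))"

    # 2. A DLL in the application directory that shares its name with a System32 DLL
    #    is loaded in preference to the system copy under the default search order.
    Get-ChildItem -Path $appDir -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $System32 $_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            Write-Warning "Shadowing DLL: $($_.FullName) (signature: $($sig.Status))"
        }

    # 3. Planting version.dll requires write access to the application directory.
    #    Report Allow ACEs that grant write-class rights to broad principals.
    (Get-Acl -Path $appDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        } |
        ForEach-Object {
            Write-Warning "$($_.IdentityReference.Value) has '$($_.FileSystemRights)' on $appDir"
        }
}
```

Under Sysmon, the hijack itself surfaces as an Event ID 7 (image loaded) record in which winvnc.exe loads version.dll from a path outside System32. The developer-side fix is to load system DLLs with LoadLibraryEx and LOAD_LIBRARY_SEARCH_SYSTEM32, or to call SetDefaultDllDirectories at process start so the application directory is dropped from the search order.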