| Title | UltraVNC 1.6.4.0 Uncontrolled Search Path |
|---|---|
| Description | UltraVNC version x.x.x.x (32-bit/x86) fails to securely load the system DLL "cryptbase.dll" by using a relative path or relying on the default Windows DLL search order without mitigation. This allows an attacker with local access to place a malicious cryptbase.dll in a directory that precedes the legitimate System32 path in the search order (such as the application's installation directory, current working directory, or a user-writable location alongside the UltraVNC service executable). When the vulnerable UltraVNC service (winvnc.exe) loads cryptbase.dll, the malicious DLL is executed in the context of the service process. If the service runs with elevated privileges (SYSTEM or high-integrity, common for VNC servers installed as a service), this results in arbitrary code execution with SYSTEM privileges, enabling actions such as establishing a reverse shell to the attacker's machine, installing persistence mechanisms, or performing further privilege escalation and lateral movement. |
| Source | ⚠️ https://drive.google.com/file/d/14ixv_1i4D2VrZWyl4RKsvFcN1AMF_qNx/view |
| User | haehanse (UID 95883) |
| Submission | 2026-02-25 10:28 (1 month ago) |
| Moderation | 2026-03-08 08:11 (11 days later) |
| Status | Accepted |
| VulDB entry | 349754 [UltraVNC 1.6.4.0 on Windows Windows Service cryptbase.dll privilege escalation] |
| Points | 20 |