Datto Remote Monitoring and Management Local Privilege Escalation
Datto Remote Monitoring and Management uses UltraVNC to provide a remote takeover functionality. This functionality can be used locally to hijack desktop session of users.
Datto Remote Monitoring and Management UltraVNC service is configured to listen on localhost only. However any local user can initiate the connection. The VNC connection default password is "password".
A malicious local user can hijack the desktop session of the other user logged on the same machine. The victim can be logged in either locally or via the Datto RMM "Remote Takeover (VNC)" option.
The attacker is able to execute code with the privileges of the victim user.
The following vulnerabilities contribute to the privilege escalation:
1. CWE-732: Incorrect Permission Assignment for Critical Resource
Datto Remote Monitoring and Management fails to restrict access to the ultravnc.ini and Gui.exe.config files. Any local user is able to access these files and determine the VNC password in use.
2. CWE-16: Default VNC credentials
Datto Remote Monitoring and Management agent by default uses VNC password "password" to access the VNC server. While it is possible to change this password, this does not prevent non-privileged users from discovering the currently used password.
The discovered vulnerability, enables the attack described here in brief.
1. The attacker creates a payload that identifies when the administrator user has logged in to the system. Once this condition is identified the payload initiates a VNC connection to localhost to perform malicious actions, such as dropping a powershell script and executing it with the privileges of the logged in user.
2. The attacker prompts the administrator user to log in. This can be achieved by using social engineering or other methods such as filing a support ticket.
3. Once the Adminitrator logs on, the malicious payload described in step 1 activates and performs actions as the administrator user, completing the attack.
In this scenario there are two local users: the regular (unprivileged) user and a local administrator user. The attacker (the regular unprivileged user) performs the following steps:
- Download vncsnapshot-1.2a-win32.zip from https://sourceforge.net/projects/vncsnapshot/files/vncsnapshot/1.2a/vncsnapshot-1_2a-win32.zip/download
- Extract the vncsnapshot-1.2a-win32.zip archive to “Downloads\vncsnapshot-1.2a”
- In a command prompt “cd Downloads\vncsnapshot-1.2a”
- Execute vncpasswd pass.bin
- Enter “password” twice (without quotes)
- Open notepad and create a file with:
vncsnapshot.exe -passwd pass.bin 127.0.0.1 pwned.jpg
- Save the file as C:\Users\yourusername\Desktop\poc.bat
- Open “Task Scheduler”
- Select “Create Task...”
- Give the task a name, for example “vnc poc”
- In “Triggers” tab, select “New…”
- On “Advanced settings” select “Repeat task every:” and select “5 minutes” and “Indefinitely”
- Click “Ok”
- In “Actions” tab click “New…”
- “Browse…” and select the “C:\Users\yourusername\Desktop\poc.bat”
- Click “Ok”
- In “Conditions” tab unselect “Start the task only if the computer is on AC power”
- Click “Ok”
- Enter current user password if/when prompted
The proof of concept exploit has been set up now. Next:
- Switch user and log on as admin user
- Wait for 6 minutes on the admin desktop
- Switch back to the low privileged user
- Check C:\Users\yourusername\Downloads\vncsnapshot-1.2a\pwned.jpg for a screenshot of the admin’s desktop.
It should be noted that this PoC is a bit off with the timing: You might get a screenshot of the user’s own desktop if you’re unlucky. This is a restriction of this PoC alone, a real attack would use alternate exploitation methods. Note that the exploit could perform any action as the administrator user over the VNC. These actions would need to be scripted to perform operations over the emulated keyboard and mouse, such as opening the cmd.exe or powershell.exe to inject malicious scripts / commands. A simpler exploit would be to add a new local admin user that the attacker could then use once successfully created.