Product | Datto Remote Monitoring and Management |
Severity | Medium |
CVE Reference | |
Type | Incorrect Permission Assignment for Critical Resource, Default credentials |
Datto Remote Monitoring and Management uses UltraVNC to provide a remote takeover functionality. This functionality can be used locally to hijack desktop session of users.
Datto Remote Monitoring and Management UltraVNC service is configured to listen on localhost only. However any local user can initiate the connection. The VNC connection default password is "password".
A malicious local user can hijack the desktop session of the other user logged on the same machine. The victim can be logged in either locally or via the Datto RMM "Remote Takeover (VNC)" option.
The attacker is able to execute code with the privileges of the victim user.
The following vulnerabilities contribute to the privilege escalation:
1. CWE-732: Incorrect Permission Assignment for Critical Resource
Datto Remote Monitoring and Management fails to restrict access to the ultravnc.ini and Gui.exe.config files. Any local user is able to access these files and determine the VNC password in use.
2. CWE-16: Default VNC credentials
Datto Remote Monitoring and Management agent by default uses VNC password "password" to access the VNC server. While it is possible to change this password, this does not prevent non-privileged users from discovering the currently used password.
The discovered vulnerability, enables the attack described here in brief.
1. The attacker creates a payload that identifies when the administrator user has logged in to the system. Once this condition is identified the payload initiates a VNC connection to localhost to perform malicious actions, such as dropping a powershell script and executing it with the privileges of the logged in user.
2. The attacker prompts the administrator user to log in. This can be achieved by using social engineering or other methods such as filing a support ticket.
3. Once the Adminitrator logs on, the malicious payload described in step 1 activates and performs actions as the administrator user, completing the attack.
@echo off
cd “C:\Users\yourusername\Downloads\vncsnapshot-1.2a”
vncsnapshot.exe -passwd pass.bin 127.0.0.1 pwned.jpg
It should be noted that this PoC is a bit off with the timing: You might get a screenshot of the user’s own desktop if you’re unlucky. This is a restriction of this PoC alone, a real attack would use alternate exploitation methods. Note that the exploit could perform any action as the administrator user over the VNC. These actions would need to be scripted to perform operations over the emulated keyboard and mouse, such as opening the cmd.exe or powershell.exe to inject malicious scripts / commands. A simpler exploit would be to add a new local admin user that the attacker could then use once successfully created.
Upgrade to the Datto Remote Monitoring and Management version 9.2.0 or later and opt to not use VNC in the environment.
If no upgrade is possible for some reason you can try disabling the "uvnc_service" manually as a mitigation.
A somewhat similar vulnerability was reported to Datto earlier by Michael Jones / Inevat.
22/12/2020 | Discovered the vulnerability |
23/12/2020 | Wrote the first draft of this advisory |
24/12/2020 | Reported the vulnerability via Datto's VDP |
28/12/2020 | Datto indicated that the issue was already previously reported. Requested details about expected disclosure date |
01/02/2021 | Datto RRM 9.1.0 release with "Remove Datto RMM UltraVNC Service Monitor": "Monitor to disable Datto RMM's VNC implementation for those who prefer not to use it. Presented as an option." |
17/2/2021 | Datto RRM 9.2.0 announced with "VNC management settings": "We have added the ability to control whether VNC is installed on Datto RMM devices. This can be controlled in Account Settings or on a per-site basis, providing flexibility when VNC is not desired in certain client environments." |
26/2/2021 | Again requested details of the coordinated disclosure timeline and CVE assignment |
8/3/2021 | Provided a proof of concept exploit to Datto as requested |
10/3/2021 | Datto confirmed the vulnerability with CVSS score 7.3 (High) |
17/5/2021 | Public disclosure |