Datto Remote Monitoring and Management Local Privilege Escalation

Product Datto Remote Monitoring and Management
Severity Medium
CVE Reference
Type Incorrect Permission Assignment for Critical Resource, Default credentials

Description

Datto Remote Monitoring and Management uses UltraVNC to provide a remote takeover functionality. This functionality can be used locally to hijack desktop session of users.

Datto Remote Monitoring and Management UltraVNC service is configured to listen on localhost only. However any local user can initiate the connection. The VNC connection default password is "password".

A malicious local user can hijack the desktop session of the other user logged on the same machine. The victim can be logged in either locally or via the Datto RMM "Remote Takeover (VNC)" option.

The attacker is able to execute code with the privileges of the victim user.

Technical Details

The following vulnerabilities contribute to the privilege escalation:

1. CWE-732: Incorrect Permission Assignment for Critical Resource

Datto Remote Monitoring and Management fails to restrict access to the ultravnc.ini and Gui.exe.config files. Any local user is able to access these files and determine the VNC password in use.

2. CWE-16: Default VNC credentials

Datto Remote Monitoring and Management agent by default uses VNC password "password" to access the VNC server. While it is possible to change this password, this does not prevent non-privileged users from discovering the currently used password.

The discovered vulnerability, enables the attack described here in brief.

1. The attacker creates a payload that identifies when the administrator user has logged in to the system. Once this condition is identified the payload initiates a VNC connection to localhost to perform malicious actions, such as dropping a powershell script and executing it with the privileges of the logged in user.

2. The attacker prompts the administrator user to log in. This can be achieved by using social engineering or other methods such as filing a support ticket.

3. Once the Adminitrator logs on, the malicious payload described in step 1 activates and performs actions as the administrator user, completing the attack.

Exploitation steps

In this scenario there are two local users: the regular (unprivileged) user and a local administrator user. The attacker (the regular unprivileged user) performs the following steps:
  1. Download vncsnapshot-1.2a-win32.zip from https://sourceforge.net/projects/vncsnapshot/files/vncsnapshot/1.2a/vncsnapshot-1_2a-win32.zip/download
  2. Extract the vncsnapshot-1.2a-win32.zip archive to “Downloads\vncsnapshot-1.2a”
  3. In a command prompt “cd Downloads\vncsnapshot-1.2a”
  4. Execute vncpasswd pass.bin
  5. Enter “password” twice (without quotes)
  6. Open notepad and create a file with:
@echo off
cd “C:\Users\yourusername\Downloads\vncsnapshot-1.2a”
vncsnapshot.exe -passwd pass.bin 127.0.0.1 pwned.jpg
  1. Save the file as C:\Users\yourusername\Desktop\poc.bat
  2. Open “Task Scheduler”
  3. Select “Create Task...”
  4. Give the task a name, for example “vnc poc”
  5. In “Triggers” tab, select “New…”
  6. On “Advanced settings” select “Repeat task every:” and select “5 minutes” and “Indefinitely”
  7. Click “Ok”
  8. In “Actions” tab click “New…”
  9. “Browse…” and select the “C:\Users\yourusername\Desktop\poc.bat”
  10. Click “Ok”
  11. In “Conditions” tab unselect “Start the task only if the computer is on AC power”
  12. Click “Ok”
  13. Enter current user password if/when prompted
The proof of concept exploit has been set up now. Next:
  1. Switch user and log on as admin user
  2. Wait for 6 minutes on the admin desktop
  3. Switch back to the low privileged user
  4. Check C:\Users\yourusername\Downloads\vncsnapshot-1.2a\pwned.jpg for a screenshot of the admin’s desktop.

It should be noted that this PoC is a bit off with the timing: You might get a screenshot of the user’s own desktop if you’re unlucky. This is a restriction of this PoC alone, a real attack would use alternate exploitation methods. Note that the exploit could perform any action as the administrator user over the VNC. These actions would need to be scripted to perform operations over the emulated keyboard and mouse, such as opening the cmd.exe or powershell.exe to inject malicious scripts / commands. A simpler exploit would be to add a new local admin user that the attacker could then use once successfully created. 

Remedial Action

Upgrade to the Datto Remote Monitoring and Management version 9.2.0 or later and opt to not use VNC in the environment.

If no upgrade is possible for some reason you can try disabling the "uvnc_service" manually as a mitigation.

Acknowledgements

A somewhat similar vulnerability was reported to Datto earlier by Michael Jones / Inevat.

Timeline

22/12/2020 Discovered the vulnerability
23/12/2020 Wrote the first draft of this advisory
24/12/2020 Reported the vulnerability via Datto's VDP
28/12/2020 Datto indicated that the issue was already previously reported. Requested details about expected disclosure date
01/02/2021 Datto RRM 9.1.0 release with "Remove Datto RMM UltraVNC Service Monitor": "Monitor to disable Datto RMM's VNC implementation for those who prefer not to use it. Presented as an option."
17/2/2021 Datto RRM 9.2.0 announced with "VNC management settings": "We have added the ability to control whether VNC is installed on Datto RMM devices. This can be controlled in Account Settings or on a per-site basis, providing flexibility when VNC is not desired in certain client environments."
26/2/2021 Again requested details of the coordinated disclosure timeline and CVE
assignment
8/3/2021 Provided a proof of concept exploit to Datto as requested
10/3/2021 Datto confirmed the vulnerability with CVSS score 7.3 (High)
17/5/2021 Public disclosure