SonicWall NetExtender 10.2.0.300 Unquoted Service Path

SonicWall NetExtender 10.2.0.300 Unquoted Service Path: Posted Aug 17, 2021; Authored by shinnai; SonicWall NetExtender version 10.2.0.300 suffers from an unquoted service path vulnerability.; tags | exploit; advisories | CVE-2020-5147; SHA-256 | ec168adb408da09adcb5e7862e076b884d3773957bfa67dd254e524ff4dff3ce; Download | Favorite | View

SonicWall NetExtender 10.2.0.300 Unquoted Service Path

# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender windows client unquoted service path 
vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: 
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html

Desc.:
SonicWall NetExtender Windows client vulnerable to unquoted service path 
vulnerability, this allows a local attacker to gain elevated privileges 
in the host operating system.
This vulnerability impact SonicWall NetExtender Windows client version 
10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
         TIPO                      : 10  WIN32_OWN_PROCESS
         TIPO_AVVIO                : 2   AUTO_START
         CONTROLLO_ERRORE          : 1   NORMAL
         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe <-- Unquoted 
Service Path Vulnerability
         GRUPPO_ORDINE_CARICAMENTO :
         TAG                       : 0
         NOME_VISUALIZZATO         : SonicWall Client Protection Service
         DIPENDENZE                :
         SERVICE_START_NAME : LocalSystem
C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i 
"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service                              
sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe      Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

SonicWall NetExtender 10.2.0.300 Unquoted Service Path

SonicWall NetExtender 10.2.0.300 Unquoted Service Path

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SonicWall NetExtender 10.2.0.300 Unquoted Service Path

Share This

SonicWall NetExtender 10.2.0.300 Unquoted Service Path

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems