Lucene search

Shinnai1337DAY-ID-36653

HistoryAug 17, 2021 - 12:00 a.m.

SonicWall NetExtender 10.2.0.300 - Unquoted Service Path Vulnerability

2021-08-1700:00:00

shinnai

0day.today

sonicwall

netextender

windows client

unquoted service path

vulnerability

elevated privileges

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

24.1%

JSON

# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender windows client unquoted service path 
vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: 
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html

Desc.:
SonicWall NetExtender Windows client vulnerable to unquoted service path 
vulnerability, this allows a local attacker to gain elevated privileges 
in the host operating system.
This vulnerability impact SonicWall NetExtender Windows client version 
10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
         TIPO                      : 10  WIN32_OWN_PROCESS
         TIPO_AVVIO                : 2   AUTO_START
         CONTROLLO_ERRORE          : 1   NORMAL
         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe <-- Unquoted 
Service Path Vulnerability
         GRUPPO_ORDINE_CARICAMENTO :
         TAG                       : 0
         NOME_VISUALIZZATO         : SonicWall Client Protection Service
         DIPENDENZE                :
         SERVICE_START_NAME : LocalSystem
C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i 
"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service                              
sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe      Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

24.1%

JSON

Related for 1337DAY-ID-36653