---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender Windows client unquoted service path vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
Desc.:
The SonicWall NetExtender Windows client is vulnerable to an unquoted service path vulnerability, which allows a local attacker to gain elevated privileges in the host operating system.
This vulnerability impacts SonicWall NetExtender Windows client version 10.2.300 and earlier.
PoC:
C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : SonicWall Client Protection Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service sonicwall_client_protection_svc C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe Auto
C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
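The wmic/findstr filter above lists every auto-start service outside C:\Windows whose path contains no quote character at all. The following added example (not part of the original advisory or any SonicWall code) narrows that to services whose executable path itself is unquoted and contains a space, and prints the quoted value each one should have. The function names, the ".exe" split heuristic and all sample entries except the first are assumptions of this example.

```python
import re

# End of the executable in an unquoted command line: first ".exe" followed by
# whitespace or end of string (heuristic; an assumption of this example).
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service binary path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # unbalanced quote: keep the rest as the path
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_END.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False                    # no ".exe": judge the whole string conservatively

def is_unquoted_with_spaces(image_path):
    """True only when the executable path itself is unquoted and contains a space."""
    exe, _args, quoted = split_image_path(image_path)
    return not quoted and " " in exe

def quoted_form(image_path):
    """Corrected value: executable wrapped in double quotes, arguments preserved."""
    exe, args, _quoted = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """services: iterable of (name, binary_path, account). Returns a list of findings."""
    return [
        {"service": name, "account": account, "current": path, "fix": quoted_form(path)}
        for name, path, account in services
        if is_unquoted_with_spaces(path)
    ]

# First entry is the service shown in the PoC; the others are constructed samples.
SAMPLE_SERVICES = [
    ("sonicwall_client_protection_svc",
     r"C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe",
     "LocalSystem"),
    ("example_quoted", r'"C:\Program Files\Example\agent.exe" --service', "LocalSystem"),
    ("example_args_only", r"C:\Tools\svc.exe -config C:\My Data\cfg.ini", "LocalService"),
    ("example_with_args", r"C:\Program Files\Example\updater.exe /svc", "LocalSystem"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f['service']} ({f['account']}): {f['current']}  ->  {f['fix']}")
```

The "fix" value is the form the service's binary path should take; a path that is already quoted, or whose only spaces are in its arguments, is not reported.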