---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender windows client unquoted service path vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

Desc.:
SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system.
This vulnerability impact SonicWall NetExtender Windows client version 10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: sonicwall_client_protection_svc
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : SonicWall Client Protection Service
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem

C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service                              sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe      Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------