
SonicWall NetExtender 10.2.0.300 Unquoted Service Path

17 Aug 2021 00:00:00 | Reported by shinnai | Type: packetstorm | Source: packetstormsecurity.com | 226 views

An unquoted service path vulnerability in SonicWall NetExtender 10.2.0.300 allows a local attacker to gain elevated privileges.

Related

| Reporter | Title | Published | Views | Family |
|---|---|---|---|---|
| 0day.today | SonicWall NetExtender 10.2.0.300 - Unquoted Service Path Vulnerability | 17 Aug 2021 00:00 | - | zdt |
| Circl | CVE-2020-5147 | 9 Jan 2021 07:42 | - | circl |
| CNNVD | Sonicwall SonicWall NetExtender Windows client Code Issue Vulnerability | 8 Jan 2021 00:00 | - | cnnvd |
| CVE | CVE-2020-5147 | 9 Jan 2021 00:15 | - | cve |
| Cvelist | CVE-2020-5147 | 9 Jan 2021 00:15 | - | cvelist |
| Exploit DB | SonicWall NetExtender 10.2.0.300 - Unquoted Service Path | 17 Aug 2021 00:00 | - | exploitdb |
| EUVD | EUVD-2020-26394 | 7 Oct 2025 00:30 | - | euvd |
| NVD | CVE-2020-5147 | 9 Jan 2021 01:15 | - | nvd |
| OSV | CVE-2020-5147 | 9 Jan 2021 01:15 | - | osv |
| Prion | Design/Logic Flaw | 9 Jan 2021 01:15 | - | prion |

`# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path  
# Exploit Author: shinnai  
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/  
# Version: 10.2.0.300  
# Tested On: Windows  
# CVE: CVE-2020-5147  
  
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
Title: SonicWall NetExtender Windows client unquoted service path vulnerability  
Vers.: 10.2.0.300  
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/  
  
Advisory:   
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023  
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)  
  
URLs:  
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/  
https://shinnai.altervista.org/exploits/SH-029-20210109.html  
  
Desc.:  
The SonicWall NetExtender Windows client is vulnerable to an unquoted service  
path vulnerability, which allows a local attacker to gain elevated privileges  
in the host operating system.  
This vulnerability impacts SonicWall NetExtender Windows client version  
10.2.300 and earlier.  
  
Poc:  
  
C:\>sc qc sonicwall_client_protection_svc  
[SC] QueryServiceConfig OPERAZIONI RIUSCITE  
NOME_SERVIZIO: sonicwall_client_protection_svc  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_AVVIO : 2 AUTO_START  
CONTROLLO_ERRORE : 1 NORMAL  
NOME_PERCORSO_BINARIO : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability  
GRUPPO_ORDINE_CARICAMENTO :  
TAG : 0  
NOME_VISUALIZZATO : SonicWall Client Protection Service  
DIPENDENZE :  
SERVICE_START_NAME : LocalSystem  
C:\>  
  
----------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  
SonicWall Client Protection Service sonicwall_client_protection_svc C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe Auto  
  
C:\>  
----------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
`
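An offline audit of exported service binary paths, as an added example that is not part of the original advisory: it flags paths whose executable part is unquoted and contains a space, and shows the quoted form an auditor would expect to see. The function names and every sample entry except the SonicWall path are assumptions constructed for illustration; the check assumes the executable ends in `.exe`.

```python
import re

# Leading executable of an unquoted binary path: shortest prefix ending in
# ".exe" that is followed by whitespace or end of string; the rest is arguments.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return (flagged, quoted_form) for one service binary path."""
    value = image_path.strip()
    if value.startswith('"'):
        return False, value          # executable part is already quoted
    m = _EXE.match(value)
    if not m:
        return False, value          # no .exe found (e.g. driver paths); not judged
    exe, args = m.groups()
    if " " not in exe:
        return False, value          # no space, so no ambiguous parse
    return True, f'"{exe}"{args}'    # quote only the executable, keep arguments


def audit(services):
    """services: {service name: binary path}. Returns flagged (name, path, fix)."""
    findings = []
    for name, path in sorted(services.items()):
        flagged, fix = audit_image_path(path)
        if flagged:
            findings.append((name, path, fix))
    return findings


# Constructed inventory. Only the first entry comes from the advisory output.
SAMPLE = {
    "sonicwall_client_protection_svc":
        r"C:\Program Files\SonicWall\Client Protection Service"
        r"\SonicWallClientProtectionService.exe",
    "example_quoted_svc": r'"C:\Program Files\Example\svc.exe" --run',
    "example_args_svc": r'C:\Program Files\Example\agent.exe --config "C:\cfg\a.ini"',
    "example_system_svc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, path, fix in audit(SAMPLE):
        print(f"{name}\n  current: {path}\n  quoted:  {fix}")
```

The constructed `example_args_svc` entry is flagged here even though its line contains a double quote, which the `findstr /i /v """` filter in the advisory's one-liner would have excluded.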
