
TheHackerWorld Official

SonicWall NetExtender 10.2.0.300 - Unquoted Service Path

# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
# Exploit Author: shinnai
# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
# Version: 10.2.0.300
# Tested On: Windows
# CVE: CVE-2020-5147

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Title: SonicWall NetExtender Windows client unquoted service path vulnerability
Vers.: 10.2.0.300
Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/

Advisory: 
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)

URLs:
https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
https://shinnai.altervista.org/exploits/SH-029-20210109.html

Desc.:
The SonicWall NetExtender Windows client is vulnerable to an unquoted 
service path vulnerability, which allows a local attacker to gain 
elevated privileges in the host operating system.
This vulnerability impacts SonicWall NetExtender Windows client version 
10.2.300 and earlier.

Poc:

C:\>sc qc sonicwall_client_protection_svc
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: sonicwall_client_protection_svc
         TIPO                      : 10  WIN32_OWN_PROCESS
         TIPO_AVVIO                : 2   AUTO_START
         CONTROLLO_ERRORE          : 1   NORMAL
         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe <-- Unquoted Service Path Vulnerability
         GRUPPO_ORDINE_CARICAMENTO :
         TAG                       : 0
         NOME_VISUALIZZATO         : SonicWall Client Protection Service
         DIPENDENZE                :
         SERVICE_START_NAME : LocalSystem
C:\>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SonicWall Client Protection Service  sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe  Auto

C:\>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
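
The check performed by the wmic/findstr filter above, as an added example that is not part of the original advisory: it flags a service binary path only when the executable portion itself is unquoted and contains a space, and returns the quoted form an administrator would set. The function names, the extension heuristic and all sample entries except the SonicWall path are assumptions made for this illustration.

```python
import re

# Constructed (service name, binary path) pairs. Only the first path is from
# the advisory; the other three are made-up controls.
SAMPLE_SERVICES = [
    ("sonicwall_client_protection_svc",
     r"C:\Program Files\SonicWall\Client Protection Service"
     r"\SonicWallClientProtectionService.exe"),
    ("quoted_svc", r'"C:\Program Files\Example\svc.exe" --run'),
    ("svchost_like", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("space_in_args_only", r"C:\Tools\agent.exe --config C:\My Data\a.ini"),
]

# Heuristic (assumption): the executable ends at the first .exe/.com/.bat/.cmd
# that is followed by whitespace or the end of the string.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_binary_path(binary_path):
    """Return (executable, arguments, was_quoted) for a service binary path."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:                  # unbalanced quote: treat the rest as the path
            return p[1:], "", True
        return p[1:end], p[end + 1:].strip(), True
    m = _EXE_END.search(p)
    if m is None:                      # no known extension, e.g. a driver path
        return p, "", False
    return p[:m.end()], p[m.end():].strip(), False

def is_unquoted_with_space(binary_path):
    """True when the executable path is unquoted and contains a space."""
    exe, _args, quoted = split_binary_path(binary_path)
    return not quoted and " " in exe

def quoted_form(binary_path):
    """Return the binary path with the executable wrapped in double quotes."""
    exe, args, _quoted = split_binary_path(binary_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """Return (name, quoted_form) for every service that needs quoting."""
    return [(n, quoted_form(p)) for n, p in services if is_unquoted_with_space(p)]

if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES):
        print(f"{name}: unquoted path with spaces; quoted form: {fixed}")
```

Unlike the findstr filter, this does not skip services under C:\Windows or those that are not auto-start, and it ignores spaces that appear only in the arguments.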
            
