
CVE-2022-23909 PoC — Gimmal Sherpa Connector Service Code Issue Vulnerability

Source
Associated Vulnerability
Title: Gimmal Sherpa Connector Service Code Issue Vulnerability (CVE-2022-23909)
Description: Gimmal Sherpa Connector Service is a connector service from the US company Gimmal. Sherpa Connector Service version 2020.2.20328.2050 contains a security vulnerability caused by an unquoted service path. A local attacker can exploit it to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.
Description
Unquoted Service Path privilege escalation vulnerability in Sherpa Connector Service. 
Readme
# CVE-2022-23909

### Description:

On Windows, the Sherpa Connector Service version 2020.2.20328.2050 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. On a poorly configured system, where a low-privileged user can write to the "Sherpa Software" or "Sherpa Connector" directory, that user could use it to elevate their privileges to LocalSystem.

### Steps to discover the unquoted service path:

![image](https://user-images.githubusercontent.com/33160392/162021730-2431040c-cb96-4a6b-8c22-95383b2110e0.png)

```
C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Sherpa Connector Service    Sherpa Connector Service    C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe    Auto
```

![image](https://user-images.githubusercontent.com/33160392/162021773-d4aa4421-529e-40ce-860d-89f91b53a799.png)

```
C:\>sc qc "Sherpa Connector Service"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sherpa Connector Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sherpa Connector Service
        DEPENDENCIES       : wmiApSrv
        SERVICE_START_NAME : LocalSystem
```
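As an added example (not part of the original PoC), a small Python checker that applies the same test the findstr chain above approximates to `sc qc` output, lists the directories whose ACLs must be audited because the service control manager would search them for a shortened executable name, and builds the `sc config` command that re-registers the service with a quoted path. The sample output embedded below is the README's own, abridged.

```python
import re

# Constructed sample: the `sc qc` output from the README above, abridged.
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Sherpa Connector Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe
        DISPLAY_NAME       : Sherpa Connector Service
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map each 'FIELD : value' line of `sc qc` output to a dict entry."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def executable_part(binary_path):
    """Image path without service arguments (up to the first '.exe')."""
    m = re.match(r"\s*(.*?\.exe)(?=\s|$)", binary_path, re.IGNORECASE)
    return m.group(1) if m else binary_path.strip()

def is_unquoted_service_path(binary_path):
    """The condition the README's findstr chain approximates: not quoted, has a space."""
    p = binary_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def audit_directories(binary_path):
    r"""Directories the SCM would search for a shortened executable name
    (C:\Program.exe, C:\Program Files\Sherpa.exe, ...); each must deny
    standard users write/create access, or the unquoted path is exploitable."""
    exe = executable_part(binary_path)
    dirs = [exe[:i].rsplit("\\", 1)[0] + "\\" for i, c in enumerate(exe) if c == " "]
    return list(dict.fromkeys(dirs))

def remediation_command(service_name, binary_path):
    """`sc config` line that re-registers the service with a quoted image path."""
    return 'sc config "%s" binPath= "\\"%s\\""' % (service_name, binary_path.strip())

def check_service(sc_text):
    """Assess one service's `sc qc` output; returns findings and the fix."""
    cfg = parse_sc_qc(sc_text)
    path = cfg.get("BINARY_PATH_NAME", "")
    bad = is_unquoted_service_path(path)
    return {"service": cfg.get("SERVICE_NAME"), "runs_as": cfg.get("SERVICE_START_NAME"),
            "unquoted": bad, "audit_dirs": audit_directories(path) if bad else [],
            "fix": remediation_command(cfg["SERVICE_NAME"], path) if bad else None}
```

Feed it the output of `sc qc` for each service from `wmic service get name` and act on every entry where `unquoted` is true; the Windows-directory exclusion from the findstr chain is deliberately not applied, since a space in any unquoted path warrants an ACL check.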

#### Discovered by: 
- Manthan Chhabra (@netsectuna)
- Harshit (@fumenoid)
File Snapshot

```
/data/pocs/dc0b319da339ed10438d780db8f1dfd608bcd737
└── README.md

0 directories, 1 file
```