netsectuna / CVE-2022-23909

Unquoted Service Path privilege escalation vulnerability in Sherpa Connector Service.


CVE-2022-23909

Description:

On Windows, Sherpa Connector Service version 2020.2.20328.2050 contains an unquoted service path vulnerability that allows locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. On a poorly configured system, where a low-privileged user can write to the "Sherpa Software" or "Sherpa Connector" directory, that user could use the flaw to elevate their privileges to LocalSystem.

Steps to discover the unquoted service path (the `sc qc` output below also confirms the two conditions that make it matter: the service starts automatically and runs as LocalSystem):


```
C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" | findstr /i /v "c:\windows\" | findstr /i /v """

Sherpa Connector Service  Sherpa Connector Service  C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe  Auto
```


```
C:\>sc qc "Sherpa Connector Service"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sherpa Connector Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sherpa Connector Service
        DEPENDENCIES       : wmiApSrv
        SERVICE_START_NAME : LocalSystem
```
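The manual checks above can be turned into a repeatable audit. The PowerShell below is an added example, not part of this advisory or of Sherpa's software: it reads the service's raw ImagePath from the registry (Get-Service hides the quoting), lists the directories that an unquoted, space-containing path exposes together with the principals allowed to write there, and prints the quoting fix. Only the service name comes from the advisory; the registry location and ACL heuristic are assumptions, and the script expects an elevated session on the host being checked.

```powershell
# Added audit example (not from the advisory). Assumes an elevated PowerShell
# session on the host under review. Default service name is the one from the
# advisory; any other name you pass is your own placeholder.
param([string]$ServiceName = 'Sherpa Connector Service')

# Read the raw ImagePath: this is where the missing quotes are visible.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$imagePath = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath

if ($imagePath.StartsWith('"')) {
    Write-Output "OK: '$ServiceName' has a quoted binary path: $imagePath"
    return
}

# Drop any arguments after the executable so only the path is analysed.
$exePath = ($imagePath -split '\.exe', 2)[0] + '.exe'
if ($exePath -notmatch ' ') {
    Write-Output "OK: unquoted but contains no spaces: $exePath"
    return
}

# Every space in an unquoted path is a point where the Service Control Manager
# tries a shorter name first (C:\Program.exe before C:\Program Files\...).
# Report the directory each shorter candidate lives in and who may write there;
# a non-admin principal in that list is the misconfiguration the advisory warns about.
$parts = $exePath -split ' '
for ($i = 1; $i -lt $parts.Count; $i++) {
    $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
    $dir = Split-Path -Parent $candidate
    $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
    # Heuristic: any Allow ACE carrying a write-class right counts (assumption).
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|WriteData') } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    Write-Output "Candidate $candidate -> directory '$dir' writable by: $($writers -join ', ')"
}

# Remediation: quote the path so the SCM resolves only the intended executable.
Write-Output "Fix: sc.exe config `"$ServiceName`" binPath= `"\`"$exePath\`"`""
```

Run it against every auto-start service (loop over `Get-Service` names) to catch the same defect in other products; the quoting fix must be re-applied after a vendor update that rewrites the service entry.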

Discovered by:

  • Manthan Chhabra (@netsectuna)
  • Harshit (@fumenoid)
