SonarQube Unquoted Service Path Vulnerability in Windows

A vulnerability exists in SonarQube version 8.3.1 due to an unquoted service path in the SonarQube service. This flaw allows local attackers to gain SYSTEM privileges by manipulating the service executable path. Exploitation involves replacing the 'wrapper.exe' in the service path with a malicious executable, which can then be executed with elevated privileges during a service restart.

Impact

Exploitation of this vulnerability allows for unauthorized code execution with SYSTEM privileges.

Reproduction

The vulnerability can be reproduced by first verifying the unquoted service path vulnerability using the Windows Management Instrumentation Command-line (WMIC) to check for services that are set to auto-start and have paths not enclosed in quotes. Once the vulnerable service is identified, the service permissions can be checked to confirm it runs with SYSTEM privileges. After confirming the service's vulnerability and permissions, a payload can be created using a tool like 'msfvenom' and named 'wrapper.exe'. This payload should be dropped into the directory containing the legitimate 'wrapper.exe' for the SonarQube service. Finally, the SonarQube service can be restarted, which will trigger the execution of the malicious payload. If the payload was created with 'msfvenom', it can be migrated to another process to maintain access.