NCPA Windows Unquoted Service Path Enumeration

Posted: Tue Oct 10, 2023 10:11 am
by WVUhealth
Had a security finding on Windows systems about the NCPA agent having spaces in the path not double quoted.
Requesting the installer use double quotes when it sets the service path.
Below is the issue and resolution.

Description
Note that this is a generic test that will flag any application affected by the described vulnerability.
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace.
A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Output
Nessus found the following service with an untrusted path :
NCPA : C:\Program Files\Nagios\NCPA\ncpa.exe

Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

Instructions from https://isgovern.com/blog/how-to-fix-th ... erability/

Run the Registry Editor as an administrator
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCPA
Click on the ‘ImagePath’ line on the right side of the panel and edit the path.
"C:\Program Files\Nagios\NCPA\ncpa.exe"

Effect will be seen in the system Service NCPA, but I did a reboot to validate.

One note to add. I tried to do this via the service control sc front end in a dos box but it did not do anything.

You can query the current configuration using:
sc qc NCPA
sc config NCPA binPath= "C:\Program Files\Nagios\NCPA\ncpa.exe"

I did give NCPA a description.
sc description NCPA "Nagios Cross Platform Agent"
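
A read-only audit for the finding described in the post above, as an added example (not part of the original post and not NCPA project code). It lists services whose ImagePath is unquoted and contains whitespace, and prints the quoted value to set. The helper name Get-QuotedImagePathSuggestion and the rule that the executable portion ends at ".exe" are assumptions made for this example.

```powershell
# Added example (read-only audit): flag service ImagePath values that are
# unquoted and contain whitespace in the executable path.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-QuotedImagePathSuggestion {   # hypothetical helper name
    param([string]$ImagePath)
    $raw = $ImagePath.Trim()
    # Already quoted, or empty: nothing to report.
    if ($raw -eq '' -or $raw.StartsWith('"')) { return $null }
    # Assumption: the executable portion ends at the first ".exe" that is
    # followed by whitespace or end of string; the remainder is arguments.
    if ($raw -notmatch '^(?<exe>.+?\.exe)(?<rest>(\s.*)?)$') { return $null }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']
    # Expand %VAR% before testing, since %ProgramFiles% hides a space.
    if ([Environment]::ExpandEnvironmentVariables($exe) -notmatch '\s') { return $null }
    return '"' + $exe + '"' + $rest
}

# Constructed sample values; the first is the path from the Nessus output above.
$samples = @(
    'C:\Program Files\Nagios\NCPA\ncpa.exe',
    '"C:\Program Files\Nagios\NCPA\ncpa.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $fix = Get-QuotedImagePathSuggestion $s
    $state = if ($fix) { "FLAG -> $fix" } else { 'ok' }
    '{0,-45} {1}' -f $s, $state
}

# Audit the live registry. Raw values are read without expanding REG_EXPAND_SZ
# so the suggestion preserves any %VAR% references.
Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $raw = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $fix = Get-QuotedImagePathSuggestion ([string]$raw)
    if ($fix) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $raw
            Suggested = $fix
        }
    }
} | Format-Table -AutoSize -Wrap
```

After ImagePath has been edited, a second run should no longer list the service, and sc qc NCPA should show the quoted path.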

Re: NCPA Windows Unquoted Service Path Enumeration

Posted: Thu Oct 26, 2023 4:24 pm
by phred
Hey @WVUhealth

Thank you for bringing this to our attention. We will look into it.

Can you tell me which version of NCPA you are using?

Thanks, Phred

Re: NCPA Windows Unquoted Service Path Enumeration

Posted: Fri Oct 27, 2023 4:00 pm
by bbahn
Hello @WVUhealth,

I have taken a look at this and have made an issue and MR resolving the vulnerability.

Thank you for finding and bringing this to our attention.