NCPA Windows Unquoted Service Path Enumeration
Posted: Tue Oct 10, 2023 10:11 am
Had a security finding on Windows systems about the NCPA agent having spaces in the path not double quoted.
Requesting the installer use double quotes when it sets the service path.
Below is the issue and resolution.
Description
Note that this is a generic test that will flag any application affected by the described vulnerability.
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace.
A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.
Output
Nessus found the following service with an untrusted path :
NCPA : C:\Program Files\Nagios\NCPA\ncpa.exe
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.
Instructions from https://isgovern.com/blog/how-to-fix-th ... erability/
Run the Registry Editor as an administrator
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCPA
Click on the ‘ImagePath’ line on the right side of the panel and edit the path.
"C:\Program Files\Nagios\NCPA\ncpa.exe"
Effect will be seen in the system Service NCPA , but I did a reboot to validate.
One note to add. I tired to do this via the service control sc front end in a dos box but it did not do anything
You can query the current configuration using:
sc qc NCPA
sc config NCPA binPath= "C:\Program Files\Nagios\NCPA\ncpa.exe"
I did give NCPA a description.
sc description NCPA "Nagios Cross Platform Agent"
Requesting the installer use double quotes when it sets the service path.
Below is the issue and resolution.
Description
Note that this is a generic test that will flag any application affected by the described vulnerability.
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace.
A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.
Output
Nessus found the following service with an untrusted path :
NCPA : C:\Program Files\Nagios\NCPA\ncpa.exe
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.
Instructions from https://isgovern.com/blog/how-to-fix-th ... erability/
Run the Registry Editor as an administrator
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCPA
Click on the ‘ImagePath’ line on the right side of the panel and edit the path.
"C:\Program Files\Nagios\NCPA\ncpa.exe"
Effect will be seen in the system Service NCPA , but I did a reboot to validate.
One note to add. I tired to do this via the service control sc front end in a dos box but it did not do anything
You can query the current configuration using:
sc qc NCPA
sc config NCPA binPath= "C:\Program Files\Nagios\NCPA\ncpa.exe"
I did give NCPA a description.
sc description NCPA "Nagios Cross Platform Agent"