NCP Secure Entry Client Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

A vulnerability exists in NCP Secure Entry Client version 9.2 due to unquoted service paths in multiple Windows services. This flaw allows local users to potentially execute arbitrary code. The unquoted paths in services such as ncprwsnt, rwsrsu, ncpclcfg, and NcpSec can be exploited to inject malicious code that executes with LocalSystem privileges when the service starts.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated privileges, allowing a local user to execute arbitrary commands or applications as the LocalSystem user.

Reproduction

The vulnerability can be reproduced by creating a service with an unquoted path that includes spaces. Once the service is started, any code placed in the system root path can be executed with LocalSystem privileges. This can be verified by using the 'wmic service get name, displayname, pathname, startmode' command to identify services with unquoted paths and 'sc qc' command to check the service configuration.