NordVPN Unquoted Service Path Vulnerability in nordvpn-service Allowing Privilege Escalation

A vulnerability has been identified in NordVPN version 6.31.13.0, specifically within the nordvpn-service component. This vulnerability arises from an unquoted service path, which local attackers can exploit to execute code with elevated privileges. By taking advantage of the unquoted binary path during system startup or reboot, it is possible to run malicious code with LocalSystem permissions.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution with elevated privileges, allowing local attackers to execute malicious payloads with LocalSystem rights.

Reproduction

The vulnerability can be reproduced by creating a service with an unquoted path that includes spaces. This can be done using the Windows Service Control (sc) command. Once the service is set up, it can be exploited by placing a malicious executable in a directory that is referenced by the service path. When the system starts or reboots, the service will execute the malicious code with elevated privileges.