Nssm-2.24 Privilege Escalation

The most immediate mitigation is to upgrade to a version of NSSM that has addressed this vulnerability. Users should check for updates and ensure they are running a version of NSSM that includes patches for privilege escalation vulnerabilities.

    wmic service get name,displayname,pathname,startmode | findstr /i "nssm"

2. Checking Permissions

Understanding NSSM-2.24 Privilege Escalation: Risks, Mechanics, and Mitigation

before reaching the intended file. An attacker can place a malicious Program.exe at the root of the drive to hijack the service execution. (NSSM - the Non-Sucking Service Manager)

3. Exploitation in Ransomware Campaigns

This vector typically manifests when an application installer deploys nssm.exe to a directory but fails to restrict the permissions of that folder. (Exploit-DB: Pelco VideoXpert 1.12.105 - Local Privilege Escalation)

The attacker identifies the path hierarchy. If the service path is C:\Program Files\App\nssm.exe, they place a malicious Program.exe in the C:\ directory. They ensure their binary is executable. When the service restarts, the SCM finds Program.exe first, executes it, and grants the attacker SYSTEM privileges.
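An audit for the unquoted-path case described above, added here as an example and not taken from the original page or from NSSM: for each service PathName it lists the intermediate paths Windows would try before the intended binary. The function names and sample rows are constructed for illustration, and the argument-stripping heuristic (first ".exe" followed by whitespace) is an assumption.

```python
import re

# Constructed sample rows (service name, PathName), shaped like the output of
# `wmic service get name,pathname`; none of them come from a real host.
SAMPLE_SERVICES = [
    ("AppSvc", r"C:\Program Files\App\nssm.exe"),
    ("QuotedSvc", r'"C:\Program Files\App\nssm.exe"'),
    ("ToolSvc", r"C:\Tools\nssm.exe"),
    ("ArgSvc", r"C:\Program Files\My App\nssm.exe -k run"),
]

# Assumed heuristic: the executable ends at the first ".exe" before a space or EOL.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def image_path(pathname):
    """Return the executable part of an unquoted PathName, dropping arguments."""
    m = _EXE_END.search(pathname)
    return pathname[:m.end()] if m else pathname


def hijack_candidates(pathname):
    """Paths tried before the intended binary; empty if quoted or space-free."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []
    exe = image_path(pathname)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each at-risk service name to the candidate paths to check."""
    report = {}
    for name, pathname in services:
        found = hijack_candidates(pathname)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: quote the service path; Windows may try {paths}")
```

Any service reported here should have its path quoted in the service configuration, and the listed candidate locations should be checked for unexpected executables and for write access by standard users.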

A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service. (NSSM - the Non-Sucking Service Manager)

When administrators install NSSM, they frequently place the nssm.exe binary or the application it manages into directories with weak Access Control Lists (ACLs).

The Attack Mechanism

    icacls "C:\YourServiceFolder" /inheritance:d
    icacls "C:\YourServiceFolder" /grant:r Administrators:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F

2. Upgrade or Replace NSSM

NSSM 2.24 itself creates a service. If the binary file of the application that NSSM is managing has weak permissions (e.g., Users: Modify or Users: Full Control), a non-privileged user can replace the application executable with a payload.

NSSM is configured to run C:\Service\App.exe. The directory C:\Service\ is writable by standard users. The user replaces App.exe with a malicious executable.

While the described vulnerabilities are file-permission issues, NSSM itself has historically been used as a in advanced attacks. Security researchers and penetration testers have used NSSM to elevate privileges or maintain access after gaining an initial foothold: