Nssm-2.24 Privilege Escalation [2021]
This vector typically manifests when an application installer deploys nssm.exe to a directory but fails to restrict the permissions of that folder, leaving it writable by standard users. For a published instance of the pattern, see the Exploit-DB entry "Pelco VideoXpert 1.12.105 - Local Privilege Escalation".
In the ecosystem of Windows system administration, few tools are as beloved yet as misunderstood as the Non-Sucking Service Manager (NSSM). For years, NSSM has been the go-to solution for developers and sysadmins who need to run arbitrary executables (batch scripts, Python apps, or Node.js servers) as Windows services. Its ability to automatically restart crashed processes and its intuitive GUI have made it a staple.
If an attacker has write access to a directory involved in the service execution chain (for example, a weakly permissioned directory where nssm.exe or the wrapped application resides, or an unquoted ImagePath that contains spaces), they can plant a malicious executable. When the service is started or restarted, either the Service Control Manager (for the unquoted path) or NSSM itself (for the wrapped application) executes the planted file with the service account's privileges, which is LocalSystem unless the service was configured otherwise.
Check: Use a tool such as the PrivescCheck script to identify unquoted service paths and service directories or binaries that low-privileged users can modify.
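The two conditions described above (a writable directory in the execution chain and an unquoted ImagePath) can be checked for NSSM-wrapped services specifically with the following script. It is an added example, not code from the original article, from PrivescCheck or from the NSSM project. It assumes that NSSM stores the wrapped application's path in the registry value HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application, the value written by "nssm set <name> Application <path>".

```powershell
# Added example; not code from the original article or from the NSSM project.
# Audits every service whose ImagePath points at nssm.exe and reports the two
# conditions described above: (a) a low-privileged principal can write to the
# directory of nssm.exe or of the wrapped application, (b) the ImagePath
# contains spaces but is not quoted.
# Assumption: NSSM stores the wrapped application's path in the registry value
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application
# (the value written by "nssm set <name> Application <path>").

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing or tampering with files in a directory. Modify and
# FullControl contain these bits, so they are caught by the bitwise test below.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GENERIC_WRITE   = 0x40000000   # generic rights are not enum members but can appear in ACEs
$GENERIC_ALL     = 0x10000000

function Get-LowPrivWriters {
    # Returns the low-privileged principals that hold write-type rights on $Path.
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $writers = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $r = [int]$ace.FileSystemRights
        if (($r -band [int]$DangerousRights) -or ($r -band $GENERIC_WRITE) -or ($r -band $GENERIC_ALL)) {
            $writers += $ace.IdentityReference.Value
        }
    }
    return @($writers | Select-Object -Unique)
}

function Get-ExecutableFromCommandLine {
    # Extracts the binary the SCM is meant to launch from a service command line.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.exe)', 'IgnoreCase')   # intended binary, spaces and all
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Test-UnquotedPath {
    # True when the path is unquoted and the binary's own path contains a space.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) { return $false }
    return (Get-ExecutableFromCommandLine $cl).Contains(' ')
}

function Get-NssmServiceAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName -or $svc.PathName -notmatch '\\nssm(\.exe)?') { continue }
        $nssmExe = Get-ExecutableFromCommandLine $svc.PathName
        $params  = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        $app     = $params.Application
        $appDirWriters = @()
        if ($app) { $appDirWriters = Get-LowPrivWriters (Split-Path -Parent $app) }
        [pscustomobject]@{
            Service           = $svc.Name
            RunsAs            = $svc.StartName
            NssmPath          = $nssmExe
            NssmDirWritableBy = (Get-LowPrivWriters (Split-Path -Parent $nssmExe)) -join ', '
            Application       = $app
            AppDirWritableBy  = $appDirWriters -join ', '
            UnquotedImagePath = Test-UnquotedPath $svc.PathName
        }
    }
}

Get-NssmServiceAudit | Format-Table -AutoSize
```

Any row with a non-empty NssmDirWritableBy or AppDirWritableBy column, or with UnquotedImagePath set to True, is a service whose next restart can be made to run attacker-controlled code under the account shown in RunsAs. The script runs as a standard user, which is exactly the vantage point from which the attack is carried out.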
Securing NSSM 2.24 deployments requires adhering to the principle of least privilege and ensuring rigid access controls.
1. Enforce Strict File and Folder ACLs
Only SYSTEM and Administrators should be able to write to the directory holding nssm.exe and to the directory of the application it wraps; standard users need at most read and execute rights.
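The ACL hardening above, together with the quoting of the service path, carried out from an elevated PowerShell prompt. This is an added example, not code from the article or from the NSSM project; the service name MyApp and the directory C:\Program Files\MyApp are placeholders.

```powershell
# Added example; not from the original article or from the NSSM project.
# Locks down the directory that holds nssm.exe and the wrapped application and
# quotes the service ImagePath. $ServiceName and $ServiceDir are placeholders
# (assumptions for illustration). Run from an elevated PowerShell prompt.
$ServiceName = 'MyApp'                    # assumed service name
$ServiceDir  = 'C:\Program Files\MyApp'   # assumed folder holding nssm.exe and the app

# 1. Replace the folder's inherited ACL with an explicit, minimal one:
#    SYSTEM and Administrators get full control, Users get read/execute only,
#    so the service can run the binaries but standard users cannot replace them.
#    (OI)(CI) makes each ACE inheritable by files and sub-folders.
icacls $ServiceDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'BUILTIN\Administrators:(OI)(CI)F' `
             'BUILTIN\Users:(OI)(CI)RX'

# 2. Make everything underneath inherit that ACL, discarding any explicit ACEs
#    the installer may have left on individual files such as nssm.exe.
icacls "$ServiceDir\*" /reset /t /c /q

# 3. Quote the binary path the SCM starts. Writing ImagePath directly avoids the
#    quoting problems of passing embedded quotes to sc.exe from PowerShell; the
#    SCM reads this value at the next service start.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
Set-ItemProperty -LiteralPath $svcKey -Name ImagePath -Type ExpandString -Value "`"$ServiceDir\nssm.exe`""

# 4. Verify: no Everyone/Users write ACEs, and a quoted BINARY_PATH_NAME.
icacls $ServiceDir
sc.exe qc $ServiceName
```

If the wrapped application does not actually need SYSTEM, also change the account the service runs under (in NSSM 2.24: nssm set <service> ObjectName <account> <password>), so that even a successful binary swap would not yield SYSTEM. Re-run the audit afterwards to confirm that no low-privileged principal retains write access.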
While the 2.24 release is the version most discussed in connection with these misconfigurations, always run the latest stable version of your tools. Furthermore, monitor for suspicious service modifications and for unexpected child processes spawning from nssm.exe.
Conclusion
NSSM 2.24 is not itself the privilege boundary: it starts whatever file sits at its configured path with the service account's token. Restrictive ACLs on that path, a quoted ImagePath, and a service account with no more privilege than the application needs are what keep a low-privileged user from reaching SYSTEM.
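Two hunts for the signals named above (new NSSM-wrapped service installs, and children of nssm.exe that are not the registered application), as an added example that is not part of the original article or of the NSSM project. It assumes Sysmon is installed and logging process creation (Event ID 1) to Microsoft-Windows-Sysmon/Operational, and that NSSM keeps each wrapped application's path in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application.

```powershell
# Added example; not from the original article or from the NSSM project.
# Assumes Sysmon Event ID 1 logging and NSSM's Parameters\Application value.

function ConvertFrom-EventData {
    # Reads an event's EventData fields by name (positional indices differ
    # between Sysmon versions, so they are not used).
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-RegisteredNssmApplications {
    # The application paths that NSSM-wrapped services are supposed to launch.
    $apps = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -notmatch '\\nssm(\.exe)?') { continue }
        $p = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        if ($p.Application) { $apps += $p.Application }
    }
    return $apps
}

function Find-UnexpectedNssmChildren {
    # Processes whose parent is nssm.exe but whose image is not a registered
    # Application: what a planted binary looks like once the service restarts.
    param([int]$MaxEvents = 5000)
    $expected = Get-RegisteredNssmApplications
    $filter   = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $evt
        if ($d.ParentImage -notlike '*\nssm.exe') { continue }
        if ($expected -contains $d.Image) { continue }     # -contains is case-insensitive
        [pscustomobject]@{
            UtcTime       = $d.UtcTime
            Image         = $d.Image
            CommandLine   = $d.CommandLine
            User          = $d.User
            ParentCmdLine = $d.ParentCommandLine
        }
    }
}

function Find-NssmServiceInstalls {
    # System log 7045 (new service installed): review every service whose
    # binary path points at nssm.exe, i.e. every new NSSM-wrapped service.
    $filter = @{ LogName = 'System'; Id = 7045 }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $evt
        if ($d.ImagePath -notlike '*nssm*') { continue }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Service   = $d.ServiceName
            ImagePath = $d.ImagePath
            Account   = $d.AccountName
        }
    }
}

Find-UnexpectedNssmChildren | Format-Table -AutoSize
Find-NssmServiceInstalls    | Format-Table -AutoSize
```

Both hunts trust the registry as the source of truth: an attacker who already holds administrative rights can change the Application value, so treat them as detection for the standard-user-to-SYSTEM step rather than for post-compromise tampering by an administrator.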
Note that the weakness is not in how NSSM 2.24 is invoked. The tool does not validate the executable path and arguments it has been configured with; when the service starts, it simply launches whatever file is at that path. A phishing attack or a malicious script on a shared terminal server matters only as the way an attacker obtains a standard-user foothold; the escalation comes from the service running the planted file as SYSTEM.
Assume an attacker has gained initial access to a Windows 10 or Windows Server 2016 machine as a standard (non-administrative) user, for example via a phishing email or a vulnerable web app. From there, the attacker looks for a service execution chain with a writable directory or an unquoted path.