nssm 2.24 Privilege Escalation
nssm (the Non-Sucking Service Manager) is a legitimate tool that runs any executable as a Windows service. The wrapped program inherits the service account, which is LOCAL SYSTEM by default, so a misconfigured nssm service is a recurring local privilege escalation (LPE) vector.
Unquoted Service Paths: If the service's ImagePath contains spaces and is not enclosed in quotes, Windows cannot tell where the executable name ends and tries each space-delimited prefix in turn. For a service registered as C:\Program Files (x86)\App Name\nssm.exe it looks for C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\App.exe before reaching nssm.exe, so an attacker with write access to C:\ could place a malicious C:\Program.exe and have it started as the service account. Two caveats: the default ACL on C:\ lets standard users create folders but not files, so the exploitable location is usually a writable intermediate directory rather than the drive root; and the quoting must be verified on the installed service (sc qc <name>, or the ImagePath value under the service's registry key) rather than assumed from how the path was typed at install time.
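As an added example (not code from this page or from nssm itself), the Python below reproduces the search order Windows applies to an unquoted ImagePath, so a defender can list exactly which files an attacker would need to plant. The sc qc output is a constructed sample; on a live host it comes from sc qc <service> or the ImagePath value under the service's registry key. The function names are the example's own.

```python
import ntpath
import re

# Constructed `sc qc AppName` output from a host where the service was
# registered with an unquoted, space-containing path (sample, not real data).
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AppName
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\App Name\nssm.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : App Name
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(output: str) -> str:
    """Extract BINARY_PATH_NAME (the service ImagePath) from `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no BINARY_PATH_NAME in sc qc output")
    return m.group(1)


def search_order(image_path: str) -> list[str]:
    """Executables Windows tries, in order, when starting the service.

    A quoted path is a single token. An unquoted path is split at every
    space: each prefix is tried as an executable (with .exe appended when
    its last component has no extension) until one already ends in .exe,
    which is the intended binary; whatever follows it is arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:] if end == -1 else path[1:end]]
    order = []
    tokens = path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            order.append(prefix)  # the binary the administrator meant
            break
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        order.append(prefix)
    return order


def hijack_candidates(image_path: str) -> list[str]:
    """Paths an attacker could plant to run before the intended binary."""
    return search_order(image_path)[:-1]


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_OUTPUT)
    for candidate in hijack_candidates(path):
        print("would be tried before the real binary:", candidate)
```

Each candidate is only exploitable if the current user can create a file in its parent directory, which is what icacls on that directory has to confirm; the drive root in this sample is not writable for files under the default ACL, so C:\Program Files (x86)\App.exe is the entry to worry about when C:\Program Files (x86) has been loosened.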
Exploitation Path: nssm does not hard-code what it launches. When the service starts, nssm reads the Application, AppDirectory and AppParameters values from the service's registry key and runs that program as the service account. An attacker who can modify that key, replace the executable it names, or drop a DLL that the wrapped application loads from a writable directory therefore controls what runs as SYSTEM. No specially crafted input to nssm is involved; the weakness is in who is allowed to write the configuration and the files it references.
- nssm (Non-Sucking Service Manager) v2.24 services expose a privilege escalation vector when they are installed with weak permissions on the service configuration or on the files it references.
- nssm stores the service configuration, notably the "Application" and "AppParameters" values, in the registry under the service key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters). When the service runs as SYSTEM and an unprivileged user can write that key, the executable path or its parameters become attacker-controlled and the attacker's code runs with SYSTEM privileges.
- An attacker with local unprivileged access can escalate to SYSTEM by modifying writable registry values or files referenced by the service configuration, or by replacing the executable the service invokes, and then waiting for (or triggering) a restart of the service.
Weak Permissions: The directory holding nssm.exe or the wrapped application executable grants "Modify" or "Full Control" to "Authenticated Users" or "Everyone." Check this with icacls on the directory and on the executable itself; a Modify ACE inherited from a parent folder is as dangerous as one set directly.
Because the service runs as LOCAL SYSTEM (the default for services installed with nssm install), an executable the attacker drops into that directory, or swaps in for the real one, runs with the highest local privileges the next time the service starts.
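The registry-backed configuration described under the exploitation path above and the weak-permission check just described can be audited together. The Python below is an added example, not nssm's code or this page's: it takes the Application and AppDirectory values as printed by reg query on the service's Parameters key, then parses icacls output for the directories they point at and reports ACEs that let a low-privilege principal create or replace files there. Both command outputs are constructed samples; the set of low-privilege principals and of write-capable icacls rights are the example's own choices, and the C:\ sample deliberately carries the default ACL to show why its (AD) entry is not a finding.

```python
import ntpath
import re

# Constructed output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\AppName\Parameters
# for an nssm-wrapped service (sample data, not captured from a real host).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppName\Parameters
    Application    REG_EXPAND_SZ    C:\Program Files (x86)\App Name\app.exe
    AppDirectory    REG_EXPAND_SZ    C:\Program Files (x86)\App Name
    AppParameters    REG_EXPAND_SZ    --port 8080
"""

# Constructed `icacls` output. The App Name directory grants Modify to
# Authenticated Users; C:\ carries the default ACL, where Authenticated Users
# may add folders (AD) but not files, and the Modify ACE is inherit-only (IO).
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\App Name BUILTIN\Administrators:(OI)(CI)(F)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                                BUILTIN\Users:(OI)(CI)(RX)

C:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)

Successfully processed 2 files; Failed processing 0 files
"""

# Example's own choice of principals any local user belongs to.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls rights that let a principal add or replace a file in a directory, or
# rewrite its DACL/owner and grant themselves more. AD (add subdirectory) is
# deliberately absent: the default C:\ ACL grants it, and it does not allow
# planting C:\Program.exe.
FILE_WRITE_RIGHTS = {"F", "M", "W", "WD", "WDAC", "WO"}


def parse_parameters(reg_output: str) -> dict[str, str]:
    """Map value names to data from `reg query ...\\Parameters` output."""
    pattern = r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$"
    return {m.group(1): m.group(3)
            for m in re.finditer(pattern, reg_output, re.MULTILINE)}


def parse_icacls(icacls_output: str, path: str) -> list[tuple[str, list[str]]]:
    """Return (principal, [flags and rights]) for the ACEs icacls printed for path.

    icacls prints the path once, followed by the first ACE on the same line,
    and indents the remaining ACEs beneath it. Paths and principals both
    contain spaces, so the block is located by its known path prefix.
    """
    for block in re.split(r"\n\s*\n", icacls_output.strip()):
        lines = block.splitlines()
        if not lines[0].startswith(path + " "):
            continue
        entries = [lines[0][len(path) + 1:]] + [ln.strip() for ln in lines[1:]]
        aces = []
        for entry in entries:
            principal, rights = entry.rsplit(":", 1)
            aces.append((principal.strip(), re.findall(r"\(([^)]*)\)", rights)))
        return aces
    raise ValueError(f"no icacls block for {path}")


def low_priv_writers(icacls_output: str, path: str) -> list[tuple[str, str]]:
    """ACEs on path that let a low-privilege principal write files into it."""
    hits = []
    for principal, tokens in parse_icacls(icacls_output, path):
        if principal not in LOW_PRIV_PRINCIPALS:
            continue
        # Deny ACEs grant nothing; inherit-only ACEs do not apply to this object.
        if "DENY" in tokens or "IO" in tokens:
            continue
        rights = {r for t in tokens for r in t.split(",")}
        if rights & FILE_WRITE_RIGHTS:
            hits.append((principal, "".join(f"({t})" for t in tokens)))
    return hits


def audit_nssm_service(reg_output: str, icacls_output: str) -> dict[str, list[tuple[str, str]]]:
    """Check every directory the service's Parameters key points at."""
    params = parse_parameters(reg_output)
    targets = {ntpath.dirname(params["Application"])}
    if params.get("AppDirectory"):
        targets.add(params["AppDirectory"])
    return {p: low_priv_writers(icacls_output, p) for p in sorted(targets)}


if __name__ == "__main__":
    for directory, findings in audit_nssm_service(REG_QUERY_OUTPUT, ICACLS_OUTPUT).items():
        print(directory, "->", findings or "no low-privilege write access")
```

On a live host, feed in the text of reg query "HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters" and icacls "<directory>", and run the same icacls check on the directory that holds nssm.exe and on the Parameters key's own ACL (icacls does not cover registry keys; that one is a separate check). A Modify or Full Control entry for Authenticated Users, Users or Everyone on any of these is the finding to fix.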
NSSM does not let a standard user install a service. Creating a service requires Administrator rights on Windows, so nssm install from an unelevated command prompt simply fails. The escalation therefore does not come from installing a new service; it comes from an existing service, installed by an administrator and running as SYSTEM, whose executable, directory or Parameters registry key a standard user is allowed to change.
If you are running NSSM, understanding how an attacker can move from a low-privilege user to SYSTEM is critical for securing your infrastructure.