Nssm-2.24 Privilege Escalation [portable] · Recent & Best

Security Advisory: NSSM 2.24 Privilege Escalation

Software: Non-Sucking Service Manager (NSSM) Affected Versions: NSSM 2.24 (and likely prior versions) Severity: High Vector: Local Impact: Privilege Escalation (Local System)

However, version 2.24 (released several years ago) contains a specific, reproducible privilege escalation vulnerability that has flown under the radar for many organizations. While the maintainers have since addressed this in later versions, countless legacy systems and poorly maintained servers still run NSSM 2.24.

The most common privilege escalation involving NSSM 2.24 stems from "Unquoted Service Paths". nssm-2.24 privilege escalation

The core issue arises because the service configuration created by NSSM often relies on the unquoted service path vulnerability or allows for the injection of commands/arguments that the Service Control Manager passes directly to the CreateProcess API.

: Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe Security Advisory: NSSM 2

Exploitation: An attacker with low-level write access to the root directory (e.g., C:\) can place a malicious executable named Program.exe. When the service restarts, it will run the attacker's code with the privileges of the service account, typically SYSTEM. 2. Service Binary Hijacking

Avoid running services as LocalSystem unless absolutely necessary. Instead, create a Managed Service Account (MSA) or a dedicated low-privilege user account with only the specific permissions required to run that application. 4. Upgrade and Monitor Upgrade to NSSM 2

Understanding the Attack Surface

What Makes NSSM 2.24 Different?

Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience—not security. Its core features that enable privilege escalation include:

Mitigation / Fix

• Upgrade to NSSM 2.24.1+ (if a patched version exists — check official site).
• Manually fix: Set the service DACL to allow only SYSTEM and Administrators to modify the service or its registry keys.

  sc sdset MyNSSMService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
  

• Alternative: Use a more secure service wrapper (e.g., WinSW with config protection, or Windows built-in sc + proper ACLs).
• Monitor for changes to binPath or Parameters\Application keys.