Nssm-2.24 Privilege Escalation

NSSM (Non-Sucking Service Manager) is a legitimate tool used to run any executable as a Windows service. It is frequently exploited for local privilege escalation (LPE).

If nssm.exe or the binary it wraps has "Full Control" or "Write" permissions for the "Users" group, an attacker can replace the binary with a malicious one.

NSSM is a highly popular, open-source utility designed to run ordinary executables as background Windows services. While NSSM is highly efficient, deploying nssm.exe v2.24 within corporate software installers introduces structural local privilege escalation (LPE) risks if the deployment is misconfigured.

NSSM automatically detects administrative requirements and elevates privileges through the elevate() function, which leverages ShellExecuteEx() with the "runas" verb to launch a new elevated process while preserving all original command-line arguments. This built-in elevation mechanism, while convenient, has historically created attack vectors when combined with improper file permission settings.

| Vulnerability Identifier | CVSS Score | Attack Vector | Root Cause |
|---|---|---|---|
| | 7.8 (High) | Local, Low Privilege | Improper file permissions on nssm.exe allow binary replacement |
| CVE-2024-51448 | 7.8 (High) | Local, Low Privilege | Inherited weak directory permissions in IBM RPA |
| CVE-2016-20033 | 7.8 (High) | Local, Authenticated | Full access granted to Everyone group for nssm_x64.exe in Wowza Streaming Engine |
| Unquoted Service Path | N/A (Systemic) | Local, Low Privilege | Service binary path with spaces lacks quotation marks |

To illustrate how an auditor or attacker validates this vulnerability, consider the following lifecycle of an LPE attack utilizing a misconfigured NSSM 2.24 deployment.

Step 1: Enumeration and Identification

The attacker creates a malicious executable (e.g., a reverse shell) and drops it in C:\Program Files\Application.exe.

```
# Check current permissions
icacls "C:\Path\To\nssm.exe"
```

```
$ copy evil.exe nssm.exe /Y
```
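For the auditing side of the enumeration step, the following added example (not from the original page or from the NSSM project) parses `icacls` output and a service ImagePath string to flag the two misconfigurations listed in the table: write-class ACEs held by low-privilege groups, and unquoted paths containing spaces. The sample output, the low-privilege group list, the `Example App` path and the function names are assumptions constructed for illustration.

```python
import re

# Assumption: principals treated as low-privilege for this audit.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls simple and specific rights that allow replacing, deleting or re-ACLing a file.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "DC", "WD", "AD", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

# Constructed sample of `icacls` output for illustration; not captured from a real host.
SAMPLE_PATH = r"C:\Path\To\nssm.exe"
SAMPLE_ICACLS = r"""C:\Path\To\nssm.exe BUILTIN\Users:(I)(F)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    NT AUTHORITY\Authenticated Users:(DENY)(W)
                    Everyone:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""


def weak_aces(icacls_output, path):
    """Return (principal, rights) pairs where a low-privilege principal can modify path."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed with the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or the summary line
        who = m["who"].strip()
        tokens = {t.strip().upper() for group in re.findall(r"\(([^)]*)\)", m["perms"])
                  for t in group.split(",")}
        risky = sorted(tokens & WRITE_RIGHTS)
        if risky and "DENY" not in tokens and who.lower() in LOW_PRIV:
            findings.append((who, risky))
    return findings


def unquoted_path_risk(image_path):
    """True when a service ImagePath is unquoted and its executable path contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    m = re.match(r"(.+?\.exe)\b", p, re.IGNORECASE)
    return " " in (m.group(1) if m else p)


if __name__ == "__main__":
    print(weak_aces(SAMPLE_ICACLS, SAMPLE_PATH))
    print(unquoted_path_risk(r"C:\Program Files\Example App\nssm.exe"))
```

Any finding from `weak_aces` on nssm.exe, the wrapped binary or their parent directory means the ACL should be tightened so only administrators and SYSTEM can write; a `True` from `unquoted_path_risk` means the service's ImagePath should be wrapped in quotation marks.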