NSSM 2.24 Privilege Escalation

If you are a system administrator or a security professional, understanding how this privilege escalation works is critical for securing Windows environments.

What is NSSM-2.24?

To check whether NSSM is present on a host, which version is installed, and which services are launched through it:

```
nssm version
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" | findstr /i "nssm"
```
The vulnerability arises because the file permissions on the nssm.exe binary are not secured properly. Under normal Windows security models, system files should be immutable to regular users. In vulnerable configurations, however, a low-privileged local user can overwrite or modify the nssm.exe binary. Once the attacker has tampered with the binary, they only need to wait for the NSSM service to restart. When the system executes the service again, it runs the attacker's replacement executable, and crucially it does so under the high-privileged SYSTEM account or an administrative account. This allows the attacker to completely compromise the system.
If a service is installed with a path like C:\Program Files\My App\nssm.exe and the path is not properly quoted, Windows attempts to execute the following candidates in order:

1. C:\Program.exe (with args: Files\My App\nssm.exe)
2. C:\Program Files\My.exe (with args: App\nssm.exe)
3. C:\Program Files\My App\nssm.exe
A simple PoC to demonstrate the flaw (assuming you have nssm 2.24 (nssm.exe) in the current directory and a standard user account). The command below locates every copy of nssm.exe on the system drive and runs each one with the version argument, showing which copies a standard user can reach and execute:

```powershell
# Find every nssm.exe on the system drive and print its version string
Get-ChildItem -Path C:\ -Filter nssm.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { & $_.FullName version }
```
NSSM itself is fundamentally designed to interface directly with the . When a third-party software package bundles nssm.exe to manage its background tasks, it often inherits systemic flaws or human oversights introduced when the installer lays out files on disk, such as overly permissive directory ACLs.
Attackers can install an NSSM service pointing to cmd.exe /c net user backdoor P@ssw0rd /add & net localgroup administrators backdoor /add. After the next reboot, the backdoor user is created.
In multi-tenant environments (VDI, Citrix, shared kiosks), a low-privilege user who finds NSSM 2.24 installed on the base image can escalate to SYSTEM and escape their session container.
| Vulnerability Identifier | CVSS Score | Attack Vector | Root Cause |
|---|---|---|---|
| | 7.8 (High) | Local, Low Privilege | Improper file permissions on nssm.exe allow binary replacement |
| CVE-2024-51448 | 7.8 (High) | Local, Low Privilege | Inherited weak directory permissions in IBM RPA |
| CVE-2016-20033 | 7.8 (High) | Local, Authenticated | Full access granted to Everyone group for nssm_x64.exe in Wowza Streaming Engine |
| Unquoted Service Path | N/A (Systemic) | Local, Low Privilege | Service binary path with spaces lacks quotation marks |
Conduct regular vulnerability scans to identify instances of weak file permissions on service executables. Automate checks for the Authenticated Users:(C) permission pattern.
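The following audit script is an added example, not code from the original article or from the NSSM project. It automates the check described above: it enumerates services whose image path references nssm, flags unquoted paths containing spaces, and reports any write-class rights (Write, Modify, FullControl, Delete) that broad principals such as Everyone, Authenticated Users or BUILTIN\Users hold on the binary or its parent directory. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the host being audited; the principal list and rights mask are the author's choices, not values from the page.

```powershell
# Added audit script (not from the original article). Assumes an elevated
# PowerShell session on the Windows host being audited.

# Broad principals that should never hold write-class rights on a service binary.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow replacing or altering the file (or its containing directory).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted image path: the executable is the text inside the first quote pair.
    if ($PathName -match '^"([^"]+)"') { return @{ Path = $Matches[1]; Quoted = $true } }
    # Unquoted image path: take everything up to and including the first ".exe".
    if ($PathName -match '^(.*?\.exe)') { return @{ Path = $Matches[1]; Quoted = $false } }
    return @{ Path = $PathName.Trim(); Quoted = $false }
}

function Test-BroadWriteAccess {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            $findings += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $Path"
        }
    }
    return $findings
}

$results = foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }) {
    $bin = Get-ServiceBinaryPath -PathName $svc.PathName
    $issues = @()
    if (-not $bin.Quoted -and $bin.Path -match '\s') { $issues += 'Unquoted service path containing spaces' }
    if (Test-Path -LiteralPath $bin.Path) {
        $issues += Test-BroadWriteAccess -Path $bin.Path
        # Write access to the parent directory also permits swapping the binary.
        $issues += Test-BroadWriteAccess -Path (Split-Path -Parent $bin.Path)
    } else { $issues += 'Service binary not found on disk' }
    [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                       Binary = $bin.Path; Issues = ($issues -join '; ') }
}
$results | Where-Object { $_.Issues } | Format-Table -AutoSize
```

Any row reported here with a SYSTEM or administrative RunsAs value is the condition the article describes and should be fixed by tightening the ACL and quoting the image path.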
The NSSM-2.24 privilege escalation vulnerability highlights the importance of continuous security assessment and timely patching of software. By understanding the technical details of the vulnerability and implementing the recommended mitigations, organizations can protect their systems from potential exploitation. It is crucial for users of NSSM to stay informed about security updates and to follow best practices for securing service management configurations.
Affected versions

The 2.24 version is outdated, and the primary recommendation from the NSSM developers is to upgrade to the 2.25 pre-release builds, which address several bugs, including those related to service handling and stability.

Immediate Mitigation Steps: