Privilege Escalation - Nssm-2.24

Non-Sucking Service Manager (NSSM) version 2.24 itself does not have a documented, inherent code-based privilege escalation vulnerability. However, it is frequently cited in security reviews because of unquoted service paths and insecure file-system permissions introduced by the applications that use it as a service wrapper (see www.tenable.com). The key security concern for NSSM 2.24 is therefore the unquoted service path.

Real-World Attack Scenario

Imagine a corporate environment running a legacy monitoring agent installed via NSSM 2.24 on hundreds of Windows Server 2012 R2 machines. A contractor with limited access discovers that the NSSM service LegacyMonitor has its binary stored in C:\ProgramData\Monitor\. The ProgramData folder, by default, grants BUILTIN\Users write access, so a low-privileged user can place a file in the directory the SYSTEM-level service loads from.
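The following audit script is an added example and is not part of the original page or of the NSSM project. It implements the check a defender would run against the scenario above: for every installed service it reports whether the binary path is unquoted and contains spaces, and whether the directory holding the binary grants write or modify rights to broad principals such as BUILTIN\Users. The list of broad principals and the rights mask are assumptions chosen for illustration; the script only reads service definitions and ACLs and must run from an elevated session so every service's directory can be inspected.

```powershell
# Added audit example (not from the original page): flag services whose
# binary path is unquoted and contains spaces, or whose binary directory
# is writable by broad groups. Run from an elevated PowerShell session.

# Assumed set of principals treated as "everyone on the box".
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Rights that let a caller replace or add files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: the executable is the text inside the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first argument-looking token.
    # For unquoted paths containing spaces this is ambiguous, which is the
    # very ambiguity the service control manager also faces at start-up.
    return ($PathName -split '\s+(?=-|/)')[0].Trim()
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }

    $bin      = Get-ServiceBinaryPath $svc.PathName
    $unquoted = ($svc.PathName -notmatch '^\s*"') -and ($bin -match '\s')
    $dir      = Split-Path -Path $bin -Parent -ErrorAction SilentlyContinue
    $writable = @()

    if ($dir -and (Test-Path -LiteralPath $dir)) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                ([int]($ace.FileSystemRights -band $WriteRights)) -ne 0) {
                $writable += $ace.IdentityReference.Value
            }
        }
    }

    # Emit one record per service that has either weakness.
    if ($unquoted -or $writable.Count -gt 0) {
        [pscustomobject]@{
            Service        = $svc.Name
            RunAs          = $svc.StartName
            PathName       = $svc.PathName
            UnquotedSpaces = $unquoted
            WritableBy     = ($writable | Sort-Object -Unique) -join ', '
        }
    }
}

$findings | Format-Table -AutoSize
```

A service that appears in the output with RunAs of LocalSystem and WritableBy listing BUILTIN\Users is the LegacyMonitor situation. The remediation is twofold: quote the ImagePath (for NSSM-managed services, reinstall with the full quoted path or fix it in the registry) and move the binary into a directory where only Administrators and SYSTEM hold write rights, then re-run the script to confirm the service no longer appears.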

  • Windows unquoted service path concept and writeups (numerous blog posts and pentest guides).
  • Exploit-DB entries showing specific occurrences where nssm.exe was installed unquoted inside product installs.
  • Metasploit module windows/local/trusted_service_path and common LPE enumeration tools like PowerUp.ps1.
  To enumerate every copy of nssm.exe on a host and print the version each one reports:
  Get-ChildItem -Path C:\ -Filter nssm.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object { & $_.FullName version }

Proof of Concept

Assumptions:

Because NSSM is a legitimate, signed tool for managing services, threat actors often use it to establish persistence rather than dropping a custom service binary.

Common in CTFs: Because of its well-known behaviour and its role in historical vulnerabilities (such as the Odoo and CouchDB exploits), NSSM is a favourite in Capture The Flag (CTF) challenges and penetration testing certifications.

nssm set <service_name> Application "C:\temp\malware.exe"