NSSM 2.24 Privilege Escalation

Non-Sucking Service Manager (NSSM) version 2.24 itself does not have a documented, inherent code-based privilege escalation vulnerability. However, it is frequently cited in security reviews due to unquoted service path vulnerabilities and insecure permissions created by the applications that use it as a wrapper. (www.tenable.com)

Key Security Concerns for NSSM 2.24

Unquoted Service Path

  1. Enumerate installed services; identify services whose ImagePath contains unquoted paths (tools: sc qc, wmic service get DisplayName,PathName, or automated enumeration scripts like PowerUp.ps1).
  2. For each candidate, list the path segments Windows will try (prefixes up to the full path).
  3. Check which prefixes are writable by the current user.
  4. If a writable prefix is found (e.g., C:\ or a writable directory earlier in the path), create an executable with the prefix name (e.g., C:\Program.exe) that spawns a SYSTEM shell or drops a payload.
  5. Trigger service start/restart (if possible) or wait for normal restart; when Windows attempts to start the service it will run the attacker-controlled executable, yielding SYSTEM execution.
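
Steps 1 to 3 from the defender's side, as an added example that is not part of the original page: it parses ImagePath values, flags unquoted ones whose binary path contains spaces, lists the earlier paths Windows would try (the locations whose directory ACLs need review), and gives the quoted value to set instead. The service names and paths are constructed samples, the function names are hypothetical, and treating the first ".exe" as the end of the binary is a simplifying assumption.

```python
import re

# Assumption: the first ".exe" followed by whitespace or end-of-string ends
# the binary path; everything after it is treated as arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (binary, arguments) for an unquoted ImagePath, or None when
    the value is already quoted or does not name an .exe (e.g. a driver)."""
    path = image_path.strip()
    match = _EXE_END.search(path)
    if path.startswith('"') or match is None:
        return None
    return path[:match.end()], path[match.end():]

def hijackable_candidates(image_path):
    """Paths Windows tries before the intended binary: one per space in the
    unquoted binary path, with .exe appended when the prefix has no extension."""
    parts = split_image_path(image_path)
    if parts is None:
        return []
    binary, found = parts[0], []
    for i, ch in enumerate(binary):
        if ch == " " and not binary[:i].endswith(" "):
            prefix = binary[:i]
            leaf = prefix.rsplit("\\", 1)[-1]
            found.append(prefix if "." in leaf else prefix + ".exe")
    return found

def audit(services):
    """Map each affected service to the paths whose parent directories need
    an ACL review, plus the quoted ImagePath that removes the ambiguity."""
    report = {}
    for name, image_path in services.items():
        candidates = hijackable_candidates(image_path)
        if candidates:
            binary, args = split_image_path(image_path)
            report[name] = {"candidates": candidates,
                            "quoted_fix": f'"{binary}"{args}'}
    return report

# Constructed sample data, not taken from any real host.
SAMPLE_SERVICES = {
    "DemoNssmSvc": r"C:\Program Files\Demo App\nssm.exe",
    "DemoArgsSvc": r"C:\Demo Tools\agent.exe --config C:\cfg\a.ini",
    "DemoQuotedSvc": r'"C:\Program Files\Demo App\nssm.exe"',
    "DemoSvchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "DemoDriver": r"\SystemRoot\System32\drivers\demo.sys",
}
```

A service reported here is only exposed if a non-administrative account can write to the parent directory of one of its candidates; quoting the ImagePath removes the ambiguity regardless.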
  • before reaching the intended file. An attacker can place a malicious Program.exe at the root of the drive to hijack the service execution. (NSSM - the Non-Sucking Service Manager)

3. Exploitation in Ransomware Campaigns

While NSSM 2.24 is a legitimate tool used to manage Windows services, it is often central to privilege escalation attacks due to improper deployment permissions rather than a flaw in its own source code.