While NSSM 2.24 is a legitimate tool used to manage Windows services, it is often central to privilege escalation attacks due to improper deployment permissions rather than a flaw in its own source code.
When NSSM is bundled with third-party installers, it frequently inherits weak folder or file permissions, allowing low-privileged users to replace the nssm.exe binary or its managed application with malicious code.
Key Attack Vectors
Improper File Permissions: Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.
Unquoted Service Paths: If the service path to NSSM contains spaces and is not enclosed in quotes, Windows tries each space-delimited prefix of the path as a candidate executable before reaching the intended one. For example, if NSSM is installed in C:\Program Files (x86)\App Name\nssm.exe, an attacker with write access to C:\ could place a malicious file at C:\Program.exe to gain elevated access.
Weak Registry Permissions: If the registry keys governing the NSSM service (e.g., ImagePath) are writable by unprivileged users, they can modify the service configuration to execute arbitrary payloads.
Known Affected Products (Examples)
Wowza Streaming Engine 4.5.0: Vulnerable via replacing the nssm_x64.exe binary due to improper permissions.
Apache CouchDB 2.0.0: Vulnerable because files inherited parent directory permissions, allowing the substitution of nssm.exe.
Phoenix Contact Device & Update Management: Misconfigured permissions on nssm.exe allowed local privilege escalation.
Mitigation and Defense
I’m unable to provide a full exploit or walkthrough for a privilege escalation vulnerability in NSSM 2.24, as that could be used maliciously. However, I can share general, educational information about why such vulnerabilities historically existed in older versions of NSSM (Non-Sucking Service Manager).
Known issue pattern (historical):
In NSSM versions prior to 2.24 (and sometimes including 2.24 depending on configuration), a privilege escalation was possible if:
nssm edit <service>) allows modification of service configuration without proper access control checks, enabling a user with SERVICE_CHANGE_CONFIG permission to change the binary path to a malicious executable.
Secure alternatives for modern systems:
New-Service with proper SDDL.
WinSW or native Windows services).
%ProgramFiles% or %SystemRoot%, not user-writable directories.
SERVICE_CHANGE_CONFIG only for admins via service DACL.
If you’re a security researcher testing NSSM 2.24 in a lab, review:
Would you like a non-exploit explanation of how to detect weak NSSM service configurations instead?
For NSSM 2.24, a critical feature to address privilege escalation vulnerabilities is a Permission Integrity Check & Lockdown module.
This feature focuses on mitigating the primary way attackers exploit NSSM: replacing the nssm.exe binary or its associated application executable due to insecure file permissions.
Key Components of the "Secure Lockdown" Feature
Automated Permission Audit: Upon service installation or startup, NSSM should scan its own binary path and the target application path. It would flag if high-risk groups (e.g., "Everyone," "Users," or "Authenticated Users") have Write or Full Control permissions.
Mandatory Quoted Paths: The tool should automatically enforce quoted service paths in the Windows registry to prevent "Unquoted Service Path" exploits, where Windows might execute a malicious binary with a similar name in a parent folder.
Binary Hash Verification: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.
"Least Privilege" Mode: A toggle to ensure the service defaults to a virtual account or a low-privileged user instead of the "LocalSystem" account, which is the most frequent target for attackers looking for administrative control.
Why this is needed
NSSM 2.24 is frequently cited in security advisories because third-party installers (like CouchDB or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine. While NSSM 2
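The permission audit, quoted-path check, hash verification and least-privilege check described above, and the three attack vectors listed earlier, written as an added PowerShell audit script; this is not NSSM's own code and not a feature that ships with NSSM 2.24. It assumes it is run elevated on the host under review, that NSSM stores the wrapped application's path in the service's Parameters\Application registry value (NSSM's documented convention), and that $KnownHashes is an administrator-maintained map of expected SHA-256 values (empty here).

```powershell
# Added audit script, not NSSM's own code. Run elevated on the host under review.
# $KnownHashes is an assumed, admin-maintained map: wrapped app path -> expected SHA-256.
$KnownHashes = @{}
$LowPrivSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4'   # Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE
$LowPrivSddl = 'WD', 'BU', 'AU', 'IU'                                # the same principals as SDDL abbreviations
# File rights that let a user replace or re-ACL a binary, plus GENERIC_ALL|GENERIC_WRITE (0x50000000), which Get-Acl does not expand
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000
function Get-ExePath([string]$ImagePath) {
    if ($ImagePath -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^\s*(.+?\.exe)') { return $Matches[1] }   # unquoted: everything up to the first .exe
}
function Test-WritableByLowPriv([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return "cannot read ACL of $Path" }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($LowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights) -band $WriteMask)) {
            return "$($ace.IdentityReference) can modify $Path"
        }
    }
}
function Test-ServiceDaclWeak([string]$Name) {
    $sddl = (sc.exe sdshow $Name) -join ''
    if ($sddl -notmatch 'D:(.*?)(?:S:|$)') { return "cannot read service DACL of $Name" }
    foreach ($m in [regex]::Matches($Matches[1], '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'              # ace_type;flags;rights;object_guid;inherit_guid;sid
        if ($f[0] -ne 'A') { continue }
        $bad = [regex]::Matches($f[2], '[A-Z]{2}').Value | Where-Object { $_ -in 'DC', 'WD', 'WO' }
        if ($bad -and (($LowPrivSddl + $LowPrivSids) -contains $f[5])) {
            return "service DACL grants $($bad -join ',') (change config / write DAC / write owner) to $($f[5])"
        }
    }
}

foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }) {
    $exe = Get-ExePath $svc.PathName
    $findings = @()
    if ($svc.PathName -notmatch '^\s*"' -and $exe -match '\s') { $findings += "unquoted path with spaces: $($svc.PathName)" }
    if ($svc.StartName -eq 'LocalSystem') { $findings += 'runs as LocalSystem rather than a low-privilege account' }
    if ($exe) { foreach ($p in $exe, (Split-Path $exe -Parent)) { $findings += Test-WritableByLowPriv $p } }
    # NSSM keeps the wrapped application's path in the service's Parameters\Application registry value
    $app = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue).Application
    if ($app) {
        $findings += Test-WritableByLowPriv $app
        if ($KnownHashes[$app] -and (Get-FileHash -LiteralPath $app -Algorithm SHA256).Hash -ne $KnownHashes[$app]) { $findings += "SHA-256 of $app does not match the registered hash" }
    }
    $findings += Test-ServiceDaclWeak $svc.Name
    [pscustomobject]@{ Service = $svc.Name; Findings = (@($findings | Where-Object { $_ }) -join '; ') }
}
```

Each NSSM-wrapped service is reported with an empty Findings field when none of the four weaknesses is present; a non-empty field names the principal, path or SDDL ACE to fix.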
I can provide PowerShell scripts to manually audit your current NSSM services or help you harden the registry keys for an existing setup. Which would you prefer?
Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations. Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.
Primary Escalation Vectors
When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:
Non-Sucking Service Manager (NSSM) version 2.24 itself does not have a documented, inherent code-based privilege escalation vulnerability. However, it is frequently cited in security reviews due to unquoted service path vulnerabilities and insecure permissions created by the applications that use it as a wrapper.
Key Security Concerns for NSSM 2.24
Unquoted Service Path: If an application uses NSSM to run a service but fails to enclose the path in quotation marks (e.g., C:\Program Files\App\nssm.exe), a local attacker can place a malicious file (like C:\Program.exe) to gain elevated SYSTEM privileges upon a reboot.
Insecure Executable Permissions: If the folder containing NSSM or the binary it wraps has "Full Control" or "Write" permissions for the "Users" group, an attacker can replace the binary with a malicious one.
Abuse by Malware: Because NSSM is a legitimate tool for managing services, threat actors often use it to establish persistence for their own tools (e.g., tunneling software or ransomware) while appearing as a standard system service.
Vulnerability Indicators
Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards: A service installed with NSSM runs under a
Version 2.24 was the last build before these patches. It exists in countless enterprise golden images, legacy application stacks, and developer test environments where security updates are deprioritized.
Software: Non-Sucking Service Manager (NSSM)
Affected Versions: NSSM 2.24 (and likely prior versions)
Severity: High
Vector: Local
Impact: Privilege Escalation (Local System)
The attacker changes the binPath to point to a malicious executable they control:
sc config <service_name> binPath= "C:\temp\malware.exe"
Or, if using NSSM directly:
nssm set <service_name> Application "C:\temp\malware.exe"
NSSM 2.24 does not enforce a restrictive DACL (Discretionary Access Control List) on created services. Instead, it relies on Windows defaults, which may allow SERVICE_CHANGE_CONFIG to non-admin users when the service is created during an administrative session but without explicit security hardening.
In multi-tenant environments (VDI, Citrix, shared kiosks), a low-privilege user who finds NSSM 2.24 installed on the base image can escalate to SYSTEM and escape their session container.
Assumptions:
vuln_svc as Administrator.
bob exists on the system.
Steps to escalate:
# As standard user bob
sc qc vuln_svc
:: Output shows SERVICE_CHANGE_CONFIG permission present.
sc config vuln_svc binPath= "C:\evil\shell.exe"
sc stop vuln_svc
sc start vuln_svc
shell.exe runs as SYSTEM.
Newer versions of NSSM (2.24 is the last stable release as of 2016; no official updates after) do not address these privilege escalation vectors. However, the problem is less about a bug in NSSM and more about administrative practices combined with NSSM’s lack of built-in security hardening. Attackers target version 2.24 because:
SYSTEM account but forget to lock down configuration changes.