Nssm-2.24 Privilege Escalation Verified

If the output says 2.24, the system is vulnerable.

The primary method for escalating privileges via NSSM 2.24 involves . If an administrator installs a service using NSSM and the path to the executable contains spaces but no quotation marks (e.g., C:\Program Files\Service Name\nssm.exe), Windows will search for and attempt to execute files in the following order:

C:\Program.exe
C:\Program Files\Service.exe
C:\Program Files\Service Name\nssm.exe

An attacker generally follows these steps to exploit a misconfigured NSSM instance:

: Official documentation for 2.24 notes that it may fail or loop if run without sufficient rights, ironically highlighting its deep integration with system privileges.

Mitigation Strategies

This vector typically manifests when an application installer deploys nssm.exe to a directory but fails to restrict the permissions of that folder.

: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.

A working exploit was published on by researcher hyp3rlinx, demonstrating the practical exploitability of this issue. The sc qc command revealed that the service was configured to run as LocalSystem, further confirming the elevated execution context.

sc config "ServiceName" binPath= "\"C:\Program Files\NSSM\nssm.exe\" install..."

2. Upgrade NSSM

For system administrators, the key takeaways are clear:

$ icacls nssm.exe
nssm.exe Everyone:(I)(F)   # <-- Full control for Everyone!