NSSM 2.24 Privilege Escalation

NSSM 2.24 itself creates a service. If the binary of the application that NSSM is managing has weak permissions (e.g., Users: Modify or Users: Full Control), a non-privileged user can replace the application executable with a payload. Example: NSSM is configured to run C:\Service\App.exe, and the directory C:\Service\ is writable by standard users; the user replaces App.exe with a malicious executable.

The attacker checks the permissions of the directory containing the executable using icacls:

    icacls "C:\Program Files\NSSM"

Or check the registry directly:

If a service is installed with a path like C:\Program Files\My App\nssm.exe and the path is not properly quoted, Windows attempts to execute it in the following order:

1. C:\Program.exe (with args: Files\My App\nssm.exe)
2. C:\Program Files\My.exe (with args: App\nssm.exe)
3. C:\Program Files\My App\nssm.exe

Mitigation: ensure the directory containing nssm.exe is only writable by Administrators or TrustedInstaller.

A separate issue in NSSM 2.24: it leaks thread handles when applications restart, which can lead to system instability over time.

Proofs-of-concept and tooling

References and further research

This is a classic example of an unquoted service path vulnerability leading to full system compromise. It highlights the importance of not just using reliable tools, but configuring them correctly. By ensuring service paths are quoted and keeping software updated, organizations can easily mitigate this threat.
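An added audit helper (example code written for this page, not from the original or from the NSSM project) that models the resolution order described above: given a service ImagePath string as stored in the registry, it returns the spurious locations Windows would try before the intended executable, the quoted form that removes the ambiguity, and a per-service summary. The function names and the assumption that an unquoted path ends at the first token ending in .exe are mine.

```python
import ntpath
import re

def parse_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted).
    Unquoted paths are assumed (for this example) to end at the first
    token ending in .exe; anything after it is treated as arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath")
        return s[1:end], s[end + 1:].strip(), True
    m = re.search(r"\.exe(?=\s|$)", s, re.IGNORECASE)
    if not m:
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False

def unquoted_path_candidates(image_path):
    """Return the locations Windows tries before the intended executable,
    following the resolution order described above: split at each space
    in turn, appending .exe when the prefix has no extension.
    An empty list means the path is unambiguous."""
    exe, _args, quoted = parse_image_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def quote_image_path(image_path):
    """Return the ImagePath with the executable wrapped in double quotes,
    which is the fix for the ambiguity."""
    exe, args, _quoted = parse_image_path(image_path)
    fixed = f'"{exe}"'
    return f"{fixed} {args}" if args else fixed

def audit_services(services):
    """Map each service with an ambiguous ImagePath to the spurious locations
    an administrator must confirm are not writable by standard users.
    `services` is {name: ImagePath}; constructed input here, on a real host
    it would be read from the Services key under HKLM."""
    return {n: c for n, p in services.items() if (c := unquoted_path_candidates(p))}
```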