NSSM-2.24 Privilege Escalation

Privilege escalation occurs when a standard user can trick a high-privileged process (the NSSM service) into running a malicious file.

1. Identification

If the permissions on the folder where nssm.exe or its managed application resides are weak (e.g., BUILTIN\Users has Modify or Write permissions), an attacker can replace the legitimate binary with a malicious one. Since NSSM is designed to restart services if they crash, an attacker can simply kill the process and wait for NSSM to restart their malicious version.

3. Known Bugs in v2.24

To prevent privilege escalation when using NSSM, you should follow these security best practices:

Understanding NSSM 2.24 Privilege Escalation: Vulnerability Analysis and Remediation

This is the most frequent cause of NSSM-related local privilege escalation.

Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.

Attackers look for instances where NSSM has been configured with weak file permissions. If a user can overwrite nssm.exe or its configuration in the Registry (located at HKLM\System\CurrentControlSet\Services\ \Parameters), they can point the service to a malicious script.

NSSM (Non-Sucking Service Manager) version 2.24 is a popular open-source utility for running executables as Windows services. While the tool itself is generally considered legitimate, version 2.24 has been linked to various local privilege escalation (LPE) vulnerabilities, often due to how it is integrated by third-party installers rather than a fundamental flaw in its own binary.

Key Privilege Escalation Vectors

: Vulnerable because files inherited parent directory permissions, allowing non-privileged users to swap the service launcher.

Wowza Streaming Engine: Allowed authenticated users to replace nssm_x64.exe to gain LocalSystem rights.

2. Unquoted Service Path Vulnerability

If NSSM is installed in a path containing spaces (e.g., C:\Program Files\App\nssm.exe) and the service's

However, the widely used version, , possesses known security design patterns and vulnerabilities that can lead to Local Privilege Escalation (LPE). This article explores how NSSM 2.24 can be leveraged for privilege escalation, the technical mechanics behind it, and how to defend against such threats.

What is NSSM 2.24?

The 2.24 version is outdated, and the primary recommendation from the NSSM developers is to upgrade to the 2.25 pre-release builds, which address several bugs, including those related to service handling and stability.

Immediate Mitigation Steps:

Understanding "NSSM-2.24 Privilege Escalation": Vulnerabilities, Mechanics, and Mitigation