Nssm-2.24 Privilege Escalation Fixed [ESSENTIAL]
NSSM 2.24 is a textbook example of how a small oversight in a utility tool can lead to a full domain compromise. The privilege escalation vector is trivial to exploit yet devastating in impact. While the maintainers fixed the issue years ago, the software supply chain is messy, and outdated copies still ship inside third-party installers.

NSSM (the Non-Sucking Service Manager) has long been a trusted tool for Windows system administrators. Its ability to wrap virtually any executable into a Windows service made it indispensable for deploying applications like Nginx, Redis, Elasticsearch, and Python scripts as reliable background services. However, with great power comes great vulnerability. This article provides an in-depth examination of the privilege escalation vulnerabilities associated with NSSM version 2.24, offering technical analysis, exploitation methodologies, impact assessment, and comprehensive mitigation strategies for security professionals and system administrators.

CVE-2016-20033
Severity: High (CVSS: 7.8)
Attack Vector: Local (AV:L)
Privileges Required: Low (PR:L)

The Attack Vector Breakdown (CVSS:3.1 / 7.8 High)

While nssm.exe itself is a stable and legitimate administration utility, the way third-party software installers and vendors deploy it frequently creates vulnerabilities. When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations, which fall primarily into two categories:

1. Insecure Permissions on the Binary (Weak DACLs)

Writable service binary or helper: an attacker can place a malicious program.exe in C:\ or nssm.exe in C:\Program Files\. When the service restarts, Windows may execute the attacker's file instead of the intended one, granting SYSTEM privileges. Likewise, if the Users or Everyone security group is granted write access or Full Control (F) to the directory containing nssm.exe, or to the binary itself, the system becomes completely vulnerable.

2. Unprotected Service Registry Keys

Furthermore, specific to NSSM 2.24, the tool allows modification of the AppParameters or Application registry entries (values under HKLM\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters) without strict integrity checks if the attacker has sufficient privileges to modify the service configuration (often achievable with standard user rights if service permissions are misconfigured).

Exploitation in the Wild

Attackers can install an NSSM service pointing to cmd.exe /c net user backdoor P@ssw0rd /add & net localgroup administrators backdoor /add. After the next reboot, the backdoor user is created.

To prevent your NSSM installation from becoming a gateway for attackers, follow these security best practices:

1. Audit File System Permissions: make sure that the Users and Everyone groups hold neither write access nor Full Control (F) over nssm.exe, the directory that contains it, or the wrapped application it launches.

2. Run with Least Privilege: configure the service to "Log on" as a specific user with the minimum required permissions rather than the default SYSTEM account.

3. Monitor Service Registry Keys: secure the registry path HKLM\System\CurrentControlSet\Services\ so that a service's Parameters cannot be rewritten by non-administrators, and watch it for changes.

4. Keep NSSM Current: NSSM-2.24 is an older release. Ensure you are using the latest stable release or patches provided by the official community maintainers. If a project is abandoned, consider migrating to built-in Windows alternatives such as native PowerShell service creation (New-Service).
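The three misconfigurations and the "Audit File System Permissions" practice above can be checked from one elevated PowerShell session. The script below is an added example written for this article; it is not code from the original page or from the NSSM project. It is read-only and changes nothing. The list of "low-privileged" principals, the write-rights masks, and the check names are this example's own assumptions.

```powershell
# Added example (not from the original article or the NSSM project): a read-only audit of
# NSSM-wrapped services for the misconfigurations described above. It changes nothing.
# Assumptions: elevated Windows PowerShell 5.1+ session; the "low-privileged principal"
# list and the write-rights masks below are this example's own choices.

$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a non-admin replace/alter a file, or rewrite a registry key.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl, TakeOwnership, ChangePermissions'
# Some ACEs carry raw generic bits instead: GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000).
$GenericWriteOrAll = 0x40000000 -bor 0x10000000

function Get-WeakAces {
    # Returns the Allow ACEs that give a low-privileged principal write-level rights.
    param($Acl, [int]$Mask)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemAccessRule exposes FileSystemRights; RegistryAccessRule exposes RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            [int]$ace.FileSystemRights
        } else {
            [int]$ace.RegistryRights
        }
        if ((($rights -band $Mask) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)) { $ace }
    }
}

function Get-NssmServiceAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Service, $Check, $Detail) {
        $findings.Add([pscustomobject]@{ Service = $Service; Check = $Check; Detail = $Detail })
    }

    $services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }
    foreach ($svc in $services) {
        $path = $svc.PathName

        # (1) Unquoted image path with spaces: the SCM may try C:\Program.exe,
        #     "C:\Program Files\x.exe", ... before reaching the real binary.
        if ($path -notmatch '^"' -and $path -match '\s') {
            Add-Finding $svc.Name 'UnquotedImagePath' $path
        }

        # The executable is the quoted token or, failing that, the first token.
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split '\s+')[0] }
        $targets = @($exe, (Split-Path -Parent $exe))

        # (3) Parameters key: whoever can write Application/AppParameters chooses what SYSTEM runs.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path -LiteralPath $key) {
            foreach ($ace in (Get-WeakAces (Get-Acl -LiteralPath $key) $RegWriteMask)) {
                Add-Finding $svc.Name 'WritableParametersKey' "$($ace.IdentityReference): $($ace.RegistryRights)"
            }
            $app = (Get-ItemProperty -LiteralPath $key).Application   # the helper nssm.exe launches
            if ($app) { $targets += $app, (Split-Path -Parent $app) }
        }

        # (2) Weak DACLs on nssm.exe, the wrapped application, and their directories.
        foreach ($t in ($targets | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
            foreach ($ace in (Get-WeakAces (Get-Acl -LiteralPath $t) $FileWriteMask)) {
                Add-Finding $svc.Name 'WeakFileDacl' "$t -> $($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }

        # (4) LocalSystem logon turns any of the above into SYSTEM code execution.
        if ($svc.StartName -eq 'LocalSystem') {
            Add-Finding $svc.Name 'RunsAsLocalSystem' 'service logs on as SYSTEM'
        }
    }
    return $findings
}

Get-NssmServiceAudit | Format-Table -AutoSize
```

A service that appears with WeakFileDacl or WritableParametersKey and also RunsAsLocalSystem is the exact combination the article describes: a low-privileged write plus a SYSTEM-level restart. The audit deliberately treats the wrapped Application as a target too, because replacing the helper is as good as replacing nssm.exe itself.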
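Remediation for practices 1 to 3 above (quoted image path, admin-only write on the binaries and the Parameters key, and a least-privilege logon account) can be scripted as follows. This is an added example, not code from the original article or from the NSSM project. It assumes an elevated session, that the account passed in -RunAs already exists and holds the "Log on as a service" right, and it uses a fixed ACL template (SYSTEM and Administrators full control, Users read-only) that replaces the existing DACL, so review the audit output before running it.

```powershell
# Added example (not from the original article or the NSSM project): remediation for the
# best practices above. Assumptions: elevated session; the service account in -RunAs
# already exists and holds the "Log on as a service" right; the ACL template (SYSTEM and
# Administrators full control, Users read-only) is this example's choice and REPLACES the DACL.

function Set-AdminOnlyWriteAcl {
    # Replaces the DACL on a file, directory, or registry key: admins/SYSTEM write, Users read.
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $isReg = ($Path -like 'HKLM:*') -or ($Path -like 'HKCU:*')
    $isDir = (-not $isReg) -and (Test-Path -LiteralPath $Path -PathType Container)

    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($r in $acl.Access) { if (-not $r.IsInherited) { [void]$acl.RemoveAccessRule($r) } }

    $inherit   = if ($isReg) { 'ContainerInherit' } elseif ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $readRight = if ($isReg) { 'ReadKey' } else { 'ReadAndExecute' }
    foreach ($entry in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                         @('BUILTIN\Administrators', 'FullControl'),
                         @('BUILTIN\Users', $readRight))) {
        $rule = if ($isReg) {
            New-Object System.Security.AccessControl.RegistryAccessRule($entry[0], $entry[1], $inherit, 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule($entry[0], $entry[1], $inherit, 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Protect-NssmService {
    param([Parameter(Mandatory)][string]$ServiceName,
          [System.Management.Automation.PSCredential]$RunAs)   # least-privilege logon account (optional)

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

    # Work out which file the SCM actually starts.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif (Test-Path -LiteralPath $svc.PathName -PathType Leaf) { $exe = $svc.PathName }
    else { $exe = ($svc.PathName -split '\s+')[0] }

    # 1. Quote the image path so a planted C:\Program.exe is never a candidate.
    if ($svc.PathName -notmatch '^"' -and $svc.PathName -match '\s') {
        if (Test-Path -LiteralPath $svc.PathName -PathType Leaf) {
            Set-ItemProperty -LiteralPath $svcKey -Name ImagePath -Value ('"{0}"' -f $svc.PathName)
        } else {
            Write-Warning "$ServiceName has an unquoted ImagePath with arguments; quote it by hand: $($svc.PathName)"
        }
    }

    # 2. Lock down nssm.exe, its folder, and the wrapped application binary.
    $app = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue).Application
    foreach ($t in (@($exe, (Split-Path -Parent $exe), $app) | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Set-AdminOnlyWriteAcl -Path $t
    }

    # 3. Secure the Parameters key (Application / AppParameters) against non-admin writes.
    if (Test-Path -LiteralPath "$svcKey\Parameters") { Set-AdminOnlyWriteAcl -Path "$svcKey\Parameters" }

    # 4. Move the service off LocalSystem onto the supplied least-privilege account.
    if ($RunAs) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $RunAs.UserName
            StartPassword = $RunAs.GetNetworkCredential().Password
        }
        if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }
    }
}

# Usage (service and account names are placeholders):
# Protect-NssmService -ServiceName 'myapp' -RunAs (Get-Credential '.\svc_myapp')
```

The image path is rewritten through the registry rather than sc.exe to avoid the embedded-quote pitfalls of passing quoted arguments to a native command. Win32_Service.Change is used for the logon account so the password never appears on a command line.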
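For the "Monitor Service Registry Keys" practice, the following added example (written for this article, not code from the original page or the NSSM project) puts an audit entry (SACL) on each NSSM service's Parameters key so that writes raise Security event 4657, and then pulls the two event types a defender would review: System 7045 (a service was installed) for nssm image paths, and Security 4657 for changes to Application or AppParameters. It assumes an elevated session, English event message text (the regular expressions parse the message), and that "Audit Registry" success auditing is enabled.

```powershell
# Added example (not from the original article or the NSSM project). Assumptions: elevated
# session; English event text; registry auditing enabled, e.g.
#   auditpol /set /subcategory:"Registry" /success:enable

function Enable-NssmParametersAudit {
    # Adds a SACL entry so any write to the Parameters key generates Security event 4657.
    param([string[]]$ServiceName)
    foreach ($name in $ServiceName) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $acl  = Get-Acl -LiteralPath $key -Audit
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            'Everyone', 'SetValue, CreateSubKey, Delete, WriteKey', 'ContainerInherit', 'None', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

function Get-NssmServiceInstallEvents {
    # System log 7045 ("A service was installed in the system") whose image path uses nssm.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m    = $_.Message
        $svc  = if ($m -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() }
        $img  = if ($m -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() }
        $acct = if ($m -match 'Service Account:\s*(.+)')   { $Matches[1].Trim() }
        if ($img -match 'nssm') {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $svc; ImagePath = $img; Account = $acct }
        }
    }
}

function Get-NssmParametersChangeEvents {
    # Security log 4657 ("A registry value was modified"); only raised for keys that carry a SACL.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m    = $_.Message
        $obj  = if ($m -match 'Object Name:\s*(.+)')       { $Matches[1].Trim() }
        $val  = if ($m -match 'Object Value Name:\s*(.+)') { $Matches[1].Trim() }
        $new  = if ($m -match 'New Value:\s*(.+)')         { $Matches[1].Trim() }
        $who  = if ($m -match 'Account Name:\s*(.+)')      { $Matches[1].Trim() }
        $proc = if ($m -match 'Process Name:\s*(.+)')      { $Matches[1].Trim() }
        # Object Name is in kernel form, e.g. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\<svc>\Parameters
        if ($obj -match '\\Services\\([^\\]+)\\Parameters$' -and $val -in @('Application', 'AppParameters')) {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $Matches[1]; Value = $val
                               NewValue = $new; Account = $who; Process = $proc }
        }
    }
}

# Usage: enable auditing on every NSSM-wrapped service, then review the last 30 days.
$nssmServices = (Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }).Name
Enable-NssmParametersAudit -ServiceName $nssmServices
Get-NssmServiceInstallEvents     | Format-Table -AutoSize
Get-NssmParametersChangeEvents   | Format-Table -AutoSize
```

A 4657 hit whose Account is not an administrator, or whose Process is something other than the legitimate installer or nssm.exe, is the signal worth escalating: it is a non-admin rewriting what a SYSTEM service will execute at its next start.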
