NSSM 2.24 Privilege Escalation
Avoid running NSSM services as NT AUTHORITY\SYSTEM unless absolutely necessary. Instead, create a dedicated Managed Service Account (MSA) or a standard local user account with the bare minimum privileges required to run the application.
Keep Software Updated
$ sc stop SomeService && sc start SomeService
Conduct regular vulnerability scans to identify instances of weak file permissions on service executables. Automate checks for the Authenticated Users:(C) permission pattern.
accesschk.exe -accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService"
or the binary it wraps has "Full Control" or "Write" permissions for the "Users" group, an attacker can replace the binary with a malicious one.
Abuse by Malware
The service controller executes C:\Program.exe, giving the attacker full control over the machine.
Why NSSM 2.24 Specifically?
sc config MyNSSMService binPath= "cmd.exe /c C:\temp\reverse_shell.exe"
While the described vulnerabilities are file-permission issues, NSSM itself has historically been used in advanced attacks. Security researchers and penetration testers have used NSSM to elevate privileges or maintain access after gaining an initial foothold:
Verify that low-privileged accounts cannot modify the registry keys associated with Windows services.
Avoid running services under the LocalSystem account whenever possible. Configure services to run under dedicated low-privilege service accounts with only the minimum permissions necessary for the application to function.
NSSM operates by acting as a wrapper. When you register a service using NSSM, Windows actually starts nssm.exe. In turn, NSSM reads its configuration parameters from the Windows Registry to determine the actual executable to launch, its arguments, and any I/O redirection to apply.
Perhaps the most famous NSSM-related vulnerability is , which affected Apache CouchDB version 2.0.0 on Windows. The vulnerability stemmed from the same fundamental issue: weak file permissions allowing non-privileged users to replace the nssm.exe binary used by the CouchDB service.
The most significant risk with NSSM 2.24 is the vulnerability. This occurs when the path to the nssm.exe binary or the application it manages contains spaces and is not enclosed in quotation marks.