Nssm-2.24 Privilege Escalation [Exclusive Deal]

If the Access Control Lists (ACLs) on these folders are misconfigured, low-privileged users (like members of the Authenticated Users or Users group) may possess write or modify permissions.

: Use sc qc [ServiceName] to check for unquoted paths or insecure binary locations.

due to common misconfigurations rather than a vulnerability in the code itself. Phoenix Contact Common Exploitation Vectors

: A known advisory (ZSL-2017-5418) highlighted how NSSM 2.24 in this software suite allowed non-privileged users to execute arbitrary code by replacing binaries in writable paths. Key Technical Details Vulnerable Version NSSM 2.24 (often bundled with third-party software) Common Path nssm-2.24 privilege escalation

If an attacker has write access to a directory involved in the service execution chain (e.g., a directory with weak permissions where the service binary resides or a path containing spaces without quotes), they can plant a malicious executable. When the service is started or restarted, the operating system or NSSM will execute the malicious file with SYSTEM privileges.

On a vulnerable system, this file will be created by SYSTEM . On a patched system, NSSM will reject the change due to validation errors.

# Find NSSM services Get-WmiObject win32_service | Where-Object $_.PathName -like "*nssm*" | Format-Table Name, StartName, PathName If the Access Control Lists (ACLs) on these

From Service Manager to SYSTEM: Abusing NSSM 2.24 for Privilege Escalation

The privilege escalation vulnerability in NSSM-2.24 arises from improper handling of service configurations and interactions with the Windows operating system. Specifically, the vulnerability allows an attacker to exploit the service manager's functionality to gain elevated privileges on the system.

Would you like a of how to detect weak NSSM service configurations instead? Phoenix Contact Common Exploitation Vectors : A known

+---------------------------+ | Windows SCM | | (Runs as NT AUTHORITY) | +-------------+-------------+ | v Launches +---------------------------+ | nssm.exe (v2.24) | <-- Targeted for Insecure Permissions or Paths +-------------+-------------+ | v Monitors & Runs +---------------------------+ | Target Application/Script | +---------------------------+

Use icacls to check if the service directory is writable. powershell icacls "C:\Path\To\NSSM\Directory" Use code with caution.