
Nssm224 Privilege Escalation Updated

They verify whether the directory permissions allow standard users to write data.

The attacker enumerates running services to identify processes executing under administrative contexts.

NSSM (the Non-Sucking Service Manager) is a service manager for Windows that allows users to manage and monitor system services. Version 224 of NSSM has been identified as vulnerable to a privilege escalation attack. This report summarizes the findings and provides recommendations for mitigation.

However, recent Windows 11 Insider builds present a new prompt when ChangeServiceConfig is called by a non-system process with a modified binary path. This is not yet backported to Server 2022 or Windows 10.

If the NSSM binary (nssm.exe) or the target application binary it launches resides in a directory where low-privilege users have modification rights, an attacker can replace the legitimate file with a malicious payload.

NSSM is used to launch third-party applications (e.g., Node.js servers, Java applications, custom scripts) as background Windows services. When NSSM launches a service, it continuously monitors the application. If the application crashes, NSSM immediately restarts it.

The Core Vector: Weak Permissions & Binary Replacement

To trigger the execution, the service must be restarted. If the low-privilege user has permissions to restart the service, they can execute:

net stop ExampleService && net start ExampleService

If utility frameworks or wrapper binaries are used, ensure they are pulled from official, maintained repositories, signed internally, and validated against known vulnerability databases regularly.

6. Conclusion

NSSM (a popular wrapper for running arbitrary executables as Windows services) can be abused by low-privileged users to escalate to SYSTEM if certain configuration weaknesses exist, specifically insecure registry permissions, service binary replacement, or command-line injection.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\ExampleService\Parameters" /v Application /t REG_SZ /d "C:\Temp\exploit.exe" /f

3. Service Restart

Researchers found that the permissions on nssm.exe were not secured properly. The weakness is categorized as , where the product does not verify a user’s identity before allowing modification of a critical resource.

If the low-privileged user has permission to restart the service, they execute:

net stop InsecureService && net start InsecureService

The most critical defense is ensuring that only administrators have write access to directories where service binaries and configurations are stored. Low-privileged accounts should only have Read & Execute permissions.
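One way to audit for the condition described above, as an added example that is not part of the original page: it finds services whose ImagePath points at nssm.exe, reads the Parameters\Application value shown earlier, and reports non-administrative principals holding write-type rights on the binaries, their directories, or the Parameters key. The trusted-principal list and the English account names are assumptions.

```powershell
# Added example (not from the original page). Assumptions: English principal names,
# and only the accounts in $Trusted are expected to hold write access.
$Trusted      = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Write-type bits only: write/append data, delete, change permissions, take ownership,
# plus GENERIC_WRITE and GENERIC_ALL. Read & Execute bits are deliberately excluded.
$FsWriteMask  = 0x500D0046
$RegWriteMask = 0x500D0006   # SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership

function Get-UntrustedWriter {
    param([string]$Path, [string]$RightsProperty, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and
        ([int]$_.$RightsProperty -band $Mask) -and
        $Trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $key = $_
    $imagePath = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -notmatch 'nssm\.exe') { return }   # not an NSSM-wrapped service

    $wrapper  = $imagePath -replace '^"?(.+?\.exe)"?.*$', '$1'
    $paramKey = "$($key.PSPath)\Parameters"
    $app = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).Application

    # Check each binary and its parent directory, then the Parameters registry key.
    $targets = @($wrapper, $app) | Where-Object { $_ } |
        ForEach-Object { $_; Split-Path -Path $_ -Parent }
    $findings = @(
        foreach ($t in $targets) {
            Get-UntrustedWriter $t 'FileSystemRights' $FsWriteMask |
                ForEach-Object { [pscustomobject]@{ Service = $key.PSChildName; Target = $t; Writer = $_ } }
        }
        Get-UntrustedWriter $paramKey 'RegistryRights' $RegWriteMask |
            ForEach-Object { [pscustomobject]@{ Service = $key.PSChildName; Target = $paramKey; Writer = $_ } }
    )
    $findings
}
```

An empty result means no principal outside the trusted list holds write-type access on the checked targets; every row returned names a service, the file, directory or key affected, and the account whose ACL entry should be reduced to Read & Execute.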

Provide to scan for vulnerable NSSM services.

Article author: Juan Antonio Soto

I am a Computer Engineer and my specialty is automation and robotics. My passion for hardware began at age 14 when I took apart my first computer: a 386 DX 40 with 4MB of RAM and a 210MB hard drive. I continue to give free rein to my passion in the technical articles I write for Geeknetic. I spend most of my free time on video games, contemporary and retro, on the more than 20 consoles I own, in addition to the PC.
