NSSM 2.24 Privilege Escalation

For NSSM 2.24, the mitigation that would address its known privilege escalation pattern is a Permission Integrity Check & Lockdown module, described here as a proposed feature rather than one the tool currently ships.

The feature targets the primary way attackers abuse NSSM deployments: replacing the nssm.exe binary, or the application executable it wraps, when either sits under insecure file permissions.

Key Components of the "Secure Lockdown" Feature

Automated Permission Audit: On service installation and at every start, NSSM would scan its own binary path and the target application path, including their parent directories, since write access to the directory is enough to rename the original away and drop a replacement. It would flag any Write, Modify or Full Control entry granted to broad groups such as "Everyone", "Users" or "Authenticated Users".

Mandatory Quoted Paths: The tool would always write the service's ImagePath to the registry with the executable path enclosed in quotes, closing the "Unquoted Service Path" vector in which Windows tries each prefix of the path that ends at a space (with .exe appended) before the intended binary, so that a malicious file with a matching name in a parent folder runs instead.

Binary Hash Verification: A feature that lets administrators register a SHA-256 hash of the legitimate application executable. NSSM would verify the hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.

"Least Privilege" Mode: A toggle that makes the service default to a virtual account or a low-privileged user instead of "LocalSystem", the account attackers most often aim to inherit because it grants full administrative control.

Why this is needed

NSSM 2.24 is frequently cited in security advisories because third-party installers (CouchDB and Wowza Streaming Engine are commonly named examples) deploy it with weak directory permissions. Because NSSM typically runs as SYSTEM, any user who can replace the nssm.exe file, or the application it launches, can take over the entire machine at the next service start.
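The audit that the four components above describe, written as an added PowerShell example (this is not code from the NSSM project or from the original page). It assumes an elevated session and a hypothetical `$KnownHashes` allowlist that the administrator maintains; 'ExampleSvc' and its hash are placeholders.

```powershell
# Added example, not NSSM's own code. Run from an elevated PowerShell session.
# $KnownHashes is a hypothetical allowlist (service name -> SHA-256 of the wrapped application)
# that the administrator maintains; 'ExampleSvc' and its hash are placeholders.
$HighRiskIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal replace or repoint a file. GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) are not named in FileSystemRights but show up as raw bits in some ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000
$KnownHashes = @{ 'ExampleSvc' = '0000000000000000000000000000000000000000000000000000000000000000' }  # placeholder

function Get-RiskyWriteAces {
    param([string]$Path)
    # Check the file and its parent directory: write on the directory is enough to rename the
    # original away and drop a replacement with the same name.
    foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($HighRiskIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{ Target = $target; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Get-ExecutableFromImagePath {
    param([string]$ImagePath)
    # A quoted ImagePath yields the text inside the quotes; a bare one yields the first token.
    if ($ImagePath -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($ImagePath -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'nssm\.exe' } |
    ForEach-Object {
        $svc      = $_
        $nssmExe  = Get-ExecutableFromImagePath -ImagePath $svc.PathName
        $params   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        $app      = if ($params.Application) { [Environment]::ExpandEnvironmentVariables($params.Application) } else { $null }
        $findings = @()

        # Component 2: the path to nssm.exe must be quoted if it contains spaces.
        if ($svc.PathName -notmatch '^"' -and $nssmExe -match ' ') { $findings += "unquoted ImagePath: $($svc.PathName)" }
        # Component 1: broad groups must not be able to replace nssm.exe or the wrapped application.
        foreach ($hit in (Get-RiskyWriteAces -Path $nssmExe)) { $findings += "nssm.exe replaceable: $($hit.Identity) has $($hit.Rights) on $($hit.Target)" }
        if ($app) {
            foreach ($hit in (Get-RiskyWriteAces -Path $app)) { $findings += "application replaceable: $($hit.Identity) has $($hit.Rights) on $($hit.Target)" }
            # Component 3: compare the wrapped application against the registered SHA-256.
            if ($KnownHashes.ContainsKey($svc.Name) -and (Test-Path -LiteralPath $app)) {
                $actual = (Get-FileHash -LiteralPath $app -Algorithm SHA256).Hash
                if ($actual -ne $KnownHashes[$svc.Name]) { $findings += "hash mismatch for $app (got $actual)" }
            }
        }
        # Component 4: LocalSystem is the account an attacker hopes to inherit.
        if ($svc.StartName -eq 'LocalSystem') { $findings += 'runs as LocalSystem' }

        [pscustomobject]@{
            Service     = $svc.Name
            NssmBinary  = $nssmExe
            Application = $app
            Account     = $svc.StartName
            Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
```

The script reads the same registry values NSSM itself uses (Application under the service's Parameters key) rather than trusting the installer's documentation, and it checks parent directories because a Modify right on the folder defeats a read-only ACE on the file. Inherited ACEs are included deliberately: CVE-2016-8742 was exactly a case of files inheriting a too-permissive directory ACL.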


NSSM (Non-Sucking Service Manager) version 2.24 is a popular open-source utility for running executables as Windows services. While the tool itself is generally considered legitimate, version 2.24 has been linked to several local privilege escalation (LPE) vulnerabilities, usually caused by how third-party installers deploy it rather than by a flaw in its own binary.

Key Privilege Escalation Vectors for NSSM 2.24

Attackers frequently target NSSM 2.24 installations to elevate from a low-privileged user to SYSTEM or Administrator rights using several techniques:

Improper File Permissions: Many applications bundle nssm.exe but fail to secure its directory. If, for example, the "Users" group has Full Control (shown as the F flag in icacls output) over the binary or its parent folder, an attacker can replace nssm.exe with a malicious executable. When the service restarts, Windows runs the replacement with the service's elevated privileges.

Notable Case: CVE-2016-8742 affected the Apache CouchDB Windows installer, where all installed files inherited the permissions of the installation directory, allowing a non-privileged user to substitute the nssm.exe service launcher with their own code.

Unquoted Service Paths: If the path to nssm.exe contains spaces and is not enclosed in quotes (e.g., C:\Program Files\App\nssm.exe), CreateProcess tries each prefix of the path that ends at a space, with .exe appended, before the full path: C:\Program.exe here, and for a path such as C:\Program Files\My App\nssm.exe also C:\Program Files\My.exe. An attacker who can write to one of those directories plants a file with the matching name and it runs as SYSTEM at the next service start. On a default Windows installation neither the root of C:\ nor C:\Program Files allows standard users to create files, so the vector is only exploitable when an intermediate directory carries a weak ACL.
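An added detection example (not from the original page or the NSSM project) that goes a step further than the paragraph: it enumerates every service with an unquoted ImagePath, derives the candidate files CreateProcess would try first, and checks whether a low-privileged principal could actually create that file in the relevant directory. It assumes an elevated session so that every service's ACLs can be read.

```powershell
# Added example, not part of the original page. Run from an elevated PowerShell session.
function Get-HijackCandidates {
    param([string]$ImagePath)
    # CreateProcess tries each prefix ending at a space (plus .exe) before the full path. Only the
    # executable portion matters, so cut the string at the first '.exe' to ignore arguments.
    $exe = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $idx = $exe.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { $exe = $exe.Substring(0, $idx + 4) }
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-LowPrivCreateFile {
    param([string]$Directory)
    # True when Everyone/Users/Authenticated Users can create a file directly in the directory.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE does not apply to this directory itself.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        # CreateFiles (0x2) is the bit needed to drop Program.exe; CreateDirectories (0x4), which
        # Authenticated Users hold on C:\ by default, is not. GENERIC_WRITE/GENERIC_ALL are raw bits.
        $bits = [int]$ace.FileSystemRights
        if (($bits -band 0x2) -or ($bits -band 0x40000000) -or ($bits -band 0x10000000)) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in (Get-HijackCandidates -ImagePath $svc.PathName)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                ImagePath = $svc.PathName
                Candidate = $candidate
                Plantable = Test-LowPrivCreateFile -Directory (Split-Path -Path $candidate -Parent)
            }
        }
    } | Format-Table -AutoSize
```

Rows with Plantable set to True and RunsAs set to LocalSystem are the ones worth acting on; an unquoted path whose every candidate directory is admin-only is a hygiene finding, not a privilege escalation.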

Permissions Misconfiguration (CVE-2025-41686): A more recent advisory for Phoenix Contact Device and Update Management describes misconfigured permissions on nssm.exe itself, allowing a low-privileged local attacker to gain administrative access.

What Makes NSSM 2.24 Different?

A hardened service deployment pins the binaries it launches and protects its own configuration from modification. NSSM 2.24 was designed for convenience rather than for resisting a local attacker with write access to its files, and it trusts whatever file-system and registry ACLs it finds. The properties that turn a weak ACL into SYSTEM code execution are:

  1. Insecure Default Permissions on Service Binaries – The executables NSSM points to, and often nssm.exe itself, frequently reside in directories that installers leave writable by ordinary users.
  2. Weak ACLs on Service Configuration – NSSM stores its configuration in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters (values such as Application, AppDirectory and AppParameters). The key simply inherits the ACL of the Services key and NSSM does not tighten it, so any principal an installer or administrator has granted write access to that key can repoint Application at an arbitrary executable.
  3. No Binary Path Validation – NSSM does not verify the integrity or ownership of the target executable when starting or restarting a service; whatever file is at the configured path runs as the service account.
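The lockdown that counters the three properties above, as an added PowerShell example (not NSSM's own code and not from the original page): it quotes a bare ImagePath, replaces the ACLs on the directories holding nssm.exe and the wrapped application so that only SYSTEM and Administrators can write to them, and warns about any other principal that can modify the Parameters key. It assumes an elevated session; `Protect-NssmService` and the service name 'ExampleSvc' are placeholders of this example.

```powershell
# Added hardening example, not NSSM's own code. Run from an elevated PowerShell session.
function Protect-NssmService {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $svc    = Get-ItemProperty -Path $key
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.Application) {
        throw "$ServiceName has no Parameters\Application value; is it really NSSM-managed?"
    }

    # 1. Quote the ImagePath if the installer left it bare. NSSM's ImagePath is nssm.exe alone,
    #    so anything after the first whitespace can only be an artefact of a bad installer.
    if ($svc.ImagePath -match '^"([^"]+)"') {
        $nssmExe = $Matches[1]
    } else {
        $nssmExe = ($svc.ImagePath -split '\s+')[0]
        Set-ItemProperty -Path $key -Name ImagePath -Type ExpandString -Value ('"{0}"' -f $nssmExe)
    }

    # 2. Replace the ACLs on the directories holding nssm.exe and the wrapped application: drop
    #    inherited ACEs, grant SYSTEM and Administrators full control, Users read/execute only.
    #    Well-known SIDs are used so the script does not depend on the display language.
    $dirs = @($nssmExe, $params.Application) |
        ForEach-Object { Split-Path -Path ([Environment]::ExpandEnvironmentVariables($_)) -Parent } |
        Sort-Object -Unique
    foreach ($dir in $dirs) {
        & icacls.exe $dir /inheritance:r `
            /grant:r '*S-1-5-18:(OI)(CI)F' `
            /grant:r '*S-1-5-32-544:(OI)(CI)F' `
            /grant:r '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $dir" }
    }

    # 3. The Parameters key inherits the Services key ACL and NSSM never tightens it; warn about
    #    any principal other than SYSTEM, Administrators or CREATOR OWNER that can write to it.
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $writeBits = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [int][System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [int][System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL appear as raw bits
    foreach ($ace in (Get-Acl -Path "$key\Parameters").Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $ace.IdentityReference.Value -and
            (([int]$ace.RegistryRights -band $writeBits) -ne 0)) {
            Write-Warning ("{0} can modify {1}\Parameters ({2})" -f $ace.IdentityReference, $ServiceName, $ace.RegistryRights)
        }
    }
}

Protect-NssmService -ServiceName 'ExampleSvc'   # placeholder service name
```

Step 2 deliberately resets rather than appends: adding a deny ACE on top of an inherited Full Control grant is fragile, whereas removing inheritance and re-granting leaves nothing for a later installer run to re-widen. If the wrapped application lives under a user profile or another location that must stay user-writable, move it first; locking its directory would otherwise break the application while leaving the real problem (an attacker-writable service binary) in place.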

1. Executive Summary

The Non-Sucking Service Manager (NSSM) version 2.24 is susceptible to a Local Privilege Escalation (LPE) vulnerability. NSSM is a utility used to wrap arbitrary applications as Windows services. Because the application path and arguments are not validated when the service is installed and started, a local attacker who can influence the service's binary path can execute arbitrary code with SYSTEM privileges.

The Core Issue (CWE-269: Improper Privilege Management)

When a standard user is tricked or coerced into running NSSM 2.24 (for example through a phishing attack or a malicious script on a shared terminal server), the tool does not validate the executable path and arguments before the service starts.

More specifically, the flaw lies in how NSSM 2.24 manages the Application and AppDirectory parameters. A low-privileged user can modify the configuration of an existing NSSM-managed service or, in some versions, inject a malicious payload during the initial (aborted) installation sequence.