In the context of red teaming and penetration testing, NSSM 2.24 has become a notorious binary for unintended privilege escalation. Updated research has highlighted specific configurations and default behaviors in version 2.24 that, while patched or altered in later forks, remain exploitable on legacy systems and in misconfigured enterprise environments.

The reported weakness lets a low-privileged user elevate to the privileges of a higher-privileged account, potentially leading to system compromise. It stems from improper handling of certain commands and parameters, which an attacker can abuse to execute arbitrary code with elevated privileges.

Despite being over a decade old, NSSM 2.24 remains viable because:

The second finding involves NSSM's startup directory (AppDirectory) setting. By default, NSSM starts the service with its working directory set to the directory of the target executable. Because that directory is searched first when the wrapped application loads a DLL by name, an attacker who can write to it, or to a parent directory, can perform a DLL planting attack:

Three mitigations apply to legacy deployments that cannot move off 2.24.

Change the service permissions; for example, remove SERVICE_CHANGE_CONFIG from non-administrators using sc.exe sdset or SubInACL, and do so carefully, since a malformed security descriptor can lock legitimate administrators out of the service.

Ensure all service binary paths (ImagePath) are enclosed in quotes to prevent unquoted service path attacks.

Manually restrict the ACL on the service's Parameters registry key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters), which holds the Application, AppParameters and AppDirectory values that NSSM executes; anyone who can write there controls what runs as the service account. NSSM 2.24 does not do this automatically.
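The following script is an added example, not code from the original article or from the NSSM project. It audits one NSSM-installed service for the misconfigurations discussed above (a Parameters key or startup directory writable by low-privileged principals, an unquoted ImagePath, and a service DACL that grants change-config, write-DAC or write-owner to such principals) and, with -Fix, repairs the ones that can be corrected safely. The service name is an assumed parameter; "low-privileged" is assumed to mean the well-known principals listed in the script, and SIDs in the service SDDL are assumed to appear in their two-letter abbreviated form. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article or the NSSM project).
# Audits, and with -Fix hardens, one NSSM-installed service. Run elevated.
# Assumptions: -Name is the service name; low-privileged = the principals below.
param(
    [Parameter(Mandatory = $true)][string]$Name,
    [switch]$Fix
)

$svcKey       = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
$paramsKey    = "$svcKey\Parameters"      # NSSM stores Application/AppDirectory here
$lowPrivNames = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
$lowPrivSddl  = 'BU|AU|WD|IU'             # the same principals as SDDL abbreviations
$findings     = @()

# Can any low-privileged principal write to this file-system path or registry key?
function Test-LowPrivWrite {
    param([string]$Path)
    $generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, as they appear in raw ACEs
    $fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' -bor $generic
    $regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl' -bor $generic
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivNames -notcontains $ace.IdentityReference.Value) { continue }
        $mask = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$ace.RegistryRights -band $regWrite
        } else {
            [int]$ace.FileSystemRights -band $fsWrite
        }
        if ($mask -ne 0) { return $true }
    }
    return $false
}

# 1. Parameters key: whoever can write Application/AppDirectory runs code as the service account.
if (Test-LowPrivWrite $paramsKey) {
    $findings += "Parameters key $paramsKey is writable by a low-privileged principal (Application hijack)."
    if ($Fix) {
        $acl = Get-Acl -LiteralPath $paramsKey
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
        foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($id, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
        }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users', 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
        Set-Acl -LiteralPath $paramsKey -AclObject $acl
    }
}

# 2. Startup directory: NSSM defaults AppDirectory to the executable's directory, which is
#    first on the DLL search path of the wrapped application. No automatic fix; relocate the app.
$params = Get-ItemProperty -LiteralPath $paramsKey -ErrorAction Stop   # fails if not an NSSM service
$appDir = if ($params.AppDirectory) { $params.AppDirectory } else { Split-Path -Parent $params.Application }
if ((Test-Path -LiteralPath $appDir) -and (Test-LowPrivWrite $appDir)) {
    $findings += "Startup directory $appDir is writable by a low-privileged principal (DLL planting)."
}

# 3. Unquoted ImagePath. Only wrap when the whole value is an existing file, which is the
#    case for NSSM (nssm.exe is registered without arguments); otherwise leave for manual review.
$imagePath = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
if ($imagePath -match ' ' -and $imagePath -notmatch '^"') {
    $findings += "ImagePath '$imagePath' is unquoted and contains spaces (unquoted service path)."
    if ($Fix -and (Test-Path -LiteralPath $imagePath -PathType Leaf)) {
        Set-ItemProperty -LiteralPath $svcKey -Name ImagePath -Value ('"{0}"' -f $imagePath) -Type ExpandString
    }
}

# 4. Service DACL: strip DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER) and
#    generic all/write from ACEs granted to low-privileged principals. Other rights are kept.
$sddl = & sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }
if (-not $sddl) {
    Write-Warning "Could not read the security descriptor of '$Name' (does the service exist?)."
} else {
    $acePattern = "\(A;([^;]*);([^;]*);([^;]*);([^;]*);($lowPrivSddl)\)"
    $dangerous  = 'DC', 'WD', 'WO', 'GA', 'GW'
    $clean = [regex]::Replace($sddl, $acePattern, [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $rights = $m.Groups[2].Value
        if ($rights -like '0x*') { return $m.Value }      # raw hex mask: leave for manual review
        # Rights are two-letter tokens; tokenize before filtering so 'SWDT' is not read as containing 'WD'.
        $kept = for ($i = 0; $i -lt $rights.Length; $i += 2) {
            $t = $rights.Substring($i, 2)
            if ($dangerous -notcontains $t) { $t }
        }
        '(A;{0};{1};{2};{3};{4})' -f $m.Groups[1].Value, (-join $kept), $m.Groups[3].Value, $m.Groups[4].Value, $m.Groups[5].Value
    })
    if ($clean -ne $sddl) {
        $findings += "Service DACL grants change-config/write-DAC/write-owner to a low-privileged principal: $sddl"
        if ($Fix) { & sc.exe sdset $Name $clean | Out-Null }
    }
}

if ($findings.Count -eq 0) { Write-Output "No findings for service '$Name'." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it first without -Fix and review the warnings; the DACL rewrite removes only the listed rights from the matched ACEs, so users keep start/stop/query rights they already had, and ACEs written with a raw hex access mask are reported but not rewritten.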