1

I am doing a security analysis and I am trying to figure out what the possible attack vectors and possibility of privilege escalation are with the way this program is set up.

I used Attack Surface Analyzer, which flagged the "MyService" installed by the program as vulnerable to tampering. At first I thought it had to do with the service's ACL and ACEs; after a lot of headaches it turned out that it had to do with the path where the service is being started and the directory attributes it inherits. The program is running out of C:\ProgramData.

The directories allow all "Builtin Users" "FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_WRITE_ATTRIBUTES FILE_WRITE_EA."

While toying around with different possibilities I was able to add files and folders within the path of the program, however I am not able to rename, delete or replace any of the files. At first I thought, well, if I could replace the executable file that the service is running then that would be perfect, or rename the folder and add my own files, however that is not the case.

I also thought just maybe I would be able to start or stop the service or change the path for the service, but that is also not allowed. I used regedit to look at the service's permissions, and for BuiltIn Users they are Read only.

0siris
  • 91
  • 8
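The check the question is doing by hand (which ACEs a service's binary and its parent directory grant to low-privileged groups, and whether they are inherited from C:\ProgramData) can be done for every service on the host in one pass. The script below is an added audit example for this thread, not code from the question or from Attack Surface Analyzer. It assumes an elevated Windows PowerShell 5.1 session and treats the listed group names as the "low-privileged principals" of interest; both the group list and the set of rights counted as write access are assumptions you can adjust.

```powershell
# Audit: list services whose image file or its parent directory grants
# create/write/delete rights to low-privileged principals.
# Added example for this thread (not from the original question).
# Assumes an elevated Windows PowerShell 5.1+ session.

# Principals considered low-privileged (assumption: extend as needed).
$lowPrivGroups = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal plant, modify or remove content. 'Write' is the
# composite of WriteData/CreateFiles, AppendData/CreateDirectories,
# WriteAttributes and WriteExtendedAttributes, i.e. what ProgramData grants Users.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service.PathName, which may be
    # quoted or unquoted and may carry trailing arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-WeakAces {
    # Return Allow ACEs on $Path that give a low-privileged principal any write right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) { $ace }
    }
}

$results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -LiteralPath $exe -Parent
    # Check the binary itself and the directory it is started from.
    foreach ($target in @($exe, $dir)) {
        try { $weak = @(Get-WeakAces -Path $target) } catch { continue }
        foreach ($ace in $weak) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true when the ACE came from the parent, e.g. C:\ProgramData
            }
        }
    }
}

$results | Sort-Object Service, Target | Format-Table -AutoSize
```

The `Inherited` column is the part that answers the question's "directory attributes it inherits" observation: an ACE marked `$true` was not set by the installer but propagated from the parent folder's DACL. The pattern described in the question (new files can be added, existing ones cannot be renamed or replaced) is what you expect under ProgramData's default DACL, where Users get create rights on folders but the files the installer dropped are owned by the installing account, so users hold no delete or write right on them. The usual remediation for any row this script produces is to install service binaries under a location whose DACL grants standard users Read & Execute only (Program Files has that by default), or to break inheritance on the service's folder and set an explicit DACL that removes the write rights; keeping the service's own registry key and SCM permissions read-only for Users, as the question already found, is necessary but not sufficient on its own.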

0 Answers