Service Binary Hijacking

One of the most common mistakes developers make is in the permissions assigned to the installation folders and the executables. When full read and write permission is assigned to every user of the group, a lower-privileged user can modify the binary and abuse it.

The user can replace the binary with a malicious one, then either restart the service/application or reboot the system if the application is set to auto-start at boot.

The first step is to list all the application folders, which can be done using the command.

Then the permissions of each folder and executable can be checked with the icacls tool using

The binary can be checked for its Startup Type using .

If auto-start is set, then we can check whether the user has permission to restart the system using the .

The system can be restarted using this .
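The three checks above (find the service binaries, read their ACLs, note the startup type) can be combined into one audit so that an administrator can find and fix weak permissions before a lower-privileged user does. The script below is an added example and is not part of the original page; it uses Get-CimInstance and Get-Acl rather than icacls, the list of broad principals it treats as risky and the write-rights mask are assumptions of this example, and it should be run from an elevated PowerShell session so every ACL is readable.

```powershell
# Added audit example (not from the original page): list services whose binary, or
# the folder containing it, grants write-class rights to broad principals.
# Assumptions: the principals below are the ones considered "too broad"; the mask
# covers Write, Modify, FullControl plus the GENERIC_WRITE/GENERIC_ALL bits that
# Get-Acl reports as raw numbers.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted and may carry arguments,
    # e.g. "C:\Program Files\App\svc.exe" -run  or  C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)')  { return $Matches[1] }   # -match is case-insensitive
    return ($PathName -split ' ')[0]
}

function Test-BroadWriteAccess {
    # Returns the first broad principal holding write-class rights on $Path, else $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    # Check the executable itself and its parent folder: a writable folder is enough
    # to rename the binary and drop a replacement even when the file ACL looks tight.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        try { $who = Test-BroadWriteAccess -Path $target } catch { continue }
        if ($who) {
            [pscustomobject]@{
                Service    = $svc.Name
                StartMode  = $svc.StartMode   # Auto-start services are the highest risk
                RunsAs     = $svc.StartName
                Path       = $target
                WritableBy = $who
            }
        }
    }
}

$findings | Sort-Object StartMode, Service | Format-Table -AutoSize
```

Each row is a service whose binary can be replaced by an ordinary user; the StartMode column shows which of them would also be re-executed automatically on the next reboot. Remediation is to remove the broad write entry (for example with icacls, as the page describes for the check) so that only Administrators and SYSTEM can modify the folder and executable, and to verify that the fix is not undone by inherited rights from the parent directory.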
