Local privilege escalation: ProgramData directories created without restrictive ACLs

[Christophe-Rogiers]

Description

When Servy creates directories under C:\ProgramData\Servy\ (db, security, recovery), no explicit ACLs are set:

Affected locations:

• src/Servy.Core/Helpers/AppFoldersHelper.cs (lines 63–65) — db\ directory
• src/Servy.Core/Security/ProtectedKeyProvider.cs (line 182) — security\ directory
• src/Servy.Service/Service.cs (line 648) — recovery\ directory

Directory.CreateDirectory(directory);  // inherits default ProgramData ACL

The default C:\ProgramData ACL grants the Users group write access to newly created subdirectories. This means any local non-admin user can:

1. Modify the SQLite database (C:\ProgramData\Servy\db\Servy.db) to change service configurations — executable path, working directory, pre/post-launch hooks, environment variables
2. Point a service's executable path to a malicious binary that then runs as the service account (potentially SYSTEM)
3. Tamper with recovery files to reset restart attempt counters or cause denial-of-service
4. Delete or corrupt DPAPI key files making all encrypted passwords unrecoverable

Severity

Critical — local privilege escalation (CWE-276: Incorrect Default Permissions). A low-privileged local user can escalate to SYSTEM by modifying the database to redirect a service's binary path.

Suggested fix

Set restrictive ACLs on C:\ProgramData\Servy\ immediately after creation:

var dirInfo = Directory.CreateDirectory(directory);
var security = dirInfo.GetAccessControl();
security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
security.AddAccessRule(new FileSystemAccessRule(
    new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(
    new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow));
dirInfo.SetAccessControl(security);

Also ensure the installer (Inno Setup) sets the same ACLs during installation.

[aelassas]

Thank you for the detailed report and the suggested fix. This was indeed a critical security gap (CWE-276) allowing for potential Local Privilege Escalation.

Resolution:
I have implemented a dedicated security layer via SecurityHelper.CreateSecureDirectory to harden these directories. The implementation goes slightly beyond the suggested fix to ensure no "legacy" or OS-default explicit rules remain:

• Inheritance Break: I now explicitly break inheritance (isProtected: true) and discard inherited rules (preserveInheritance: false) to decouple from insecure C:\ProgramData defaults.
• Explicit Purge: The fix surgically purges explicit ACEs for the Users, Authenticated Users, and Everyone groups. This handles cases where the OS or installer might have added non-inherited "Read/Execute" rules during directory creation.
• Identity-Based Access: Access is now strictly limited to SYSTEM and Builtin Administrators. I also conditionally grant access to the Current User (e.g., the installer or developer) to ensure operational continuity and maintenance.
• Installer Sync: The Inno Setup installer has been updated to apply these identical restrictive ACLs via icacls during deployment, ensuring the "Secure by Default" posture is established before the service even starts.

Affected components updated:

• AppFoldersHelper.cs
• ProtectedKeyProvider.cs
• Service.cs
• servy.iss (Installer)

Important

This fix ensures that even if a local attacker manages to pre-create these folders, the service will "upgrade" the security and strip their access upon initialization.

[joelcharlebois]

To confirm, will an upgrade from a prior existing installation, purge those same groups? (which is good)

Also, consider the situation where the service has been configured to run as the virtual service account or other limited user, and the administrator has granted that account read/execute on these Servy folders. Could an upgrade impact these permissions?

Just want to ensure that an upgrade of Servy doesn't inadvertantly break existing services. Or otherwise if they may break, some warning may need to be issued.

Thx.

[aelassas]

@joelcharlebois

Short Answer: No, an upgrade will not inadvertently break your existing services or purge custom accounts, provided those accounts were granted explicit permissions to %ProgramData%\Servy.

Long Answer: I recently tested this exact scenario. The v7.9 installer and application startup logic use a highly targeted approach to mitigate Local Privilege Escalation (LPE), rather than a destructive "factory reset" of the folder.

Here is what happens during an upgrade:

1. Inheritance is Broken: The installer and app tell the %ProgramData%\Servy folder to stop inheriting rules from its parent directory.
2. Broad Groups are Purged: It explicitly targets and removes insecure, broad groups (Users, Authenticated Users, and Everyone).
3. Explicit Rules are Preserved: It does not wipe the entire Access Control List (ACL). If you have a Virtual Service Account (VSA) or a limited user (e.g., .\test_svc) that was explicitly granted Modify rights, those specific permissions are untouched and remain fully active.

If your limited service user was relying on the generic "Users" group to access the folder, it will lose access. If you explicitly added the service user to the folder's security tab (which is the best practice), the upgrade will respect those permissions and your services will continue running without interruption.