Wix bundle security issues - Special permissions #6149
Comments
This is mitigated because Burn uses a random name for the folder in TEMP that is mathematically impossible for an attacker to guess.
I can write a program that monitors the TEMP folder (say, using the .NET FileSystemWatcher class); immediately after a folder is created, I can replace the bootstrapper application DLL with my own DLL before Burn loads it.
That will only work if the program monitoring the folder is elevated. Normal users can't scan the contents of the system TEMP folder.
This is incorrect. The elevated engine protects against this. If you have a DLL that can be injected into the elevated engine without elevating, please do open a security issue.
This is illogical. If such a folder is created with permissions preventing the user from writing to it, how would the elevated engine be placed there?
The correct way to report security vulnerabilities is to open an advisory issue. That allows us to respond securely while investigating.
3.11.2
Visual Studio 2019 16.5.0
Wix Toolset extension 2019 1.0.0.4
4.6.2
Windows 10, version 1903
When running an installer bundle, the content of the bundle is extracted to a temporary folder in the TEMP directory. If it is run normally, without admin permissions, the folder is in the user's temp directory; otherwise the folder is in "C:\Windows\Temp".
I can see a security issue here:
In the case of the user's temp directory, a hacker can just change the DLLs in that folder and make the user run malicious DLLs when he runs the bundle.
But when the folder is "C:\Windows\Temp", even though only admins are supposed to have permissions there, a normal user still has "special permissions" which allow him to change the files there:
This also allows a hacker to replace DLLs.
When the bundle content is extracted to "C:\Windows\Temp":
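The "special permissions" the report points at, and the mitigation the comments argue about (a working folder whose permissions stop other users writing into it, independent of its random name), can both be checked with the PowerShell below. This is an added example, not code from the WiX Toolset or from the issue author; the parameter `$Principal` and the functions `Get-WriteRights` and `New-PrivateWorkingFolder` are names chosen for this example. It reports which rights a non-admin principal holds on the user's `%TEMP%` and on `%SystemRoot%\Temp`, then creates a folder in `%TEMP%` whose DACL is cut off from the parent and verifies that the principal no longer has an entry on it.

```powershell
# Added example (not WiX Toolset code and not from the issue author).
# Part 1: report what a non-admin principal can do in the two folders Burn
#         extracts into (%TEMP% and %SystemRoot%\Temp).
# Part 2: create a working folder whose DACL does not inherit from its parent,
#         so only the creating account, SYSTEM and Administrators can reach it.
# Assumptions: Windows 10, Windows PowerShell 5.1 or PowerShell 7. $Principal,
# Get-WriteRights and New-PrivateWorkingFolder are names chosen for this example.
param(
    [string]$Principal = 'BUILTIN\Users'
)

$Rights = [System.Security.AccessControl.FileSystemRights]

function Get-WriteRights {
    param([string]$Path, [string]$Identity)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Reading the DACL of the system TEMP folder may need an elevated prompt
        Write-Warning "Cannot read DACL of ${Path}: $_"
        return
    }
    # Only Allow entries for the identity; Deny entries are unusual on these folders
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $Identity
                Rights    = $_.FileSystemRights
                # CreateFiles (= WriteData) lets the identity drop new files into the folder
                CanCreate = (([int]$_.FileSystemRights) -band [int]$Rights::CreateFiles) -ne 0
                # ListDirectory (= ReadData) lets it enumerate what is already there
                CanList   = (([int]$_.FileSystemRights) -band [int]$Rights::ListDirectory) -ne 0
                # ContainerInherit means subfolders created underneath inherit the entry
                Inherits  = $_.InheritanceFlags
            }
        }
}

function New-PrivateWorkingFolder {
    param([string]$Parent)
    # Random name like Burn's, but the protection here comes from the DACL, not the name
    $path = Join-Path $Parent ([guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $path | Out-Null

    $acl = Get-Acl -Path $path
    # Drop inherited entries; on %SystemRoot%\Temp this is where Users' CreateFiles comes from
    $acl.SetAccessRuleProtection($true, $false)

    $creator = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $system  = [System.Security.Principal.SecurityIdentifier]::new(
                   [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $admins  = [System.Security.Principal.SecurityIdentifier]::new(
                   [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    foreach ($sid in @($creator, $system, $admins)) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# Part 1: what can $Principal do where Burn extracts?
foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
    $entries = @(Get-WriteRights -Path $dir -Identity $Principal)
    if ($entries.Count -eq 0) {
        Write-Output "$dir : no Allow entry for $Principal"
    } else {
        $entries | Format-Table -AutoSize
    }
}

# Part 2: a folder that does not inherit those entries
$work = New-PrivateWorkingFolder -Parent $env:TEMP
$leak = (Get-Acl -Path $work).Access | Where-Object { $_.IdentityReference.Value -eq $Principal }
if ($leak) {
    Write-Warning "$Principal still has an entry on $work"
} else {
    Write-Output "$work is reachable only by its creator, SYSTEM and Administrators"
}
```

On a default Windows 10 install the `BUILTIN\Users` entry on `%SystemRoot%\Temp` typically carries `CreateFiles`/`AppendData` with `ContainerInherit` but not `ListDirectory`, which is what the GUI labels "Special permissions": a normal user can create entries there, and in any subfolder whose name they already know, without being able to enumerate the folder. That is consistent with both halves of the thread, so the thing to verify on a concrete machine is Part 2, namely whether the folder the engine actually extracts into still carries that inherited entry. Run from an elevated prompt if `Get-Acl` on the system TEMP folder is denied.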