Wix bundle security issues - Special permissions #6149
Comments
|
This is mitigated because Burn uses a random name for the folder in TEMP that is mathematically impossible to guess by an attacker. |
I can write a program that monitors the TEMP folder (Let's say using FileSystemWatcher .NET Class), immediately after a folder is created, I can replace the bootstrapper application DLL with my own DLL, before the burn loads it. |
|
That will only work if the program monitoring the folder is elevated. Normal users can't scan the contents of the system TEMP folder. |
This is incorrect. The elevated engine protects against this. If you have a DLL that can be injected into the elevated engine without elevating, please do open a security issue.
This is illogical. If such a folder is created with permissions preventing the user from writing to it, how would the elevated engine be placed there? |
|
The correct way to report security vulnerabilities is to open an advisory issue. That allows us to respond securely while investigating. |
3.11.2
Visual Studio 2019 16.5.0
Wix Toolset extension 2019 1.0.0.4
4.6.2
Windows 10, version 1903
When running an installer bundle, the content of the bundle is being extracted to a temporary folder in TEMP directory, if running normally without admin permissions, the folder is in a user's temp directory, otherwise the folder is in "C:\Windows\Temp".
I can see a security issue here:
In case of a user's temp directory, a hacker can just changed the DLLs of that folder and make the user run a malicious DLLs when he runs the bundle.
But when the folder is "C:\Windows\Temp", even though only admin suppose to have permissions there, a normal user still have "special permissions" which allows him to change the files there:
This also allow hacker to replace DLLs..
When the bundle content is extracted to "C:\Windows\Temp":
The text was updated successfully, but these errors were encountered: