CVE-2024-29187 wix

Package

Manager: nuget
Name: wix
Vulnerable Version: >=0 <3.14.1 || >=4.0.0 <4.0.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00067 (percentile 0.21146)

Details

WiX based installers are vulnerable to binary hijack when run as SYSTEM

### Summary

Burn uses the unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.

### Details

When a bundle runs as the SYSTEM user, Burn uses GetTempPathW, which points to the insecure directory C:\Windows\Temp, to drop and load multiple binaries. Standard users can hijack a binary before it is loaded by the application, resulting in elevation of privilege.

icacls c:\windows\temp
**BUILTIN\Users:(CI)(S,WD,AD,X)**
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

Built-in users (non-administrators) have special permissions on this folder and can create files and write to this directory. While they do not have explicit read permissions, they can monitor changes to this directory with the ReadDirectoryChangesW API and thus discover the randomized folder names created inside it as well.

### PoC

The PoC works against the Visual Studio Enterprise with Update 3 [installer](https://myvs.download.prss.microsoft.com/dbazure/en_visual_studio_enterprise_2015_with_update_3_x86_x64_dvd_8923288.iso?t=8132cd54-4b83-4478-8b73-fd9eb93437bf&P1=1709239640&P2=601&P3=2&P4=iorgKPv%2bG8n2NANTPUVoB92rr8t3W4XM594%2f9BtQQJrYrr8SwxGDxV%2fj%2f2F6Ulto0bXrIaFoZUr4yV37YAsOZVpM29IMtQEO0673AbDVuTe93qDb6wb7xdlpZSse0LZURUwwIFw5cwHQS2ZtvkunXE0osgXtEBT2IzVbPwVH39%2fum854xb4e2Dp61wgNrMZcOLLluBbeA3KX1sP3mm7WAWXBvlFiQWEnTfR5XH5mlLyPy2qfqCXWCjl84jNX7uY%2bpLR1IbfeD2JlcIQNeW2QrvmmqRrRbGvvaCA97IaSjM16XcDqVjvAEGW3sWXUc7y%2fEf68WZIyT7iilaEDUvaqqA%3d%3d&su=1).

#### Reproduction steps

As a standard user, run the PoC. Mount the ISO and run the Visual Studio installer as the local SYSTEM account. The PoC should hijack the binaries dropped by the VS installer, and a child process "notepad.exe" will be running.
### Impact This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.
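The root cause above is a directory whose DACL lets BUILTIN\Users create and write files (the WD and AD rights in the icacls output) in a location where a SYSTEM process later loads binaries. The following PowerShell check is an added example for auditing that condition on a host; it is not part of the advisory or of the WiX project. The list of "broad" principals it flags is an assumption chosen for this example, and it reports an entry whenever one of those principals holds an Allow ACE with any of the write/create rights.

```powershell
# Added example, not from the advisory: report directories whose DACL grants
# file-creation or write rights to broad, non-administrative principals.
function Test-WorldWritableDirectory {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )

    # Principals treated as "any standard user" (assumption for this example).
    $broadPrincipals = @(
        'BUILTIN\Users',
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # CreateFiles/WriteData corresponds to icacls WD, AppendData/CreateDirectories to AD.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Skipping '$p': not a directory"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            # Emit one finding per matching ACE so the output can be piped or exported.
            [pscustomobject]@{
                Path        = $p
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

# Usage: audit the directory named in the advisory plus the user's own temp path
# (the latter is expected to be writable by that user and is shown for contrast).
Test-WorldWritableDirectory -Path 'C:\Windows\Temp', $env:TEMP | Format-Table -AutoSize
```

On a default Windows install the check reports the BUILTIN\Users entry for C:\Windows\Temp, matching the icacls output quoted in the advisory. An installer that must run as SYSTEM should not stage executables in a directory that produces a finding here; the fixed WiX releases listed under Vulnerable Version avoid this path when elevated.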

Metadata

Created: 2024-03-25T19:42:32Z
Modified: 2024-03-25T19:42:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-rf39-3f98-xr7r/GHSA-rf39-3f98-xr7r.json
CWE IDs: ["CWE-732"]
Alternative ID: GHSA-rf39-3f98-xr7r
Finding: F039
Auto approve: 1