Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03d2gyLXd4YzctOXBoNc4AA5Kc
WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges
Summary
.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.
Details
If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.
PoC
As a standard, non-admin user:
- Monitor the user's TEMP folder for changes using ReadDirectoryChangesW
- On FILE_ACTION_ADDED, check if the folder name is .be
- Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local)
- Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll)
- Do hacker things when the engine escalates and the malicious DLL is loaded
Proper naming for the path can be obtained by using GetModuleHandle("comctl32.dll") and GetModuleFileName.
Impact
DLL redirection utilizing .exe.Local Windows capability. This impacts any installer built with the WiX installer framework.
Permalink: https://github.com/advisories/GHSA-7wh2-wxc7-9ph5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03d2gyLXd4YzctOXBoNc4AA5Kc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-7wh2-wxc7-9ph5, CVE-2024-24810
References:
- https://github.com/wixtoolset/issues/security/advisories/GHSA-7wh2-wxc7-9ph5
- https://nvd.nist.gov/vuln/detail/CVE-2024-24810
- https://github.com/wixtoolset/wix/commit/fec38b6461d0551339139a2fe52403a61942adc0
- https://github.com/advisories/GHSA-7wh2-wxc7-9ph5
Blast Radius: 0.0
Affected Packages
nuget:wix
Dependent packages: 0Dependent repositories: 1
Downloads: 7,874,895 total
Affected Version Ranges: < 3.14.0, >= 4.0.0, < 4.0.4
Fixed in: 3.14.0, 4.0.4
All affected versions: 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.9.2, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.11.0, 3.11.1, 3.11.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3
All unaffected versions: 3.14.0, 3.14.1, 4.0.4, 4.0.5, 5.0.0