Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yZjM5LTNmOTgteHI3cs4AA6Ri
WiX based installers are vulnerable to binary hijack when run as SYSTEM
Summary
Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.
Details
When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges.
icacls c:\windows\temp
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel
PoC
PoC works against the against visual studio enterprise with update 3 installer
Reproduction steps
As a standard user, run the poc.
Mount the iso and run visual studio installer as local system account.
The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running.
Impact
This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.
Permalink: https://github.com/advisories/GHSA-rf39-3f98-xr7rJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZjM5LTNmOTgteHI3cs4AA6Ri
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-rf39-3f98-xr7r, CVE-2024-29187
References:
- https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
- https://nvd.nist.gov/vuln/detail/CVE-2024-29187
- https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
- https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9
- https://github.com/advisories/GHSA-rf39-3f98-xr7r
Blast Radius: 0.0
Affected Packages
nuget:WixToolset.Sdk
Dependent packages: 2Dependent repositories: 0
Downloads: 1,448,007 total
Affected Version Ranges: < 4.0.5
Fixed in: 4.0.5
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
All unaffected versions: 4.0.5, 4.0.6, 5.0.0, 5.0.1, 5.0.2
nuget:wix
Dependent packages: 1Dependent repositories: 1
Downloads: 9,604,390 total
Affected Version Ranges: >= 4.0.0, < 4.0.5, < 3.14.1
Fixed in: 4.0.5, 3.14.1
All affected versions: 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.9.2, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.11.0, 3.11.1, 3.11.2, 3.14.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
All unaffected versions: 3.14.1, 4.0.5, 4.0.6, 5.0.0, 5.0.1, 5.0.2