GHSA-7wh2-wxc7-9ph5

Source

https://github.com/advisories/GHSA-7wh2-wxc7-9ph5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-7wh2-wxc7-9ph5/GHSA-7wh2-wxc7-9ph5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7wh2-wxc7-9ph5

Aliases

CVE-2024-24810

Published

2024-02-08T18:23:49Z

Modified

2024-02-16T08:11:54.145753Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges

Details

Summary

.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.

Details

If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/<bundle>.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.

PoC

As a standard, non-admin user: 1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW 2. On FILEACTIONADDED, check if the folder name is .be 3. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local) 4. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86microsoft.windows.common-controls.../COMCTL32.dll) 5. Do hacker things when the engine escalates and the malicious DLL is loaded

Proper naming for the path can be obtained by using GetModuleHandle("comctl32.dll") and GetModuleFileName.

Impact

DLL redirection utilizing .exe.Local Windows capability. This impacts any installer built with the WiX installer framework.

Database specific

{
    "nvd_published_at": "2024-02-07T03:15:50Z",
    "cwe_ids": [
        "CWE-426"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T18:23:49Z"
}

References

Affected packages

NuGet / wix

Package

Name: wix; View open source insights on deps.dev
Purl: pkg:nuget/wix

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.4

Affected versions

4.*

4.0.0

4.0.0.2926-pre

4.0.0.3226-pre

4.0.0.3922-pre

4.0.0.4506-pre

4.0.0.5512-pre

4.0.1

4.0.2

4.0.3

NuGet / wix

Package

Name: wix; View open source insights on deps.dev
Purl: pkg:nuget/wix

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.14.0

Affected versions

3.*

3.6.0

3.6.0.1

3.7.0

3.7.0.1

3.8.0

3.8.0.1

3.9.0

3.9.0.1

3.9.2

3.9.2.1

3.10.0

3.10.0.1719-pre

3.10.0.1726-pre

3.10.0.2103-pre

3.10.0.2103-pre1

3.10.1

3.10.2

3.10.3

3.10.4

3.11.0

3.11.0.321-pre

3.11.0.504-pre

3.11.0.906-pre

3.11.0.1507-rc

3.11.0.1528-rc2

3.11.1

3.11.2