GHSA-RF39-3F98-XR7R

Vulnerability from github – Published: 2024-03-25 19:42 – Updated: 2024-03-25 19:42
VLAI?
Summary
WiX based installers are vulnerable to binary hijack when run as SYSTEM
Details

Summary

Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.

Details

When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges.

icacls c:\windows\temp

BUILTIN\Users:(CI)(S,WD,AD,X) BUILTIN\Administrators:(F) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F)

Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel  

PoC

PoC works against the against visual studio enterprise with update 3 installer

Reproduction steps

As a standard user, run the poc. Mount the iso and run visual studio installer as local system account. The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running.

Impact

This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.

Severity ?
7.3 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "wix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "wix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "WixToolset.Sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:42:32Z",
    "nvd_published_at": "2024-03-24T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nBurn uses an unprotected C:\\Windows\\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users. \n\n### Details\nWhen a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it\u0027s loaded in the application resulting in elevation of privileges.\n\nicacls c:\\windows\\temp\n\n   **BUILTIN\\Users:(CI)(S,WD,AD,X)** \nBUILTIN\\Administrators:(F)\nBUILTIN\\Administrators:(OI)(CI)(IO)(F)\nNT AUTHORITY\\SYSTEM:(F)\nNT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n                \nBuilt in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel\n\u00a0\n\n### PoC\n\n PoC works against the against visual studio enterprise with update 3 [installer ](https://myvs.download.prss.microsoft.com/dbazure/en_visual_studio_enterprise_2015_with_update_3_x86_x64_dvd_8923288.iso?t=8132cd54-4b83-4478-8b73-fd9eb93437bf\u0026P1=1709239640\u0026P2=601\u0026P3=2\u0026P4=iorgKPv%2bG8n2NANTPUVoB92rr8t3W4XM594%2f9BtQQJrYrr8SwxGDxV%2fj%2f2F6Ulto0bXrIaFoZUr4yV37YAsOZVpM29IMtQEO0673AbDVuTe93qDb6wb7xdlpZSse0LZURUwwIFw5cwHQS2ZtvkunXE0osgXtEBT2IzVbPwVH39%2fum854xb4e2Dp61wgNrMZcOLLluBbeA3KX1sP3mm7WAWXBvlFiQWEnTfR5XH5mlLyPy2qfqCXWCjl84jNX7uY%2bpLR1IbfeD2JlcIQNeW2QrvmmqRrRbGvvaCA97IaSjM16XcDqVjvAEGW3sWXUc7y%2fEf68WZIyT7iilaEDUvaqqA%3d%3d\u0026su=1)\n\n#### Reproduction steps\nAs a standard user, run the poc.\nMount the iso and run visual studio installer as local system account.\nThe PoC should hijack the the binaries dropped by vs installer and a child process \"notepad.exe\" will be running.\n\n### Impact\nThis is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\\Windows\\Temp to elevate to the SYSTEM user privileges. ",
  "id": "GHSA-rf39-3f98-xr7r",
  "modified": "2024-03-25T19:42:32Z",
  "published": "2024-03-25T19:42:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wixtoolset/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WiX based installers are vulnerable to binary hijack when run as SYSTEM"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.