[wix-users] zip slip and WiX toolset

Edwin Castro egcastr at gmail.com
Mon Sep 24 12:00:16 PDT 2018 

I'm not an authority but ... I don't think standard Windows Installer
packages, the Windows Installer engine, Wix standard custom actions, nor
the WiX Burn engine are vulnerable to Zip Slip.

First, you need code that extracts archives without validation of
destinatiin targets. I think, but have not verified, that the Windows
Installer engine, WiX Burn engine, and WiX standard custom actions extract
files to specific target directories that have been specified *without*
relative paths. These target directories are not specified by the archives
themselves but rather by the Windows Installer package tables or embbeded
manifest.

If you had a non-compressed payload or media, then you might have the
second condition required (the malicious archive) since an attacker could
try to intercept/replace a cab or similar archive. But that is the reason
we should sign our archives, to know they were not tampered. If the
non-compressed archive was tampered, then the target directory was still
determined by the msi tables or manifest so the malicious archive could
deliver untrusted content but it will not be delivered to "outside"
directories.

Obviously, custom action authors need to analyze their extraction code and
archives if they use any.

--
Edwin G. Castro


On Mon, Sep 24, 2018, 11:38 Wally Wojciechowski via wix-users <
wix-users at lists.wixtoolset.org> wrote:

> Outside of custom action code that extracts an archive(which is on the
> custom action author), can anyone point to a way where someone has
> exploited the WiX standard bootstrapper or a WiX generated MSI using zip
> slip? We are analyzing our build and packaging and need to cover all bases.
> From my understanding this seems impossible but I want to be sure.
>
>
> Thanks,
>
> Wally Wojciechowski
>
> Disclaimer
>
> This is an email from iManage. The information contained in it and in any
> attachments is proprietary and confidential and is designated solely for
> the attention and use of the intended recipient(s).
> If you are not the intended recipient(s), please notify the sender
> immediately and then delete it (and any attachment) from your computer
> system(s).
> Any form of distribution, copying or use of this e-mail or any part of it
> is strictly prohibited.
> iManage does not accept legal responsibility for the contents of this
> e-mail and opinions expressed in it may not necessarily reflect those of
> the company.
> iManage does not accept liability for errors or omissions, or for any
> damage caused by viruses or other harmful programme routines.
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>

More information about the wix-users mailing list