[wix-users] zip slip and WiX toolset

Nir Bar nir.bar at panel-sw.com
Wed Sep 26 07:01:51 PDT 2018


Use my WiX extension: https://www.nuget.org/packages/PanelSwWixExtension

<PanelSW:Unzip Id="_1" TargetFolder="[INSTALLFOLDER]" ZipFile="[INSTALLFOLDER]\1.zip" Overwrite="yes"><![CDATA[Not Installed]]></PanelSW:Unzip>

-- 
Nir Bar
WiX Expert

---- On Mon, 24 Sep 2018 22:00:16 +0300 Edwin Castro via wix-users <wix-users at lists.wixtoolset.org> wrote ----

I'm not an authority but ... I don't think standard Windows Installer packages, the Windows Installer engine, WiX standard custom actions, nor the WiX Burn engine are vulnerable to Zip Slip.

First, you need code that extracts archives without validation of destination targets. I think, but have not verified, that the Windows Installer engine, WiX Burn engine, and WiX standard custom actions extract files to specific target directories that have been specified *without* relative paths. These target directories are not specified by the archives themselves but rather by the Windows Installer package tables or embedded manifest.

If you had a non-compressed payload or media, then you might have the second condition required (the malicious archive) since an attacker could try to intercept/replace a cab or similar archive. But that is the reason we should sign our archives, to know they were not tampered. If the non-compressed archive was tampered, then the target directory was still determined by the msi tables or manifest so the malicious archive could deliver untrusted content but it will not be delivered to "outside" directories.

Obviously, custom action authors need to analyze their extraction code and archives if they use any.

-- 
Edwin G. Castro

On Mon, Sep 24, 2018, 11:38 Wally Wojciechowski via wix-users <wix-users at lists.wixtoolset.org> wrote:

> Outside of custom action code that extracts an archive (which is on the
> custom action author), can anyone point to a way where someone has
> exploited the WiX standard bootstrapper or a WiX generated MSI using zip
> slip?
>
> We are analyzing our build and packaging and need to cover all bases.
> From my understanding this seems impossible but I want to be sure.
>
> Thanks,
>
> Wally Wojciechowski
>
> Disclaimer
>
> This is an email from iManage. The information contained in it and in any
> attachments is proprietary and confidential and is designated solely for
> the attention and use of the intended recipient(s).
> If you are not the intended recipient(s), please notify the sender
> immediately and then delete it (and any attachment) from your computer
> system(s).
> Any form of distribution, copying or use of this e-mail or any part of it
> is strictly prohibited.
> iManage does not accept legal responsibility for the contents of this
> e-mail and opinions expressed in it may not necessarily reflect those of
> the company.
> iManage does not accept liability for errors or omissions, or for any
> damage caused by viruses or other harmful programme routines.
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
> ____________________________________________________________________
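Edwin's point above is that Zip Slip needs two things together: an archive whose entry names carry relative or absolute paths, and extraction code that trusts those names without checking where they land. The thread does not show such a check, so the following is an added example, written for this page and not taken from WiX, PanelSwWixExtension or any poster's code. It is the validation a custom-action author would want before unpacking an archive into the install folder: every entry is resolved against the intended target directory and the whole archive is refused if any entry would land outside it. The archive contents, the target path and the function names are constructed for the example; the check is written in Python so it can be run as-is, but the same logic (resolve to a full path, then test containment) transfers directly to a C# or C++ custom action.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def is_safe_entry(target_dir, entry_name):
    """Return True only if entry_name would be written inside target_dir.

    Rejects absolute paths (POSIX and Windows forms), drive-relative names
    such as "C:evil.txt", and any name that climbs out of target_dir via ".."
    after both separator styles have been normalised.
    """
    # Windows extractors treat "\" and "/" alike, so normalise both.
    normalized = entry_name.replace("\\", "/")
    if PurePosixPath(normalized).is_absolute() or PureWindowsPath(entry_name).is_absolute():
        return False
    if PureWindowsPath(entry_name).drive:  # drive-relative, e.g. "C:evil.txt"
        return False
    # Resolve the final destination and require it to stay under the target.
    base = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(base, *normalized.split("/")))
    return dest == base or dest.startswith(base + os.sep)


def check_archive(zip_bytes, target_dir):
    """Return the entry names that would escape target_dir (empty list means safe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if not is_safe_entry(target_dir, name)]


def safe_extract(zip_bytes, target_dir):
    """Validate the entire archive first; extract only if nothing escapes."""
    escaping = check_archive(zip_bytes, target_dir)
    if escaping:
        raise ValueError(f"refusing archive: entries escape {target_dir}: {escaping}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(target_dir)


def build_sample_archive(entry_names):
    """Build an in-memory zip with the given (constructed) entry names for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"sample payload")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    # Constructed sample archives: one well-formed, one with escaping entries.
    good = build_sample_archive(["lib/app.dll", "docs/readme.txt"])
    bad = build_sample_archive(["lib/app.dll", "../evil.txt", "C:\\Windows\\evil.txt"])
    with tempfile.TemporaryDirectory() as target:
        safe_extract(good, target)
        print("good archive extracted:", sorted(os.listdir(target)))
        print("bad archive rejected entries:", check_archive(bad, target))
```

Note that `check_archive` runs over the full entry list before anything is written, so a partially extracted archive is never left behind when a late entry is the offending one. Python's own `zipfile.extractall` already strips traversal components, so here the explicit check mainly documents the policy; in a custom action that calls a native unzip routine, the containment test is the part that has to be present.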