[wix-users] zip slip and WiX toolset

Edwin Castro egcastr at gmail.com
Wed Sep 26 09:11:29 PDT 2018


Could a transform introduce any relative paths though? Files in cabs would
still be extracted exactly to the locations specified in the tables and I
don't think you can use relative paths in tables.

Still agree all artifacts should be appropriately signed!

--
Edwin G. Castro


On Wed, Sep 26, 2018 at 7:01 AM Wally Wojciechowski <
Wally.Wojciechowski at imanage.com> wrote:

> The one hole I think that exists with the MSI engine is using a transform
> and applying on an unsigned MSI that gets elevated privileges which shows
> the importance of signing your installs.
> ------------------------------
> *From:* Edwin Castro <egcastr at gmail.com>
> *Sent:* Monday, September 24, 2018 2:00:16 PM
> *To:* WiX Toolset Users Mailing List
> *Cc:* Wally Wojciechowski
> *Subject:* Re: [wix-users] zip slip and WiX toolset
>
> I'm not an authority but ... I don't think standard Windows Installer
> packages, the Windows Installer engine, WiX standard custom actions, nor
> the WiX Burn engine are vulnerable to Zip Slip.
>
> First, you need code that extracts archives without validation of
> destination targets. I think, but have not verified, that the Windows
> Installer engine, WiX Burn engine, and WiX standard custom actions extract
> files to specific target directories that have been specified *without*
> relative paths. These target directories are not specified by the archives
> themselves but rather by the Windows Installer package tables or embedded
> manifest.
>
> If you had a non-compressed payload or media, then you might have the
> second condition required (the malicious archive) since an attacker could
> try to intercept/replace a cab or similar archive. But that is the reason
> we should sign our archives, to know they were not tampered. If the
> non-compressed archive was tampered, then the target directory was still
> determined by the msi tables or manifest so the malicious archive could
> deliver untrusted content but it will not be delivered to "outside"
> directories.
>
> Obviously, custom action authors need to analyze their extraction code and
> archives if they use any.
>
> --
> Edwin G. Castro
>
>
> On Mon, Sep 24, 2018, 11:38 Wally Wojciechowski via wix-users <
> wix-users at lists.wixtoolset.org> wrote:
>
> Outside of custom action code that extracts an archive (which is on the
> custom action author), can anyone point to a way where someone has
> exploited the WiX standard bootstrapper or a WiX generated MSI using zip
> slip? We are analyzing our build and packaging and need to cover all bases.
> From my understanding this seems impossible but I want to be sure.
>
>
> Thanks,
>
> Wally Wojciechowski
>
>
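The thread leaves archive extraction inside custom actions as the author's responsibility. The following is an added example, not part of the thread and not WiX code, of the destination check such extraction code needs before it writes an entry under its target directory. The function name `SafeRelativePath` is hypothetical, and the check is lexical only, so it assumes the target directory contains no junctions or symlinks.

```cpp
#include <string>
#include <vector>

// Added example: lexical Zip Slip check for archive entry names.
// On success, writes the entry's path relative to the target directory
// (backslash-separated) to `out` and returns true. Returns false if the
// entry would be written outside the target directory.
bool SafeRelativePath(const std::string& entryName, std::string& out) {
    if (entryName.empty()) return false;
    // Rooted names ("/x", "\x", "\\server\share") ignore the target directory.
    if (entryName[0] == '/' || entryName[0] == '\\') return false;

    std::vector<std::string> kept;
    std::string segment;
    // Archives may use either separator, and Windows accepts both.
    for (std::string::size_type i = 0; i <= entryName.size(); ++i) {
        const bool atEnd = (i == entryName.size());
        if (!atEnd && entryName[i] != '/' && entryName[i] != '\\') {
            segment += entryName[i];
            continue;
        }
        if (segment == "..") {
            if (kept.empty()) return false;  // climbs above the target directory
            kept.pop_back();
        } else if (segment.find(':') != std::string::npos) {
            return false;  // drive letter ("C:") or alternate data stream
        } else if (!segment.empty() && segment != ".") {
            kept.push_back(segment);
        }
        segment.clear();
    }
    if (kept.empty()) return false;  // nothing left to write, e.g. "a/.."

    std::string result;
    for (std::vector<std::string>::size_type i = 0; i < kept.size(); ++i) {
        if (i > 0) result += '\\';
        result += kept[i];
    }
    out = result;
    return true;
}
```

The caller joins the returned relative path to its fixed target directory and skips or fails on any entry for which the function returns false.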

