[wix-users] zip slip and WiX toolset

Christopher Painter chrpai at iswix.com
Wed Sep 26 13:10:26 PDT 2018


True, but let's be honest... how many people just click OK? And how many people really do LUAPatching?

Everywhere that I've ever worked, non-administrators can install stuff (MSI or not) via tools like SCCM Software Center. Users with admin rights just download and click next next next....

If it makes someone feel better to look at my MSI and see that it's signed, great! But honestly there was a period of several years where I didn't bother because they made it so f* hard to get my cert renewed. I didn't get one single complaint. Now I sign again... for the next couple years that it is. If renewing my cert goes well I'll keep doing it. Otherwise it all feels like a $$$ racket to me. Someone is trusting Microsoft to trust some root to trust some intermediary to trust some company who trusts some reseller that I really am me. Hmmm ok. Better than nothing I guess.


-----Original Message-----
From: Hoover, Jacob <Jacob.Hoover at greenheck.com> 
Sent: Wednesday, September 26, 2018 2:59 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Edwin Castro <egcastr at gmail.com>
Cc: Christopher Painter <chrpai at iswix.com>
Subject: RE: [wix-users] zip slip and WiX toolset

Digitally signed installations ensure the end user that the installer is from a trusted source.  When the UAC dialog prompts for administrative access, the user is presented with the info about the publisher.

In addition to signing the MSI, you can also sign the CAB files which will ensure the CABs haven't been tampered with as well.

If you also embed the certificate into the installer (along with signing the MSIs), if the end user's machine is appropriately configured, non-administrator users can invoke LUAPatching abilities and update per-machine installs without administrator intervention (assuming the MSP is also signed).

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Christopher Painter via wix-users
Sent: Wednesday, September 26, 2018 2:49 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Edwin Castro <egcastr at gmail.com>
Cc: Christopher Painter <chrpai at iswix.com>
Subject: Re: [wix-users] zip slip and WiX toolset

Maybe I'm looking at only one side of the same coin but I see no security benefits of signing installs. The only benefit that causes me to sign my builds is that if I get a support issue I can be sure it wasn't tampered with. But that's more of a CM traceability thing for me.

My installers are per-machine and require elevation anyways to install. You can transform and do whatever you like but so what. The user already had to have elevation in the first place.

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Wally Wojciechowski via wix-users
Sent: Wednesday, September 26, 2018 9:01 AM
To: Edwin Castro <egcastr at gmail.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Wally Wojciechowski <Wally.Wojciechowski at imanage.com>
Subject: Re: [wix-users] zip slip and WiX toolset

The one hole I think that exists with the MSI engine is using a transform and applying on an unsigned MSI that gets elevated privileges which shows the importance of signing your installs.

________________________________
From: Edwin Castro <egcastr at gmail.com>
Sent: Monday, September 24, 2018 2:00:16 PM
To: WiX Toolset Users Mailing List
Cc: Wally Wojciechowski
Subject: Re: [wix-users] zip slip and WiX toolset

I'm not an authority but ... I don't think standard Windows Installer packages, the Windows Installer engine, WiX standard custom actions, nor the WiX Burn engine are vulnerable to Zip Slip.

First, you need code that extracts archives without validation of destination targets. I think, but have not verified, that the Windows Installer engine, WiX Burn engine, and WiX standard custom actions extract files to specific target directories that have been specified *without* relative paths. These target directories are not specified by the archives themselves but rather by the Windows Installer package tables or embedded manifest.

If you had a non-compressed payload or media, then you might have the second condition required (the malicious archive) since an attacker could try to intercept/replace a cab or similar archive. But that is the reason we should sign our archives, to know they were not tampered. If the non-compressed archive was tampered, then the target directory was still determined by the msi tables or manifest so the malicious archive could deliver untrusted content but it will not be delivered to "outside" directories.

Obviously, custom action authors need to analyze their extraction code and archives if they use any.

--
Edwin G. Castro


On Mon, Sep 24, 2018, 11:38 Wally Wojciechowski via wix-users <wix-users at lists.wixtoolset.org> wrote:
Outside of custom action code that extracts an archive (which is on the custom action author), can anyone point to a way where someone has exploited the WiX standard bootstrapper or a WiX generated MSI using zip slip? We are analyzing our build and packaging and need to cover all bases. From my understanding this seems impossible but I want to be sure.


Thanks,

Wally Wojciechowski

Disclaimer

This is an email from iManage. The information contained in it and in any attachments is proprietary and confidential and is designated solely for the attention and use of the intended recipient(s).
If you are not the intended recipient(s), please notify the sender immediately and then delete it (and any attachment) from your computer system(s).
Any form of distribution, copying or use of this e-mail or any part of it is strictly prohibited.
iManage does not accept legal responsibility for the contents of this e-mail and opinions expressed in it may not necessarily reflect those of the company.
iManage does not accept liability for errors or omissions, or for any damage caused by viruses or other harmful programme routines.

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
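
An audit check for the custom action extraction code that the thread says authors must analyze themselves, added here as an example (not code from the thread, WiX, or Windows Installer): it flags zip entries whose names would resolve outside a fixed install directory under Windows path rules. `TARGET_DIR`, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import ntpath  # Windows path rules on any OS, so the audit can run on a build agent
import zipfile

# Assumed install directory; in an MSI this comes from the package tables, not the archive.
TARGET_DIR = r"C:\Program Files\Example"


def escapes_target(entry_name: str, target_dir: str = TARGET_DIR) -> bool:
    """Return True if extracting entry_name under target_dir would land outside it."""
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return True  # drive-letter, UNC and rooted names ignore the target directory
    root = ntpath.normcase(ntpath.normpath(target_dir))
    dest = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    # Compare with a trailing separator so "Example" does not match "ExampleData".
    prefix = root if root.endswith("\\") else root + "\\"
    return not (dest == root or dest.startswith(prefix))


def audit_archive(data: bytes, target_dir: str = TARGET_DIR) -> list:
    """List the entry names in a zip archive that would be written outside target_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if escapes_target(i.filename, target_dir)]


def build_sample_archive() -> bytes:
    """Constructed sample: two well-behaved entries and three that leave the target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("bin/app.dll", "docs/../readme.txt",
                     "../../Windows/Temp/dropped.dll",
                     "../ExampleData/settings.ini",
                     "C:/Windows/Temp/abs.txt"):
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    for bad in audit_archive(build_sample_archive()):
        print("escapes target directory:", bad)
```

The check is lexical only; extraction code that can meet junctions or symbolic links inside the target directory needs to resolve the real path as well.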
