[wix-users] zip slip and WiX toolset

Wally Wojciechowski Wally.Wojciechowski at imanage.com
Wed Sep 26 07:01:18 PDT 2018


The one hole I think that exists with the MSI engine is using a transform and applying on an unsigned MSI that gets elevated privileges which shows the importance of signing your installs.

________________________________
From: Edwin Castro <egcastr at gmail.com>
Sent: Monday, September 24, 2018 2:00:16 PM
To: WiX Toolset Users Mailing List
Cc: Wally Wojciechowski
Subject: Re: [wix-users] zip slip and WiX toolset

I'm not an authority but ... I don't think standard Windows Installer packages, the Windows Installer engine, Wix standard custom actions, nor the WiX Burn engine are vulnerable to Zip Slip.

First, you need code that extracts archives without validation of destinatiin targets. I think, but have not verified, that the Windows Installer engine, WiX Burn engine, and WiX standard custom actions extract files to specific target directories that have been specified *without* relative paths. These target directories are not specified by the archives themselves but rather by the Windows Installer package tables or embbeded manifest.

If you had a non-compressed payload or media, then you might have the second condition required (the malicious archive) since an attacker could try to intercept/replace a cab or similar archive. But that is the reason we should sign our archives, to know they were not tampered. If the non-compressed archive was tampered, then the target directory was still determined by the msi tables or manifest so the malicious archive could deliver untrusted content but it will not be delivered to "outside" directories.

Obviously, custom action authors need to analyze their extraction code and archives if they use any.

--
Edwin G. Castro


On Mon, Sep 24, 2018, 11:38 Wally Wojciechowski via wix-users <wix-users at lists.wixtoolset.org<mailto:wix-users at lists.wixtoolset.org>> wrote:
Outside of custom action code that extracts an archive(which is on the custom action author), can anyone point to a way where someone has exploited the WiX standard bootstrapper or a WiX generated MSI using zip slip? We are analyzing our build and packaging and need to cover all bases. From my understanding this seems impossible but I want to be sure.


Thanks,

Wally Wojciechowski

Disclaimer

This is an email from iManage. The information contained in it and in any attachments is proprietary and confidential and is designated solely for the attention and use of the intended recipient(s).
If you are not the intended recipient(s), please notify the sender immediately and then delete it (and any attachment) from your computer system(s).
Any form of distribution, copying or use of this e-mail or any part of it is strictly prohibited.
iManage does not accept legal responsibility for the contents of this e-mail and opinions expressed in it may not necessarily reflect those of the company.
iManage does not accept liability for errors or omissions, or for any damage caused by viruses or other harmful programme routines.

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/<http://www.firegiant.com/>

Disclaimer

This is an email from iManage. The information contained in it and in any attachments is proprietary and confidential and is designated solely for the attention and use of the intended recipient(s). 
If you are not the intended recipient(s), please notify the sender immediately and then delete it (and any attachment) from your computer system(s). 
Any form of distribution, copying or use of this e-mail or any part of it is strictly prohibited. 
iManage does not accept legal responsibility for the contents of this e-mail and opinions expressed in it may not necessarily reflect those of the company. 
iManage does not accept liability for errors or omissions, or for any damage caused by viruses or other harmful programme routines.



More information about the wix-users mailing list