[wix-users] Security Best Practices

fishstick.flotilla fishstick.flotilla at protonmail.com
Mon Jul 20 13:12:54 PDT 2020


I would like to know more about WiX installer best security practices. I know this is long, but please bear with me.

During a crowd-sourced pen test of one of our products, this security flaw in the WiX bootstrapper was reported:

- Monitor the %TEMP% directory for new directories that start with the character {, end with the character }, and contain a sub-directory named .ba. This will allow us to detect the installation directory to infect with our malicious binary.

- After finding the installation directory, quickly place our malicious binary in a new .be sub-directory.

- Monitor the Bootstrapper.exe binary we just copied for changes. If a change is detected, quickly replace the binary with our malicious one.

- After the first change, the installer starts the binary and we gain Administrator privileges.

Two potential outcomes were described:

- Our binary is replaced with an unsigned binary from the bad actor.

- Our binary could be replaced by a signed binary (either an old one of our own or another vendor’s) that is vulnerable to either "application folder" or "current directory" DLL hijacking (https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability/). This is more serious, since it would appear to be coming from the correct vendor in the UAC prompt.

This bug (https://github.com/wixtoolset/issues/issues/6149) describes this as a non-issue because it “will only work if the program monitoring the folder is elevated. Normal users can't scan the contents of the system TEMP folder.”

However, this article (https://wixtoolset.org/development/wips/5184-burn-clean-room/) says that running elevated “is not normal execution for Burn.” This Stack Overflow question (https://stackoverflow.com/questions/50720476/wix-3-11-1-burn-bootstrapper-fails-to-elevate) and this bug report (https://github.com/wixtoolset/issues/issues/5830) do not leave me with good impressions of elevated execution support.

When WiX runs unelevated, the files are created in the user’s own temp folder, where a malicious process running as the user could access them without a UAC prompt; that brings us back to the original issue.

What is the recommended solution to protect our users from this? Is running the bootstrapper EXE elevated currently a supported scenario in WiX?

We want to make sure we are delivering the most secure solution possible.

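As an added example (not code from the original post, nor from WiX or Burn), the following PowerShell audit answers the two questions the pen-test report raises about an extraction directory: can any principal other than an elevated one write into it (so a process running as the same user could swap a binary), and do the executables inside carry a valid Authenticode signature? The trusted-principal list and the `{GUID}\.ba` sample path are assumptions; point `$target` at a real extraction directory captured on a test machine.

```powershell
# Added example, not code from the original post or from WiX/Burn.
# Audits a directory that an installer extracts to and executes from:
#   1. Does any principal other than an elevated one hold write/modify/delete
#      rights on it? (If yes, a same-user process can replace files there.)
#   2. Do the executables inside carry a valid Authenticode signature?
# The $TrustedPrincipals list and the sample path below are assumptions.

function Test-UnprivilegedWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals only an elevated process can act as (assumption; extend as needed).
        [string[]]$TrustedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'
        )
    )

    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Any of these rights lets a principal create, replace or remove files in the directory.
    $writeMask = $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                 $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::Write -bor
                 $FSR::Modify -bor $FSR::FullControl

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            # One finding per ACE that a non-elevated principal could use.
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-ExtractedBinarySignature {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status   # only 'Valid' is acceptable; 'NotSigned'/'HashMismatch' are findings
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage. The GUID is a placeholder; substitute the real {GUID}\.ba directory
# observed under %TEMP% on a test machine.
$target = Join-Path $env:TEMP '{00000000-0000-0000-0000-000000000000}\.ba'
if (Test-Path -Path $target) {
    Test-UnprivilegedWriteAccess -Path $target | Format-Table -AutoSize
    Test-ExtractedBinarySignature -Directory $target | Format-Table -AutoSize
}
```

Under the user's own %TEMP%, the first function will report the user's own SID (and usually CREATOR OWNER) with FullControl, which is exactly the condition the report relies on: the same user's processes can write there. The signature check is a snapshot audit, not a runtime guard, because it has the same check-then-use window the report exploits; the structural mitigation is extracting to a location whose DACL grants write access only to elevated principals, which is the premise behind the "normal users can't scan the system TEMP folder" reasoning in issue 6149.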