CVE-2024-29187: WiX based installers are vulnerable to binary hijack when run as SYSTEM

First published: Sun Mar 24 2024(Updated: )

### Summary Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users. ### Details When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. icacls c:\windows\temp **BUILTIN\Users:(CI)(S,WD,AD,X)** BUILTIN\Administrators:(F) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel   ### PoC PoC works against the against visual studio enterprise with update 3 [installer ](https://myvs.download.prss.microsoft.com/dbazure/en_visual_studio_enterprise_2015_with_update_3_x86_x64_dvd_8923288.iso?t=8132cd54-4b83-4478-8b73-fd9eb93437bf&P1=1709239640&P2=601&P3=2&P4=iorgKPv%2bG8n2NANTPUVoB92rr8t3W4XM594%2f9BtQQJrYrr8SwxGDxV%2fj%2f2F6Ulto0bXrIaFoZUr4yV37YAsOZVpM29IMtQEO0673AbDVuTe93qDb6wb7xdlpZSse0LZURUwwIFw5cwHQS2ZtvkunXE0osgXtEBT2IzVbPwVH39%2fum854xb4e2Dp61wgNrMZcOLLluBbeA3KX1sP3mm7WAWXBvlFiQWEnTfR5XH5mlLyPy2qfqCXWCjl84jNX7uY%2bpLR1IbfeD2JlcIQNeW2QrvmmqRrRbGvvaCA97IaSjM16XcDqVjvAEGW3sWXUc7y%2fEf68WZIyT7iilaEDUvaqqA%3d%3d&su=1) #### Reproduction steps As a standard user, run the poc. Mount the iso and run visual studio installer as local system account. The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running. ### Impact This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/title
• agent/first-publish-date
• agent/type
• collector/nvd-api
• source/NVD
• collector/nvd-cve
• agent/author
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-rf39-3f98-xr7r
• alias/CVE-2024-29187
• agent/software-canonical-lookup
• collector/github-advisory
• agent/epss
• collector/epss-latest
• source/FIRST
• agent/references
• agent/severity
• agent/description
• agent/event
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• collector/msrc
• source/Microsoft
• collector/msrc-cve
• agent/trending
• agent/source
• agent/software-canonical-lookup-request
• agent/tags
• agent/softwarecombine
• package-manager/nuget
• vendor/microsoft
• canonical/microsoft visual studio 2019
• version/microsoft visual studio 2019/16.11
• canonical/microsoft visual studio 2017
• version/microsoft visual studio 2017/15.9
• canonical/visual studio community 2022
• version/visual studio community 2022/17.10
• version/visual studio community 2022/17.6
• version/visual studio community 2022/17.4
• version/visual studio community 2022/17.8