Lucene search

GitHub Advisory DatabaseGHSA-JX4P-M4WM-VVJG

HistoryMar 25, 2024 - 7:42 p.m.

Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files

2024-03-2519:42:17

CWE-59

GitHub Advisory Database

github.com

wix

removefolderex

directory junction

protected directories

standard user

software installation

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.1%

JSON

Summary

The custom action behind WiX’s RemoveFolderEx functionality could allow a standard user to delete protected directories.

Details

RemoveFolderEx deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed RemoveFolderEx to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction.

CPENameOperatorVersion
wixtoolset.util.wixextlt4.0.5
wixlt4.0.5
wixlt3.14.1

Name	Operator	Version
wixtoolset.util.wixext	lt	4.0.5
wix	lt	4.0.5
wix	lt	3.14.1

References

github.com/advisories/GHSA-jx4p-m4wm-vvjg

github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg

github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742

github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a

nvd.nist.gov/vuln/detail/CVE-2024-29188