CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.5%
.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.
If the bundle is not run as admin, the user’s TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user’s TEMP folder for changes and drop its own DLL into the .be/<bundle>.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.
As a standard, non-admin user:
Proper naming for the path can be obtained by using GetModuleHandle(“comctl32.dll”) and GetModuleFileName.
DLL redirection utilizing .exe.Local Windows capability. This impacts any installer built with the WiX installer framework.
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.5%