CVE-2024-29188

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg
https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742
https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a
https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg
https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742
https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a

Configurations

No configuration.

History

21 Nov 2024, 09:07

Type	Values Removed	Values Added
Summary		(es) El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalación de Windows. La acción personalizada detrás de la funcionalidad `RemoveFolderEx` de WiX podría permitir a un usuario estándar eliminar directorios protegidos. `RemoveFolderEx` elimina un árbol de directorios completo durante la instalación o desinstalación. Lo hace recurriendo a cada subdirectorio comenzando en un directorio específico y agregando cada subdirectorio a la lista de directorios que Windows Installer debe eliminar. Si el autor de la instalación indicó a `RemoveFolderEx` que eliminara una carpeta por usuario de un instalador por máquina, un atacante podría crear una unión de directorios en esa carpeta por usuario que apunte a un directorio protegido por máquina. Windows Installer, al ejecutar el instalador por máquina después de la aprobación de un administrador, eliminaría el destino de la unión del directorio. Esta vulnerabilidad se solucionó en 3.14.1 y 4.0.5.
References	~~() https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg -~~	() https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg -
References	~~() https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742 -~~	() https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742 -
References	~~() https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a -~~	() https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a -

24 Mar 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-24 20:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-29188

Mitre link : CVE-2024-29188

CVE.ORG link : CVE-2024-29188

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

7.9 /10