8.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-259p-rvjx-ffwg

EPSS Score

CWE

CWE-426

Published

2/8/2024

Updated

2/8/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-259p-rvjx-ffwg

GHSA-259p-rvjx-ffwg:
Panel::Software Customized WiX .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges

Summary

.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.

Details

If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.

PoC

As a standard, non-admin user:

Monitor the user's TEMP folder for changes using ReadDirectoryChangesW
On FILE_ACTION_ADDED, check if the folder name is .be
Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local)
Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll)
Do hacker things when the engine escalates and the malicious DLL is loaded

Proper naming for the path can be obtained by using GetModuleHandle("comctl32.dll") and GetModuleFileName.

Impact

DLL redirection utilizing .exe.Local Windows capability. This impacts any installer built with the WiX installer framework.

(GitHub Advisory)

8.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-259p-rvjx-ffwg

EPSS Score

CWE

CWE-426

Published

2/8/2024

Updated

2/8/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
PanelSW.Custom.WiX	nuget	< 3.15.0-a44	3.15.0-a44

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key behaviors: (1) using the user's TEMP directory (instead of a secure system location) when not running as admin, and (2) failing to restrict write access to the .be directory. The first function CreateTempDirectory directly creates the insecure .be folder, while the second PathGetTempPath enables the unsafe TEMP selection. Both are critical to the DLL redirection attack vector described in the advisory. The confidence is high because these functions align with the described exploit mechanics (CWE-426) and WiX Burn engine architecture, even without explicit code examples.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Summ*ry .** T*MP *ol**r is vuln*r**l* to *LL r**ir**tion *tt**ks t**t *llow t** *tt**k*r to *s**l*t* privil***s. # **t*ils I* t** *un*l* is not run *s **min, t** us*r's T*MP *ol**r is us** *n* not t** syst*m T*MP *ol**r. * utility is **l* to mon

Reasoning

T** vuln*r**ility st*ms *rom two k*y ****viors: (*) usin* t** us*r's T*MP *ir**tory (inst*** o* * s**ur* syst*m lo**tion) w**n not runnin* *s **min, *n* (*) **ilin* to r*stri*t writ* ****ss to t** `.**` *ir**tory. T** *irst *un*tion `*r**t*T*mp*ir**t

8.3

Basic Information

Concerned about an active attack path?

GHSA-259p-rvjx-ffwg: Panel::Software Customized WiX .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges

Summary

Details

PoC

Impact

8.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-259p-rvjx-ffwg:
Panel::Software Customized WiX .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges

Vulnerability Intelligence
Miggo AI