7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-g4v6-69p6-q3p4

EPSS Score

CWE

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-g4v6-69p6-q3p4

GHSA-g4v6-69p6-q3p4: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.

Details

When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges.

icacls c:\windows\temp

BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel

PoC

PoC works against the against visual studio enterprise with update 3 installer

Reproduction steps

As a standard user, run the poc. Mount the iso and run visual studio installer as local system account. The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running.

Impact

This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-g4v6-69p6-q3p4

GHSA-g4v6-69p6-q3p4:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-g4v6-69p6-q3p4

EPSS Score

CWE

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
PanelSwWix4.Sdk	nuget	<= 5.0.0-psw-wix.0262-48	5.0.0-psw-wix.0265-49

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Burn using C:\Windows\Temp with insecure permissions when elevated. The key functions are:

CacheEnsureBaseWorkingFolder - Directly responsible for creating working directories without proper ACLs when elevated
CopyEngineToWorkingFolder - Handles copying sensitive binaries to these insecure locations
DirEnsureExists calls - The mechanism that actually created the directories with weak permissions

The commit diff shows these functions were modified to add SDDL-based security descriptors (D:PAI...SY) when elevated, confirming they were the vulnerable points. The original implementation lacked these protections, allowing non-admin users to write to working directories through inherited C:\Windows\Temp permissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-g4v6-69p6-q3p4: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Details

PoC

Reproduction steps

Impact

GHSA-g4v6-69p6-q3p4:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.3

7.3

GHSA-g4v6-69p6-q3p4: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Details

PoC

Reproduction steps

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI