7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wq88-fq4x-h2pm

EPSS Score

CWE

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wq88-fq4x-h2pm

GHSA-wq88-fq4x-h2pm: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.

Details

When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges.

icacls c:\windows\temp

BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel

PoC

PoC works against the against visual studio enterprise with update 3 installer

Reproduction steps

As a standard user, run the poc. Mount the iso and run visual studio installer as local system account. The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running.

Impact

This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-wq88-fq4x-h2pm

GHSA-wq88-fq4x-h2pm:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wq88-fq4x-h2pm

EPSS Score

CWE

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
PanelSW.Custom.WiX	nuget	<= 3.15.0-a45	3.15.0-a46

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Burn's use of C:\Windows\Temp without proper access controls when running elevated. CalculateWorkingFolder is directly responsible for selecting the working directory using GetTempPathW in SYSTEM context, while ExtractToTempDirectory handles file extraction to temporary locations. Both functions in their pre-patch form failed to implement necessary security measures (ACLs for SYSTEM-created directories and secure path generation), enabling the hijack chain. The commit diff shows these were the primary targets of the security fixes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-wq88-fq4x-h2pm: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Details

PoC

Reproduction steps

Impact

GHSA-wq88-fq4x-h2pm:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.3

7.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-wq88-fq4x-h2pm: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Summary

Details

PoC

Reproduction steps

Impact

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI