Protect elevated working folder from malicious data

When running elevated, Burn uses the Windows Temp folder as its working folder to prevent normal processes from tampering with the files. Windows Temp does allow non-elevated processes to write to the folder but they cannot see the files there. Unfortunately, contrary to our belief, non-elevated processes can read the files in Windows Temp by watching for directory changes. This allows a malicious process to lie in wait, watching the Windows Temp folder until a Burn process is launched elevated, then attack the working folder. Mitigate that attack by protecting the working folder to only elevated users. Managed custom actions also fall back to using the Windows Temp folder in some cases and thus can be exposed in a similar fashion as an elevated Burn process. Remove that possibility.
author: Rob Mensching <rob@firegiant.com> 2024-03-20 23:51:53 -0700
committer: Rob Mensching <rob@firegiant.com> 2024-03-22 11:57:27 -0700
commit: fed3d69eb4da7fa2bafdd8f555ce5869c36925f7 (patch)
tree: cb9bd56e7a36f118da7ad44107018b86a30fbdae /src/burn/engine/core.cpp
parent: e84b6768772c01e44dd55fb583cf78388ec7e48a (diff)
download: wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.tar.gz
wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.tar.bz2
wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/burn/engine/core.cpp b/src/burn/engine/core.cpp
index ae74fdfd..a85e6f18 100644
--- a/src/burn/engine/core.cpp
+++ b/src/burn/engine/core.cpp
@@ -165,7 +165,7 @@ extern "C" HRESULT CoreInitialize(
    if (BURN_MODE_NORMAL == pEngineState->internalCommand.mode || BURN_MODE_EMBEDDED == pEngineState->internalCommand.mode)
    {
        // Extract all UX payloads to working folder.
-        hr = BootstrapperApplicationEnsureWorkingFolder(&pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);
+        hr = BootstrapperApplicationEnsureWorkingFolder(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);
        ExitOnFailure(hr, "Failed to get unique temporary folder for bootstrapper application.");
        hr = PayloadExtractUXContainer(&pEngineState->userExperience.payloads, &containerContext, pEngineState->userExperience.sczTempDirectory);
@@ -588,7 +588,7 @@ extern "C" HRESULT CoreElevate(
        // If the elevated companion pipe isn't created yet, let's make that happen.
        if (!pEngineState->sczBundleEngineWorkingPath)
        {
-            hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
+            hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
            ExitOnFailure(hr, "Failed to cache engine to working directory.");
        }
@@ -697,7 +697,7 @@ extern "C" HRESULT CoreApply(
    // Ensure the engine is cached to the working path.
    if (!pEngineState->sczBundleEngineWorkingPath)
    {
-        hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
+        hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
        ExitOnFailure(hr, "Failed to cache engine to working directory.");
    }
author	Rob Mensching <rob@firegiant.com>	2024-03-20 23:51:53 -0700
committer	Rob Mensching <rob@firegiant.com>	2024-03-22 11:57:27 -0700
commit	fed3d69eb4da7fa2bafdd8f555ce5869c36925f7 (patch)
tree	cb9bd56e7a36f118da7ad44107018b86a30fbdae /src/burn/engine/core.cpp
parent	e84b6768772c01e44dd55fb583cf78388ec7e48a (diff)
download	wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.tar.gz wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.tar.bz2 wix-fed3d69eb4da7fa2bafdd8f555ce5869c36925f7.zip

diff --git a/src/burn/engine/core.cpp b/src/burn/engine/core.cpp index ae74fdfd..a85e6f18 100644 --- a/src/burn/engine/core.cpp +++ b/src/burn/engine/core.cpp
@@ -165,7 +165,7 @@ extern "C" HRESULT CoreInitialize(
165	if (BURN_MODE_NORMAL == pEngineState->internalCommand.mode \|\| BURN_MODE_EMBEDDED == pEngineState->internalCommand.mode)	165	if (BURN_MODE_NORMAL == pEngineState->internalCommand.mode \|\| BURN_MODE_EMBEDDED == pEngineState->internalCommand.mode)
166	{	166	{
167	// Extract all UX payloads to working folder.	167	// Extract all UX payloads to working folder.
168	hr = BootstrapperApplicationEnsureWorkingFolder(&pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);	168	hr = BootstrapperApplicationEnsureWorkingFolder(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);
169	ExitOnFailure(hr, "Failed to get unique temporary folder for bootstrapper application.");	169	ExitOnFailure(hr, "Failed to get unique temporary folder for bootstrapper application.");
170		170
171	hr = PayloadExtractUXContainer(&pEngineState->userExperience.payloads, &containerContext, pEngineState->userExperience.sczTempDirectory);	171	hr = PayloadExtractUXContainer(&pEngineState->userExperience.payloads, &containerContext, pEngineState->userExperience.sczTempDirectory);
@@ -588,7 +588,7 @@ extern "C" HRESULT CoreElevate(
588	// If the elevated companion pipe isn't created yet, let's make that happen.	588	// If the elevated companion pipe isn't created yet, let's make that happen.
589	if (!pEngineState->sczBundleEngineWorkingPath)	589	if (!pEngineState->sczBundleEngineWorkingPath)
590	{	590	{
591	hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);	591	hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
592	ExitOnFailure(hr, "Failed to cache engine to working directory.");	592	ExitOnFailure(hr, "Failed to cache engine to working directory.");
593	}	593	}
594		594
@@ -697,7 +697,7 @@ extern "C" HRESULT CoreApply(
697	// Ensure the engine is cached to the working path.	697	// Ensure the engine is cached to the working path.
698	if (!pEngineState->sczBundleEngineWorkingPath)	698	if (!pEngineState->sczBundleEngineWorkingPath)
699	{	699	{
700	hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);	700	hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
701	ExitOnFailure(hr, "Failed to cache engine to working directory.");	701	ExitOnFailure(hr, "Failed to cache engine to working directory.");
702	}	702	}
703		703