From 75a8c75d4e02ea219008dc5af7d03869291d61f7 Mon Sep 17 00:00:00 2001
From: Rob Mensching <rob@firegiant.com>
Date: Wed, 20 Mar 2024 23:51:53 -0700
Subject: Protect elevated working folder from malicious data

When running elevated, Burn uses the Windows Temp folder as its working folder
to prevent normal processes from tampering with the files. Windows Temp does
allow non-elevated processes to write to the folder but they cannot see the
files there. Unfortunately, contrary to our belief, non-elevated processes
can read the files in Windows Temp by watching for directory changes. This
allows a malicious process to lie in wait, watching the Windows Temp folder
until a Burn process is launched elevated, then attack the working folder.
Mitigate that attack by protecting the working folder to only elevated users.

Managed custom actions also fall back to using the Windows Temp folder in
some cases and thus can be exposed in a similar fashion as an elevated Burn
process. Remove that possibility.
---
 src/dtf/SfxCA/SfxUtil.cpp | 32 ++++++--------------------------
 1 file changed, 6 insertions(+), 26 deletions(-)

(limited to 'src/dtf/SfxCA')

diff --git a/src/dtf/SfxCA/SfxUtil.cpp b/src/dtf/SfxCA/SfxUtil.cpp
index 2e6b0555..32dc6e04 100644
--- a/src/dtf/SfxCA/SfxUtil.cpp
+++ b/src/dtf/SfxCA/SfxUtil.cpp
@@ -164,38 +164,18 @@ bool ExtractToTempDirectory(__in MSIHANDLE hSession, __in HMODULE hModule,
         StringCchCopy(szTempDir, cchTempDirBuf, szModule);
         StringCchCat(szTempDir, cchTempDirBuf, L"-");
 
+        BOOL fCreatedDirectory = FALSE;
         DWORD cchTempDir = (DWORD) wcslen(szTempDir);
-        for (int i = 0; DirectoryExists(szTempDir); i++)
+        for (int i = 0; i < 10000 && !fCreatedDirectory; i++)
         {
                 swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
+                fCreatedDirectory = ::CreateDirectory(szTempDir, NULL);
         }
 
-        if (!CreateDirectory(szTempDir, NULL))
+        if (!fCreatedDirectory)
         {
-                cchCopied = GetTempPath(cchTempDirBuf, szTempDir);
-                if (cchCopied == 0 || cchCopied >= cchTempDirBuf)
-                {
-                        Log(hSession, L"Failed to get temp directory. Error code %d", GetLastError());
-                        return false;
-                }
-
-                wchar_t* szModuleName = wcsrchr(szModule, L'\\');
-                if (szModuleName == NULL) szModuleName = szModule;
-                else szModuleName = szModuleName + 1;
-                StringCchCat(szTempDir, cchTempDirBuf, szModuleName);
-                StringCchCat(szTempDir, cchTempDirBuf, L"-");
-
-                cchTempDir = (DWORD) wcslen(szTempDir);
-                for (int i = 0; DirectoryExists(szTempDir); i++)
-                {
-                        swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
-                }
-
-                if (!CreateDirectory(szTempDir, NULL))
-                {
-                        Log(hSession, L"Failed to create temp directory. Error code %d", GetLastError());
-                        return false;
-                }
+                Log(hSession, L"Failed to create temp directory. Error code %d", ::GetLastError());
+                return false;
         }
 
         Log(hSession, L"Extracting custom action to temporary directory: %s\\", szTempDir);
-- 
cgit v1.2.3-55-g6feb