CVE-2024-29187
📋 TL;DR
This vulnerability in the WiX toolset allows standard users to hijack binaries dropped in C:\Windows\Temp when bundles run as SYSTEM, leading to privilege escalation. It affects WiX toolset versions before 3.14.1 and 4.0.5. Developers who build Windows installers with WiX, and systems that run WiX-based installers with elevated privileges, are impacted.
💻 Affected Systems
- WiX Toolset
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Standard user gains SYSTEM privileges on the affected machine, enabling complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local authenticated user escalates privileges to SYSTEM, gaining administrative control over the system and ability to install malicious software.
If Mitigated
With proper access controls on C:\Windows\Temp and limited use of SYSTEM privileges, impact is reduced to failed privilege escalation attempts.
🎯 Exploit Status
Requires local authenticated access and knowledge of when SYSTEM processes use temporary files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.14.1 and 4.0.5
Vendor Advisory: https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
Restart Required: No
Instructions:
1. Update WiX toolset to version 3.14.1 or 4.0.5.
2. Rebuild any affected installers using the updated toolset.
3. Deploy updated installers to affected systems.
🔧 Temporary Workarounds
Restrict C:\Windows\Temp permissions
Windows: Set strict ACLs on C:\Windows\Temp to prevent standard users from writing or modifying files
icacls C:\Windows\Temp /inheritance:r
icacls C:\Windows\Temp /grant "SYSTEM:(OI)(CI)F"
icacls C:\Windows\Temp /grant "Administrators:(OI)(CI)F"
Avoid SYSTEM privilege for WiX bundles
Windows: Configure WiX bundles to run with minimal necessary privileges instead of SYSTEM
🧯 If You Can't Patch
- Implement strict access controls on C:\Windows\Temp directory
- Monitor for unauthorized file creation/modification in system temp directories
🔍 How to Verify
Check if Vulnerable:
Check the WiX toolset version with wix --version, or examine the installer's properties for the WiX version used to build it
Check Version:
wix --version
Verify Fix Applied:
Confirm WiX toolset version is 3.14.1 or higher for v3, or 4.0.5 or higher for v4
📡 Detection & Monitoring
Log Indicators:
- File creation events in C:\Windows\Temp by SYSTEM processes
- Privilege escalation attempts from standard to SYSTEM users
Network Indicators:
- No specific network indicators - local exploitation only
SIEM Query:
EventID=4663 AND ObjectName LIKE '%C:\\Windows\\Temp%' AND SubjectUserName='SYSTEM'
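The query above only lists SYSTEM activity in the directory. The added example below (not from this page or the WiX project) goes one step further and flags Temp entries that SYSTEM and another account both modified within a short window. It assumes 4663 events exported as dictionaries with the event's field names, a `Time` field in epoch seconds, grouping by the first path component under C:\Windows\Temp, and matching SYSTEM by its well-known SID rather than by name.

```python
from collections import defaultdict

TEMP_ROOT = "c:\\windows\\temp\\"
SYSTEM_SID = "S-1-5-18"  # well-known SID of LocalSystem
# AccessMask bits that create, change or replace an object: WriteData/AddFile,
# AppendData/AddSubdirectory, DELETE, WRITE_DAC, WRITE_OWNER.
MODIFY_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000

def top_level_entry(object_name):
    """Return the first path component under the Temp root, or None."""
    path = object_name.lower()
    if not path.startswith(TEMP_ROOT):
        return None
    return path[len(TEMP_ROOT):].split("\\", 1)[0] or None

def contested_entries(events, window=300, trusted_sids=frozenset()):
    """Map each Temp entry modified by SYSTEM and, within `window` seconds, by
    another untrusted account, to the sorted SIDs of those accounts."""
    system_times, other_writes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4663 or not int(ev["AccessMask"], 16) & MODIFY_BITS:
            continue  # not an object-access event, or a read-only access
        entry = top_level_entry(ev["ObjectName"])
        if entry is None:
            continue
        if ev["SubjectUserSid"] == SYSTEM_SID:
            system_times[entry].append(ev["Time"])
        elif ev["SubjectUserSid"] not in trusted_sids:
            other_writes[entry].append((ev["Time"], ev["SubjectUserSid"]))
    hits = {}
    for entry, writes in other_writes.items():
        sids = {sid for t, sid in writes
                if any(abs(t - s) <= window for s in system_times.get(entry, []))}
        if sids:
            hits[entry] = sorted(sids)
    return hits

# Constructed sample events (hypothetical SID and paths, not real log data).
def _ev(t, sid, mask, name):
    return {"EventID": 4663, "Time": t, "SubjectUserSid": sid,
            "AccessMask": mask, "ObjectName": name}

USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPED = r"C:\Windows\Temp\{CONSTRUCTED-GUID}\setup.exe"
SAMPLE = [_ev(1000, SYSTEM_SID, "0x2", DROPPED),       # SYSTEM drops a binary
          _ev(1003, USER, "0x10000", DROPPED),         # user deletes it seconds later
          _ev(1010, USER, "0x1", r"C:\Windows\Temp\read.log"),       # read only
          _ev(9000, USER, "0x2", r"C:\Windows\Temp\user-only.tmp")]  # no SYSTEM use
print(contested_entries(SAMPLE))
```

Object-access auditing (a SACL on C:\Windows\Temp plus the File System audit subcategory) must be enabled for 4663 events to exist at all.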
🔗 References
- https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
- https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
- https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9