Protect elevated working folder from malicious data

When running elevated, Burn uses the Windows Temp folder as its working folder to prevent normal processes from tampering with the files. Windows Temp does allow non-elevated processes to write to the folder but they cannot see the files there. Unfortunately, contrary to our belief, non-elevated processes can read the files in Windows Temp by watching for directory changes. This allows a malicious process to lie in wait, watching the Windows Temp folder until a Burn process is launched elevated, then attack the working folder. Mitigate that attack by protecting the working folder to only elevated users. Managed custom actions also fall back to using the Windows Temp folder in some cases and thus can be exposed in a similar fashion as an elevated Burn process. Remove that possibility.
wixtoolset · Mar 22, 2024 · 6d372e5 · 6d372e5
1 parent 93eeb5f
commit 6d372e5
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 36 deletions.
diff --git a/src/DTF/Tools/SfxCA/SfxUtil.cpp b/src/DTF/Tools/SfxCA/SfxUtil.cpp
@@ -164,38 +164,18 @@ bool ExtractToTempDirectory(__in MSIHANDLE hSession, __in HMODULE hModule,
  StringCchCopy(szTempDir, cchTempDirBuf, szModule);
  StringCchCat(szTempDir, cchTempDirBuf, L"-");
 
+ BOOL fCreatedDirectory = FALSE;
  DWORD cchTempDir = (DWORD) wcslen(szTempDir);
- for (int i = 0; DirectoryExists(szTempDir); i++)
+ for (int i = 0; i < 10000 && !fCreatedDirectory; i++)
  {
  swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
+ fCreatedDirectory = ::CreateDirectory(szTempDir, NULL);
  }
 
- if (!CreateDirectory(szTempDir, NULL))
+ if (!fCreatedDirectory)
  {
- cchCopied = GetTempPath(cchTempDirBuf, szTempDir);
- if (cchCopied == 0 || cchCopied >= cchTempDirBuf)
- {
- Log(hSession, L"Failed to get temp directory. Error code %d", GetLastError());
- return false;
- }
-
- wchar_t* szModuleName = wcsrchr(szModule, L'\\');
- if (szModuleName == NULL) szModuleName = szModule;
- else szModuleName = szModuleName + 1;
- StringCchCat(szTempDir, cchTempDirBuf, szModuleName);
- StringCchCat(szTempDir, cchTempDirBuf, L"-");
-
- cchTempDir = (DWORD) wcslen(szTempDir);
- for (int i = 0; DirectoryExists(szTempDir); i++)
- {
- swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
- }
-
- if (!CreateDirectory(szTempDir, NULL))
- {
- Log(hSession, L"Failed to create temp directory. Error code %d", GetLastError());
- return false;
- }
+ Log(hSession, L"Failed to create temp directory. Error code %d", ::GetLastError());
+ return false;
  }
 
  Log(hSession, L"Extracting custom action to temporary directory: %s\\", szTempDir);

diff --git a/src/burn/engine/cache.cpp b/src/burn/engine/cache.cpp
@@ -13,13 +13,15 @@ static BOOL vfInitializedCache = FALSE;
 static BOOL vfRunningFromCache = FALSE;
 static LPWSTR vsczSourceProcessPath = NULL;
 static LPWSTR vsczWorkingFolder = NULL;
+static BOOL vfWorkingFolderElevated = FALSE;
 static LPWSTR vsczDefaultUserPackageCache = NULL;
 static LPWSTR vsczDefaultMachinePackageCache = NULL;
 static LPWSTR vsczCurrentMachinePackageCache = NULL;
 
 static HRESULT CalculateWorkingFolder(
  __in_z LPCWSTR wzBundleId,
- __deref_out_z LPWSTR* psczWorkingFolder
+ __deref_out_z LPWSTR* psczWorkingFolder,
+ __out_opt BOOL* pfWorkingFolderElevated
  );
 static HRESULT GetLastUsedSourceFolder(
  __in BURN_VARIABLES* pVariables,
@@ -195,11 +197,29 @@ extern "C" HRESULT CacheEnsureWorkingFolder(
 {
  HRESULT hr = S_OK;
  LPWSTR sczWorkingFolder = NULL;
+ BOOL fElevatedWorkingFolder = FALSE;
+ PSECURITY_DESCRIPTOR psd = NULL;
+ LPSECURITY_ATTRIBUTES pWorkingFolderAcl = NULL;
 
- hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+ hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, &fElevatedWorkingFolder);
  ExitOnFailure(hr, "Failed to calculate working folder to ensure it exists.");
 
- hr = DirEnsureExists(sczWorkingFolder, NULL);
+ // If elevated, allocate the pWorkingFolderAcl to protect the working folder to only Admins and SYSTEM.
+ if (fElevatedWorkingFolder)
+ {
+ LPCWSTR wzSddl = L"D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)";
+ if (!::ConvertStringSecurityDescriptorToSecurityDescriptorW(wzSddl, SDDL_REVISION_1, &psd, NULL))
+ {
+ ExitWithLastError(hr, "Failed to create the security descriptor for the working folder.");
+ }
+
+ pWorkingFolderAcl = reinterpret_cast<LPSECURITY_ATTRIBUTES>(MemAlloc(sizeof(SECURITY_ATTRIBUTES), TRUE));
+ pWorkingFolderAcl->nLength = sizeof(SECURITY_ATTRIBUTES);
+ pWorkingFolderAcl->lpSecurityDescriptor = psd;
+ pWorkingFolderAcl->bInheritHandle = FALSE;
+ }
+
+ hr = DirEnsureExists(sczWorkingFolder, pWorkingFolderAcl);
  ExitOnFailure(hr, "Failed create working folder.");
 
  // Best effort to ensure our working folder is not encrypted.
@@ -212,6 +232,11 @@ extern "C" HRESULT CacheEnsureWorkingFolder(
  }
 
 LExit:
+ ReleaseMem(pWorkingFolderAcl);
+ if (psd)
+ {
+ ::LocalFree(psd);
+ }
  ReleaseStr(sczWorkingFolder);
 
  return hr;
@@ -237,7 +262,7 @@ extern "C" HRESULT CacheCalculateBundleWorkingPath(
  }
  else // Otherwise, use the real working folder.
  {
- hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+ hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, NULL);
  ExitOnFailure(hr, "Failed to get working folder for bundle.");
 
  hr = StrAllocFormatted(psczWorkingPath, L"%ls%ls\\%ls", sczWorkingFolder, BUNDLE_WORKING_FOLDER_NAME, wzExecutableName);
@@ -258,7 +283,7 @@ extern "C" HRESULT CacheCalculateBundleLayoutWorkingPath(
  HRESULT hr = S_OK;
  LPWSTR sczWorkingFolder = NULL;
 
- hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+ hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
  ExitOnFailure(hr, "Failed to get working folder for bundle layout.");
 
  hr = StrAllocConcat(psczWorkingPath, wzBundleId, 0);
@@ -278,7 +303,7 @@ extern "C" HRESULT CacheCalculatePayloadWorkingPath(
 {
  HRESULT hr = S_OK;
 
- hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+ hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
  ExitOnFailure(hr, "Failed to get working folder for payload.");
 
  hr = StrAllocConcat(psczWorkingPath, pPayload->sczKey, 0);
@@ -296,7 +321,7 @@ extern "C" HRESULT CacheCalculateContainerWorkingPath(
 {
  HRESULT hr = S_OK;
 
- hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+ hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
  ExitOnFailure(hr, "Failed to get working folder for container.");
 
  hr = StrAllocConcat(psczWorkingPath, pContainer->sczHash, 0);
@@ -921,7 +946,7 @@ extern "C" HRESULT CacheRemoveWorkingFolder(
 
  if (vfInitializedCache)
  {
- hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+ hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, NULL);
  ExitOnFailure(hr, "Failed to calculate the working folder to remove it.");
 
  // Try to clean out everything in the working folder.
@@ -1035,7 +1060,7 @@ extern "C" void CacheCleanup(
 
  if (!fPerMachine)
  {
- hr = CalculateWorkingFolder(wzBundleId, &sczFolder);
+ hr = CalculateWorkingFolder(wzBundleId, &sczFolder, NULL);
  if (SUCCEEDED(hr))
  {
  hr = PathConcat(sczFolder, L"*.*", &sczFiles);
@@ -1099,7 +1124,8 @@ extern "C" void CacheUninitialize()
 
 static HRESULT CalculateWorkingFolder(
  __in_z LPCWSTR /*wzBundleId*/,
- __deref_out_z LPWSTR* psczWorkingFolder
+ __deref_out_z LPWSTR* psczWorkingFolder,
+ __out_opt BOOL* pfWorkingFolderElevated
  )
 {
  HRESULT hr = S_OK;
@@ -1143,11 +1169,18 @@ static HRESULT CalculateWorkingFolder(
 
  hr = StrAllocFormatted(&vsczWorkingFolder, L"%ls%ls\\", wzTempPath, wzGuid);
  ExitOnFailure(hr, "Failed to append bundle id on to temp path for working folder.");
+
+ vfWorkingFolderElevated = fElevated;
  }
 
  hr = StrAllocString(psczWorkingFolder, vsczWorkingFolder, 0);
  ExitOnFailure(hr, "Failed to copy working folder path.");
 
+ if (pfWorkingFolderElevated)
+ {
+ *pfWorkingFolderElevated = vfWorkingFolderElevated;
+ }
+
 LExit:
  return hr;
 }