Protect Yourself from DLL Redirection Attacks When Using WiX Toolset Installers

CVSScvssV3_1: 8.3

WiX toolset is an open source tool used by developers to create installers for the Windows Installer system. It was found to be vulnerable to a technique called DLL redirection attacks that could allow privilege escalation on systems where a vulnerable installer was used.

In a DLL redirection attack, a malicious actor replaces a trusted system DLL file with one they control during the installation process. This happens because installers often need to unpack DLLs into the TEMP folder before copying them to their final locations. By replacing a DLL in the TEMP folder, an attacker can make the installer inadvertently install a trojan version of that file instead.

If the replaced DLL is one that loads at a higher privilege level than the installer runs at, this allows the attacker’s code to also run at that higher privilege level after installation. From there, they may be able to install malware or take other unauthorized actions on the compromised system.

The specific issue was that WiX toolset did not properly clean up the .be TEMP folder after installation, leaving the possibility for an attacker to hijack the DLL replacement process. This has now been fixed in version 4.0.4 of the toolset.

If you use any software installed via a WiX package, be sure to update to the latest version. Also keep your system up-to-date with the latest patches, as other privilege escalation issues may be fixed over time. Taking basic precautions like these can help protect you from DLL redirection and similar attacks in the future.