CVE-2023-29080 Overview
CVE-2023-29080 is a privilege escalation vulnerability affecting Revenera InstallShield versions 2022 R2 and 2021 R2. The vulnerability arises when adding an InstallScript custom action to a Basic MSI or InstallScript MSI project, which extracts binaries to a predefined writable folder during installation time. Because standard user accounts have write access to these files and folders, an attacker can replace them during installation to achieve DLL hijacking, potentially leading to privilege escalation.
Critical Impact
Local attackers with standard user privileges can exploit this vulnerability to escalate privileges by hijacking DLL files during software installation, potentially gaining elevated system access.
Affected Products
- Revenera InstallShield 2022 R2
- Revenera InstallShield 2021 R2
- Software packages built using affected InstallShield versions
Discovery Timeline
- 2025-01-30 - CVE CVE-2023-29080 published to NVD
- 2025-01-30 - Last updated in NVD database
Technical Details for CVE-2023-29080
Vulnerability Analysis
This vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties). The core issue stems from improper file permission handling during InstallShield-based software installations.
When an InstallScript custom action is added to a Basic MSI or InstallScript MSI project, the installation process extracts certain binary files to a predefined folder. The critical flaw is that this folder is writable by standard (non-privileged) user accounts on the system. This creates a race condition scenario where an attacker can monitor for installation activity and replace legitimate binaries with malicious ones before they are executed with elevated privileges.
The DLL hijacking attack leverages the Windows DLL search order mechanism. When the installer or the installed application loads a DLL, it searches predefined directories in a specific order. By placing a malicious DLL in the writable folder before the legitimate DLL is loaded, an attacker can intercept the DLL loading process and execute arbitrary code with the privileges of the installation process—typically SYSTEM or Administrator level.
Root Cause
The root cause of this vulnerability is the insecure file system permissions applied to the temporary extraction folder used during InstallShield installations. The installer extracts binary files to a location where standard users have write permissions, violating the principle of least privilege. Combined with the elevated privileges typically required for software installation, this creates a privilege escalation vector through DLL hijacking.
Attack Vector
The attack requires local access to the target system with standard user privileges. An attacker would need to:
- Identify when an InstallShield-based installation is occurring on the system
- Locate the predefined writable folder where binaries are extracted
- Replace legitimate DLL files with malicious versions before they are loaded
- Wait for the installation process to load the hijacked DLL with elevated privileges
The vulnerability exploits the Time-of-Check Time-of-Use (TOCTOU) window between file extraction and file loading, combined with the overly permissive file system ACLs on the extraction directory.
Detection Methods for CVE-2023-29080
Indicators of Compromise
- Unexpected DLL files appearing in InstallShield temporary extraction directories
- File modification timestamps that predate the installation start time on extracted binaries
- Hash mismatches between extracted DLLs and known-good installer components
- Unusual process trees showing msiexec.exe or InstallShield processes loading DLLs from unexpected locations
Detection Strategies
- Monitor file system activity in common InstallShield extraction paths (e.g., %TEMP%, %APPDATA%, and custom extraction directories) for rapid file replacement patterns
- Implement application whitelisting to prevent unauthorized DLLs from being loaded by installer processes
- Deploy endpoint detection rules that alert on DLL loads from writable user directories by elevated processes
- Use SentinelOne's behavioral AI to detect anomalous DLL loading patterns during software installation workflows
Monitoring Recommendations
- Enable detailed file system auditing on known InstallShield extraction directories
- Configure alerts for privilege escalation attempts correlating with software installation events
- Implement integrity monitoring on systems where InstallShield-based installations are expected
- Review installation logs for evidence of DLL loading failures or unexpected library paths
How to Mitigate CVE-2023-29080
Immediate Actions Required
- Apply the security patch provided by Revenera for InstallShield 2022 R2 and 2021 R2
- Review and audit existing InstallShield projects that use InstallScript custom actions
- Implement application control policies to restrict DLL loading during installation processes
- Consider temporarily suspending deployments of affected installer packages until patched versions are available
Patch Information
Revenera has released a security patch addressing this vulnerability. The patch modifies the file extraction behavior to use secure directories with appropriate access controls during installation. Administrators should obtain the patch from the Revenera Security Patch Advisory and apply it to all InstallShield development environments. After patching, all affected installer projects should be rebuilt to incorporate the security fixes.
Workarounds
- Manually modify extraction directory permissions to restrict standard user write access during installation
- Implement Windows Defender Application Control (WDAC) policies to enforce DLL code signing requirements
- Use process monitoring tools to detect and block unauthorized DLL replacements during installation
- Consider running installations in isolated environments where standard users cannot access the extraction directories
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
