DavidPainter
Level 3

Basic MSI creating a service path without quotes

Hi

Some recent PEN testing has shown a vulnerability with some of our product installs, namely services whose paths are not surrounded by quotes (see https://www.commonexploits.com/unquoted-service-paths/).

We're using InstallShield 2014, Basic MSI to generate our installers. Services are defined using InstallShield's built-in 'Services' functionality under Components -> ComponentName -> Advanced Settings -> Services.

I can't see where the path is set, but assume it is taken from the component's key file..?

Since our files are being installed under C:\Program Files (x86)\, there are spaces in the paths, but the path is not surrounded by quotes, so the vulnerability detailed in the above link is there.

I understand I can work around this using a custom action to 'add' quotes to the image path in the registry after the service has been created, but just wanted to check:
Is this a known issue with InstallShield (2014), or with MSI?
Am I missing something in the InstallShield UI that would result in quotes being added?

Thanks

0 Kudos
2 Replies
Cary_R
Level 11

Windows Installer itself registers the file path via the keypath of a component name provided in the ServiceInstall table:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa371637(v=vs.85).aspx

So, there's not much you can do here to just add quotes using the native InstallShield functionality.

If I had to take a wild guess on how to trick Windows Installer to add quotes, it'd be to install the service executable to a path which contains a space in a folder name.

Failing that, as you mention, a custom action. Don't go down the .Net Installer class route though, if you can avoid it.
0 Kudos
DavidPainter
Level 3

Thanks Cary
It turns out this is not always the case - on some machines the quotes are there, on others they are not.
I think it may be to do with the underlying version of the MSI engine being used..? I'll investigate some more.

But in any case, to be sure we're covered on all installs, I will add a deferred custom action to run after InstallServices to check the ImagePath value in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\), and add quotes if required.
0 Kudos
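
The "check the ImagePath value and add quotes if required" step from the last reply, sketched as an added example (not code from the thread, InstallShield or Windows Installer). It covers only the string decision such a custom action has to make; the function names and sample values are hypothetical, and it assumes the executable ends at the first `.exe`/`.com`/`.bat`/`.cmd` followed by whitespace or end of string.

```python
import re

# Assumption: the binary path ends at the first executable extension that is
# followed by whitespace or end of string; anything after it is arguments.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def fix_image_path(image_path: str) -> str:
    """Return the ImagePath with its executable portion quoted if required."""
    value = image_path.strip()
    if not value or value.startswith('"'):
        return image_path              # empty, or already quoted
    match = _EXE_END.search(value)
    if match is None:
        return image_path              # e.g. a driver .sys path: leave untouched
    exe, args = value[:match.end()], value[match.end():]
    # ImagePath is REG_EXPAND_SZ, so %ProgramFiles% and similar may expand to
    # a path containing spaces; treat an unexpanded variable like a space.
    # Quoting a path that turns out to have no spaces is harmless.
    if " " not in exe and "%" not in exe:
        return image_path
    return f'"{exe}"{args}'


def audit(services: dict) -> dict:
    """Map service name -> corrected ImagePath, for entries that need a change."""
    fixes = {}
    for name, path in services.items():
        fixed = fix_image_path(path)
        if fixed != path:
            fixes[name] = fixed
    return fixes


# Constructed sample values, not taken from a real machine.
SAMPLES = {
    "VendorSvc": r"C:\Program Files (x86)\Vendor\svc.exe",
    "VendorSvcArgs": r"C:\Program Files (x86)\Vendor\svc.exe -k run",
    "VendorQuoted": r'"C:\Program Files (x86)\Vendor\svc.exe" -k run',
    "VendorEnv": r"%ProgramFiles%\Vendor\svc.exe",
    "NoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fixed in audit(SAMPLES).items():
        print(f"{name}: {SAMPLES[name]!r} -> {fixed!r}")
```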