tkeyser
Pilgrim

MSI repair option executes without requiring admin privileges

There appears to be an issue in the InstallShield code. After an installation occurs and the user runs a repair on the installation, the repair option allows any user to execute the action without admin privileges. ISBEW64.exe appears to be the culprit, which from my understanding is packaged with InstallShield and we do not have access to it? When the repair action is invoked, the exe is copied to the Windows temp directory and can be manipulated by anyone with system-level access. The modify and remove actions in the maintenance options don't appear to have this issue, as they require admin rights to continue.

We cannot simply just remove the repair option as there are three ways to invoke it:

  • MSI dialog box, by either clicking on the MSI again or under Programs and Features
  • Right-clicking the MSI and clicking on Repair
  • Running msiexec /f to force a repair to run

The second and third ways are based on computer configuration so we don't have control over that.

There was a Microsoft patch back in January that potentially addressed the issue, but after installing the patch, the problem still persists.

References:

https://improsec.com/tech-blog/the-many-pitfalls-of-windows-msi-privilege-escalation-in-windows-7811...

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661

Please advise on how to resolve this from our end: whether we are simply missing something in the configuration that will require the repair step to need admin rights, or whether this is a bug on the InstallShield end that would require a patch fix from your end.

We are using InstallShield 2016 for editing the ISM file and 2019 to build it.
