Summary

A potential elevated privilege issue has been reported with InstallShield built Standalone MSI setups having multiple InstallScript custom actions configured.

Note: All supported versions (InstallShield 2023 R2, InstallShield 2022 R2 and InstallShield 2021 R2) are affected by this issue.

This article provides details about this potential vulnerability and the remediation steps available.

Description

InstallShield MSI setup requires the ISBEW64.exe utility, launched as _isxxxx.exe where xxxx is an arbitrary hex number, to handle 64-bit redirections. For every InstallScript custom action in a standalone MSI setup, a new _isxxxx.exe with random hex number is extracted to a secured random temporary directory which will be cleared once the execution is completed. During the execution, the new _isxxxx.exe process may refer to the already deleted temporary directory due to incorrect DLL search order.

Since this previously deleted temporary folder path is below C:\Windows\Temp, a non-admin user can track the folder paths, recreate the directory with the same random name and place a malicious system DLL file. The new _isxxxx.exe process then loads the tampered DLL placed in older directory which would lead to a local privilege escalation.

Workaround

There is no workaround available for this issue.

Fix Version and Resolution

The issue is addressed in InstallShield 2024 R1 which is available for download in the Product and License Center. The fix enables safe DLL search mode in EXEs, where applicable.

Additional Information

Thank you to Sandro Poppi for disclosing this issue to Revenera PSIRT.