Community Forums
Results 1 to 3 of 3

Thread: Basic MSI creating a service path without quotes

  1. #1
    Join Date
    Apr 2016
    Posts
    6

    Basic MSI creating a service path without quotes

    Hi

    Some recent PEN testing has shown a vulnerability with some of our product installs, namely services whose paths are not surrounded by quotes (see https://www.commonexploits.com/unquoted-service-paths/).

    We're using InstallShield 2014, Basic MSI to generate our installers. Services are defined using Installshield's built-in 'Services' functionality under Components -> ComponentName -> Advanced Settings -> Services

    I can't see where the path is set, but assume it is taken from the component's key file..?

    Since our files are being installed under C:\Program Files (x86)\, there are spaces in the paths, but the path is not surrounded by quotes, so the vulnerability detailed in the above link is there.

    I understand I can work around this using a custom action to 'add' quotes to the image path in the registry after the service has been created, but just wanted to check:
    Is this a known issue with InstallShield (2014), or with MSI?
    Am I missing something in the InstallShield UI that would result in quotes being added?

    Thanks

  2. #2
    Join Date
    Aug 2005
    Posts
    539
    Windows Installer itself registers the file path via the keypath of a component name provided in the ServiceInstall table:

    https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx

    So, there's not much you can do here to just add quotes.using the native InstallShield functionality.

    If I had to take a wild guess on how to trick Windows Installer to add quotes, it'd be to install the service executable to a path which contains a space in a folder name.

    Failing that, as you mention, a custom action. Don't go down the .Net Installer class route though, if you can avoid it.
    Cary R.
    Configuration Engineer

  3. #3
    Join Date
    Apr 2016
    Posts
    6
    Thanks Cary
    It turns out this is not always the case - on some machines the quotes are there, on others they are not.
    I think it may be to do with the underlying version of the MSI engine being used..? I'll investigate some more.

    But in any case, to be sure we're covered on all installs, I will add a deferred custom action to run after InstallServices to check the ImagePath value in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<serviceName>), and add quotes if required.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •