> From: Gerry Reno <gr...@verizon.net>
> To: wix-users@lists.sourceforge.net
> Cc:
> Sent: Friday, December 20, 2013 10:42 AM
> Subject: Re: [WiX-users] ExeCommand will not accept any path with spaces
>
> On 12/20/2013 01:20 PM, David Connet wrote:
>>> From: Gerry Reno <gr...@verizon.net>
>>> To: wix-users@lists.sourceforge.net
>>> Cc:
>>> Sent: Friday, December 20, 2013 10:03 AM
>>> Subject: Re: [WiX-users] ExeCommand will not accept any path with spaces
>>>
>>> On 12/20/2013 12:49 PM, Edwin Castro wrote:
>>>> On 12/20/13, 9:46 AM, Gerry Reno wrote:
>>>>> On 12/20/2013 10:44 AM, David Connet wrote:
>>>>>>> From: Gerry Reno [mailto:gr...@verizon.net]
>>>>>>>
>>>>>>>>> <Binary Id='CMDEXE' SourceFile='C:\WINDOWS\System32\cmd.exe' />
>>>>>>> I don't think that's legal. cmd.exe is not a redistributable file. You
>>>>>>> can't include it in your installer.
>>>>> cmd.exe is not being distributed. Binary is how you call system files.
>>>>>
>>>>>
>>>> NO. Binary is how you embed files in your MSI for your MSI to use during
>>>> install. You ARE distributing cmd.exe in your MSI which is very likely
>>>> not allowed.
>>> Thanks. I will check this and if it is in the installer package I'll change
>>> it to something like this:
>>>
>>> <Property Id='CMDEXE'>cmd.exe</Property>
>>> <CustomAction Id='LaunchFile' Property='CMDEXE'
>>> ExeCommand='all my arguments' Return='asyncNoWait' />
>> Hmm... nasty attack vector there...
>> - My PATH: c:\bin;...
>> - create c:\bin\cmd.exe, do whatever I want
> What? You always shoot your own system? :-)
>
> Any virus that did that would be caught by the anti-virus.

No, the point is you've now created a vector that a malicious program could infect a system. Let's assume a naive person was convinced to download a nasty cmd.exe that was inserted into the system where it is found before the real one. And the user is not an admin. And the installer is run by right-click/runasAdmin. Now the nasty program has full admin rights.

Dave

_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
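
The hardening this exchange points toward, as an added example that is not part of any poster's message or of the WiX project's own code: give the custom action a full path built from the installer's SystemFolder property instead of the bare name cmd.exe. The SetProperty element, its scheduling, and the Custom scheduling and condition are assumptions; the ExeCommand value is the thread's own placeholder.

```xml
<!-- Added example. These elements are assumed to sit inside the existing
     Product element of the .wxs file. -->

<!-- Weak form proposed in the thread, kept here for comparison only.
     The property holds a bare file name, so which cmd.exe is launched
     depends on how the name gets resolved at install time.
<Property Id='CMDEXE'>cmd.exe</Property>
-->

<!-- Hardened form: compute the full path at install time from SystemFolder,
     which Windows Installer sets itself to the system directory.
     On 64-bit Windows, SystemFolder is the 32-bit system directory;
     System64Folder is the 64-bit one. -->
<SetProperty Id='CMDEXE' Value='[SystemFolder]cmd.exe' After='CostFinalize' />

<!-- Same custom action as in the thread; it now receives a full path. -->
<CustomAction Id='LaunchFile' Property='CMDEXE'
              ExeCommand='all my arguments' Return='asyncNoWait' />

<InstallExecuteSequence>
  <!-- Assumed scheduling: run once, at the end of a first-time install. -->
  <Custom Action='LaunchFile' After='InstallFinalize'>NOT Installed</Custom>
</InstallExecuteSequence>
```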