BeeWare Briefcase Windows MSI Installer Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in BeeWare Briefcase versions 0.3.0 prior to 0.3.26. When Briefcase is used to create a Windows MSI installer for a project that is then installed for all users (per-machine scope), the installation directory inherits permissions from the parent directory. This can allow a low-privileged but authenticated user to modify or replace the application's binaries. If an administrator subsequently executes the altered binary, it will run with elevated privileges. The vulnerability arises from the WiX template used to generate the installer, which does not set explicit permissions for the installation directory.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of application binaries, allowing for privilege escalation when the altered application is executed by an administrator.

Reproduction

To reproduce this vulnerability, create an MSI installer using Briefcase with the per-machine install scope. Install the MSI to a location outside of the Program Files directory. After installation, check the inherited permissions of the installation directory using PowerShell. The permissions will reveal that the directory has inherited permissions from its parent, potentially allowing authenticated users to modify application files.

Remediation

Users can update Briefcase to version 0.3.26, 0.4.0, or 0.4.1, where the vulnerability has been fixed. For those using Briefcase versions 0.3.24 or later, the patch can be manually applied to the .wxs file generated by Briefcase.