Installer allows a tampered script

[sasha]

Hello!

We use custom actions in our installer that are calling into an external temporarily installed PowerShell script file.
The file is digitally signed.
When I tamper with the file that the installer writes out into a temp folder and try to execute it, I get an error that the file is tampered with. The Execution policy is AllSigned. The installer at this moment is in the early stages of the dialogs.

When I let the installer to proceed, it does so without any issues, invoking functions in the tampered PS script file.

This is a major problem for us and I would be thankful for a possible solution.

We are using AI 21.7.1

Thanks!

[Catalin]

Hello Sasha,

Please note that this behavior is normal.

If you manually modify the PowerShell script when it is on the disk, the hash of that file is changed and no longer recognized.

Why would you need to manually modify the PowerShell script during the installation process? I can't think of any scenario where this would be a solution.

Best regards,
Catalin

[sasha]

Thanks for the reply, Catalin.

Indeed, a tampered with file should not be run and it isn't - when invoked by the PowerShell directly.
But it does run when it is executed by the Advanced Installer-produced installer.

This is a security issue. A normal user (hopefully) would not modify a script file. But a malicious one could. And AI will let it happen, it seems.

So, I'm in a search of a solution.

Thanks!

[Catalin]

Hey Sasha,

Thank you for the followup on this - I understood exactly the opposite of what you were saying.

If possible, could you please create a sample project that reproduces this issue and forward that to me, together with a test case, so I can run some tests on my end and further investigate this behavior?

Best regards,
Catalin

[sasha]

Will try, Catalin.

The basic steps are very simple. Have a PS script attached to the installer, set it to run from the temp folder, mark it to be signed.
Have a custom action to execute external PS script.
When the dialogs come up, before clicking the 'install', go to the temp folder and tamper with the .ps1 script file (like change a variable name).
Proceed with the install. It will continue and will execute the CA with the tampered with .ps1 file.

[Catalin]

Hello Sasha,

Thank you for your followup on this, the scenario is clear for me now.

I will give this a go soon and will update this thread with what I'll find.

Best regards,
Catalin

[Catalin]

Hello Sasha,

A quick followup on this as I'm note quite able to reproduce the issue on my end, due to the fact that I'm not able to locate the script.

Here's how I configured the custom action:

Screenshot_49.png (16.1 KiB) Viewed 990 times

In your case, you mentioned that the script is in %temp% folder before pressing the "Install" button, but this does not seem to be the case for me.

That being said, are you sure you did not miss a step perhaps in the test case?

Best regards,
Catalin

[Catalin]

Hello Sasha,

Please disregard my last reply.

I have now managed to reproduce the issue on my end.

I have also created a high priority request so that this is getting taken care of.

Thank you for bringing this to our attention!

I will update this thread as soon as I'll have more information from the dev team.

Best regards,
Catalin

[sasha]

Dear Catalin,

glad you were able to reproduce the issue and waiting for a fix, which I'm sure you will be able to produce!

Regards,
Sasha

[Catalin]

Hello Sasha,

Yes, we will do our best to find a fix for this.

Once a fix will be available, I will update this thread.

Best regards,
Catalin

[sasha]

Hello Catalin!

I wonder if there is an update for this issue?

Thanks!

[Catalin]

Hello,

For now, I do not have an update on this.

As I said previously, I will update this thread as soon as I have an update on this.

Best regards,
Catalin

[sasha]

Sounds good, thanks.

[Catalin]

You are always welcome, Sasha!

Best regards,
Catalin