mirror of
https://github.com/microsoft/PowerToys.git
synced 2026-04-01 18:57:46 +00:00
## Summary of the Pull Request

Attack vector:

1. The user installs the per-machine installer.
2. Open an elevated command prompt and verify the newly added PowerToys PATH entry.
3. Inspect the ACL on the DSCModules directory and observe that the "Authenticated Users" group has inherited Modify permissions.
4. Log in as a low-privileged (non-admin) user and confirm that you can create or modify files in `C:\PowerToys\DSCModules\`. This confirms that a non-admin user can plant arbitrary DLLs in a system PATH directory.
5. The attacker identifies a DLL that a privileged process (e.g., a system service or an application running as a different, higher-privileged user) attempts to load via the standard DLL search order. The attacker crafts a malicious DLL with the same name and places it in `C:\PowerToys\DSCModules`.

The fix is to:

* Harden the PowerToys DSC directory for per-machine custom installs with the correct ACL, enforced with WiX.

## PR Checklist

- [ ] Closes: #xxx
- [ ] **Communication:** I've discussed this with core contributors already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
  - [ ] [JSON for signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json) for new binaries
  - [ ] [WXS for installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs) for new binaries and localization folder
  - [ ] [YML for CI pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml) for new test projects
  - [ ] [YML for signed pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request on [our docs repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys) and link it here: #xxx

## Detailed Description of the Pull Request / Additional comments

## Validation Steps Performed

After upgrade, the ACL:

```
Path   : Microsoft.PowerShell.Core\FileSystem::C:\apps\Power Toys\DSCModules
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:SYG:SYD:P(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)
```

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
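As an added defensive check (not code from this PR or from the PowerToys project), the PowerShell audit below walks the machine-wide PATH and reports any directory whose ACL lets a low-privileged principal create or modify files, which is the condition the summary describes for `DSCModules` before this fix. It assumes Windows PowerShell 5.1 or later and only needs read access to each directory's security descriptor.

```powershell
# Added example, not part of this PR: audit every directory on the machine-wide PATH
# for Allow ACEs that let a low-privileged principal plant or replace files there.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Well-known SIDs that any interactive, non-admin user is a member of.
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4',      # Interactive
    'S-1-5-32-546'  # BUILTIN\Guests
)

# Rights that permit creating, replacing or re-ACLing files in the directory, plus the
# unmapped generic bits (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) some ACEs carry.
$writeMask = [int]([FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories -bor
    [FileSystemRights]::WriteAttributes -bor [FileSystemRights]::WriteExtendedAttributes -bor
    [FileSystemRights]::Delete -bor [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [FileSystemRights]::WriteDacl -bor [FileSystemRights]::WriteOwner) -bor 0x10000000 -bor 0x40000000

function Test-WeakPathDirectory {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if (([int]$ace.PropagationFlags) -band [int][PropagationFlags]::InheritOnly) { continue }
        try { $sid = $ace.IdentityReference.Translate([SecurityIdentifier]).Value } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights) -band $writeMask) {
            [pscustomobject]@{ Directory = $Directory; Principal = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Per-machine PATH only: that is the scope a per-machine installer changes.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$findings = $machinePath -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Sort-Object -Unique |
    ForEach-Object { Test-WeakPathDirectory -Directory $_ }

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No PATH directory grants write access to low-privileged principals.' }
```

A directory that appears in the output is one where the hardened ACL shown in the validation section (Users limited to ReadAndExecute, Synchronize) has not been applied.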