[Development] New Qt vulnerabilities

Thiago Macieira thiago.macieira at intel.com
Thu Jan 30 17:12:27 CET 2020


On Thursday, 30 January 2020 03:05:50 PST Olivier Goffart wrote:
> $PWD is not the same as the binary dir
> (QCoreApplication::applicationDirPath). The latter is still searched while
> looking for plugins (so that covers the case where the plugin is in the folder
> next to the binary).
> 
> But I am also not sure why Windows is not affected.

Because LoadLibrary() works differently from dlopen().

The Qt plugin loader code will open the DLL relative to $PWD and inspect its
plugin metadata, in order to decide whether to load or not. Then it tells
LoadLibrary to load a plain filename with no path components and LoadLibrary()
goes and searches the system paths (which include the .exe's) first. So it
loads a different file.

This is similar to a TOCTOU attack, but I couldn't come up with a reasonable
attack scenario. If the interposing DLL has metadata saying not to load,
QLibrary will find the actual plugin later and will load that. The worst that
could happen is that the interposing DLL has valid but incorrect metadata
causing another DLL to be loaded that shouldn't be. This other DLL isn't under
the control of the attacker, though, and neither is the name of the DLL.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products
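As an added illustration (not Qt's code and not from this thread), the following Python models the check/load mismatch described in the mail: the inspected file is resolved relative to $PWD, while a bare filename handed to LoadLibrary is resolved by Windows' default (SafeDllSearchMode) search order, application directory first. The directory names, file sets and the hardened "load the path you inspected" variant are constructed for the example.

```python
# Added model of the Windows plugin check/load mismatch; not Qt code.
# posixpath is used so the constructed paths are deterministic on any host.
from __future__ import annotations
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Env:
    app_dir: str        # QCoreApplication::applicationDirPath equivalent
    system_dirs: tuple  # System32, Windows dir (constructed names)
    cwd: str            # $PWD
    path_dirs: tuple    # %PATH% entries
    files: frozenset    # absolute paths that exist (constructed)


def loadlibrary_resolve(name: str, env: Env) -> str | None:
    """Where LoadLibrary(name) lands. A bare filename is searched in the
    default SafeDllSearchMode order: app dir, system dirs, cwd, then PATH.
    A name with path components is used as-is, with no search."""
    if "/" in name or "\\" in name:
        return name if name in env.files else None
    for d in (env.app_dir, *env.system_dirs, env.cwd, *env.path_dirs):
        cand = posixpath.join(d, name)
        if cand in env.files:
            return cand
    return None


def checked_then_loaded_by_name(name: str, env: Env) -> tuple:
    """The pattern in the mail: inspect $PWD/name, then LoadLibrary(name).
    Returns (inspected_path, loaded_path); they need not be the same file."""
    inspected = posixpath.join(env.cwd, name)
    if inspected not in env.files:
        return None, None
    return inspected, loadlibrary_resolve(name, env)


def checked_then_loaded_by_path(name: str, env: Env) -> tuple:
    """Hardened variant: hand LoadLibrary the absolute path that was inspected,
    so the metadata check and the load refer to the same file."""
    inspected = posixpath.join(env.cwd, name)
    if inspected not in env.files:
        return None, None
    return inspected, loadlibrary_resolve(inspected, env)


def mismatch(name: str, env: Env) -> bool:
    """True when the by-name pattern would inspect one file and load another."""
    inspected, loaded = checked_then_loaded_by_name(name, env)
    return inspected is not None and inspected != loaded
```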