[Development] New Qt vulnerabilities
Henry Skoglund
henry at tungware.se
Thu Jan 30 18:53:58 CET 2020
On 2020-01-30 18:09, Olivier Goffart wrote:
> On 30/01/20 17:12, Thiago Macieira wrote:
>> On Thursday, 30 January 2020 03:05:50 PST Olivier Goffart wrote:
>>> $PWD is not the same as the binary dir
>>> (QCoreApplication::applicationDirPath) The later is still searched
>>> while
>>> looking for plugin. (so that covers the case where plugin is in the
>>> folder
>>> next to the binary)
>>>
>>> But I am also not sure why Windows is not affected.
>>
>> Because LoadLibrary() works differently from dlopen().
>>
>> The Qt plugin loader code will open the DLL relative to $PWD and
>> inspect its
>> plugin metadata, in order to decide whether to load or not. Then it
>> tells
>> LoadLibrary to load a plain filename with no path components and
>> LoadLibrary()
>> goes and searches the system paths (which include the .exe's) first.
>> So it
>> loads a different file.
>>
>> This is similar to a TOCTOU attack, but I couldn't come up with a
>> reasonable
>> attack scenario. If the interposing DLL has metadata saying not to load,
>> QLibrary will find the actual plugin later and will load that. The
>> worst that
>> could happen is that the interposing DLL has valid but incorrect
>> metadata
>> causing another DLL to be loaded that shouldn't be. This other DLL
>> isn't under
>> the control of the attacker, though and neither is the name of the DLL.
>
> I think a reasonable attack scenario remains if the plugin does not
> exist in the system.
>
Hi, since Qt's plugin loader does not care what the filename is, as long
as it ends with .dll (i.e. if you rename qwindows.dll to grapefruit.dll
it will still be loaded), isn't an attack always possible?
More information about the Development
mailing list