[Development] New Qt vulnerabilities

Thiago Macieira thiago.macieira at intel.com
Thu Jan 30 19:55:04 CET 2020


On Thursday, 30 January 2020 09:09:47 PST Olivier Goffart wrote:
> > This is similar to a TOCTOU attack, but I couldn't come up with a
> > reasonable attack scenario. If the interposing DLL has metadata saying
> > not to load, QLibrary will find the actual plugin later and will load
> > that. The worst that could happen is that the interposing DLL has valid
> > but incorrect metadata causing another DLL to be loaded that shouldn't
> > be. This other DLL isn't under the control of the attacker, though and
> > neither is the name of the DLL.
> I think a reasonable attack scenario remains if the plugin does not exist in
> the system.

You're talking about an application that attempts to load an optional plugin
with no pathname?

I didn't test that. I don't know if LoadLibrary() searches $PWD at all. I only
tested non-optional plugins in the proof of concept.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products
