[Development] New Qt vulnerabilities

Thiago Macieira thiago.macieira at intel.com
Thu Jan 30 19:55:04 CET 2020

On Thursday, 30 January 2020 09:09:47 PST Olivier Goffart wrote:
> > This is similar to a TOCTOU attack, but I couldn't come up with a
> > reasonable attack scenario. If the interposing DLL has metadata saying
> > not to load, QLibrary will find the actual plugin later and will load
> > that. The worst that could happen is that the interposing DLL has valid
> > but incorrect metadata causing another DLL to be loaded that shouldn't
> > be. This other DLL isn't under the control of the attacker, though and
> > neither is the name of the DLL.
> I think a reasonable attack scenario remains if the plugin does not exist in
> the system.

You're talking about an application that attempts to load an optional plugin 
with no pathname?

I didn't test that. I don't know if LoadLibrary() searches $PWD at all. I only 
tested non-optional plugins in the proof of concept.

Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products

More information about the Development mailing list