VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value

VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value

Overview

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.

Description

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:Qt, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root C: drive location.

In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath value from Qt5Core.dll. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.

Impact

By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.

Solution

Apply an update

This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath value in Qt5Core.dll.

Run windeployqt to prepare Windows Qt software for deployment

The windeployqt utility will replace the qt_prfxpath value in the Qt core DLL with the value of ., which helps prevent this path from being used to achieve privilege escalation.

Acknowledgements

This document was written by Will Dormann.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

CVE IDs:

CVE-2022-26873

Date Public:

2010-10-10
Date First Published:
2022-04-28
Date Last Updated:
2022-04-29 16:35 UTC
Document Revision:
4

%d bloggers like this: