Vuln

Through a little known command line argument, applications that configure custom protocol handlers and are are developed using the Qt5 graphical user interface framework can be exposed to a remote code execution vulnerability.

What many developers don't know is that when you use the Qt5 framework, it also adds command line arguments that can be used to modify how the framework works, such as what window title to show, the size of the window, or even its icon.

These command line arguments are passed to the function that initializes the Qt framework, where they are then parsed as shown below.

Qt Sample Code
Qt Sample Code

One command line argument that is not well known is the platformpluginpath command, which specifies what folder Qt5 plugins are loaded from. This location can be a local folder or a remote UNC url.

When this argument is provided, the program will use the inputted path to load the program's Qt plugins, which are specially crafted DLL programs that get loaded by the framework to extend its functionality.

This means that if an attacker hosts a malicious DLL on a remote UNC share and can start the program using the platformpluginpath argument, they can remote load the DLL and execute it.

Forging an RCE exploit

In a report by Zero Day Initiative, security researcher Ziad Badawi explains how Qt5 based applications that create a custom URI handler and do not properly sanitize their command line arguments are vulnerable to remote code execution simply by clicking on a link on a web site.

To illustrate how this command line argument can be used, ZDI showed how two previously reported and resolved vulnerabilities in Malwarebytes (CVE-2019-6739) and Cisco WebEx (CVE-2019-1636) were affected by this vulnerability.

Using Malwarebytes as an example, when the program is installed it will create a custom URI handler called "malwarebytes".  When users click on a link like malwarebytes://www.example.com, Windows will open the assistant.exe program using the command assistant.exe -uri www.example.com.

Registry Entries for Custom Protocol Handler
Malwarebytes Custom URI Handler

To cause assistant.exe to remotely load and execute a malicious DLL, an attacker can simply create or alter a web page to load an iframe using the custom malwarebytes URI protocol as its source. This source url, though, will also utilize the platformpluginpath command line argument and have it point to the remote UNC share where the Qt5 plugins will be loaded.

Example Malwarebytes Exploit
Malwarebytes Exploit

When this happens, assistant.exe will be launched with the command assistant.exe -platformpluginpath \\192.168.131.152\share, which will cause any plugins to be loaded from the remote share folder.

In order for a DLL to be loaded this way by the Qt framework, they have to be crafted a certain way, which took a bit of experimentation by Badawi to figure out.

"Creating that malicious DLL might seem trivial to Qt5 developers, but it initially wasn’t for us. Having no experience in Qt5, compiling a specially crafted DLL that will be loaded by Qt5 took some time. After spending a while trying to figure out the reason for the file not being loaded and its “DllMain” not being executed, we dove a bit deeper into the Qt core to find out that the missing piece was a PE section named .qtmetad. It turns out that a metadata section is required to be present in DLL plugins for them to be identified by Qt5. That section contains details about the plugin and the data it handles like mime types. Copying the section contents from another valid plugin like “qgif.dll” should do the trick."

Once Badawi was able to create a malicious Qt5 plugin DLL, it was easy to exploit the vulnerability in Malwaresbytes.

The Cisco WebEx vulnerability worked exactly the same way but with the custom URI handler of ciscospark://.

Mitigating this exploit

In order for a Qt5 based program to be affected by this vulnerability, it must have the following requirements:

  1. Be a GUI application that utilizes the Qt5 framework.
  2. Load Qt5 plugins
  3. Register a custom URI handler

In order to mitigate this type of exploit, Badawi told BleepingComputer that applications need to sanitize the command line arguments so that remote shares are stripped or the platformpluginpath argument is removed.

Once the arguments have been sanitized, the application can then pass the arguments on to the Qt5 framework without worry about them being abused.

While resolving this vulnerability is simple to do, Badawi was more concerned that most people do not even know this command line argument exists and thus must be sanitized to prevent abuse.

Related Articles:

Critical Erlang/OTP SSH RCE bug now has public exploits, patch now

Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now

ASUS warns of critical auth bypass flaw in routers using AiCloud

Windows NTLM hash leak flaw exploited in phishing attacks on governments

Apple fixes two zero-days exploited in targeted iPhone attacks