Applications built with the Qt5 GUI framework can be exposed to remote code execution. An attacker exploits this by abusing a custom protocol handler together with a little-known command-line argument.
Many developers are unaware that the Qt5 framework adds its own command-line arguments, which modify how the framework behaves: the window title, the window size, even the icons to display. These arguments are passed to the functions that initialize the Qt framework and are parsed there.
The little-known argument mentioned above is platformpluginpath, which specifies the folder from which Qt5 plugins are loaded; this can be a local folder or a remote UNC path. When this parameter is supplied, the program loads Qt plugins from the given path. A Qt plugin is a specially crafted DLL that the framework loads to extend its functionality.
This means that if an attacker hosts a malicious DLL on a remote UNC share and can start the program with the platformpluginpath parameter pointing at that share, the DLL is loaded from the share and executed, giving remote code execution.
However, as the above shows, three conditions must hold for such an attack to succeed. The target must:
- Be a GUI application that utilizes the Qt5 framework.
- Load Qt5 plugins.
- Register a custom URI handler.
To mitigate this type of attack, “applications need to sanitize the command line arguments so that remote shares are stripped or the platformpluginpath argument is removed.”
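One way to apply that mitigation, as an added example that is not the article's or Qt's own code: a small C++ filter run over argv before `QApplication` is constructed. The names `sanitizeQtArgs`, `isRemoteShare` and `optionName` are assumptions; the filter relies on Qt reading the plugin path as the whitespace-separated argument that follows `-platformpluginpath`, and also handles the double-dash spelling that Qt accepts for the same option.

```cpp
// Added example (not from the original article): filter argv so that
// "-platformpluginpath" and any remote UNC share never reach the Qt framework.
#include <string>
#include <vector>

// A UNC share starts with "\\" on Windows; Qt also accepts "//" style paths.
bool isRemoteShare(const std::string& value) {
    return value.size() >= 2 &&
           ((value[0] == '\\' && value[1] == '\\') ||
            (value[0] == '/' && value[1] == '/'));
}

// Qt accepts "-name" and "--name" for the same option, so normalise to one dash.
std::string optionName(const std::string& arg) {
    if (arg.size() > 1 && arg[0] == '-' && arg[1] == '-')
        return arg.substr(1);
    return arg;
}

// Returns a copy of args (argv[0] first) with "-platformpluginpath <path>"
// removed outright and any other argument naming a remote share dropped.
// Qt reads the plugin path as the whitespace-separated argument that follows.
std::vector<std::string> sanitizeQtArgs(const std::vector<std::string>& args) {
    std::vector<std::string> out;
    if (args.empty())
        return out;
    out.push_back(args[0]);              // keep the program name as-is
    for (size_t i = 1; i < args.size(); ++i) {
        if (optionName(args[i]) == "-platformpluginpath") {
            ++i;                         // also skip the path that follows it
            continue;
        }
        if (isRemoteShare(args[i]))
            continue;                    // strip remote shares wherever they appear
        out.push_back(args[i]);
    }
    return out;
}

// Stand-alone usage: build the filtered argv that QApplication(int&, char**) expects.
int main(int argc, char** argv) {
    std::vector<std::string> clean = sanitizeQtArgs(std::vector<std::string>(argv, argv + argc));
    std::vector<char*> cleanArgv;
    for (std::string& a : clean)
        cleanArgv.push_back(&a[0]);
    int cleanArgc = static_cast<int>(cleanArgv.size());
    // QApplication app(cleanArgc, cleanArgv.data());   // hand Qt the sanitised list
    return cleanArgc > 0 ? 0 : 1;
}
```

The filter is deliberately conservative: it drops the platformpluginpath argument even when its value is a local folder, which is the stricter of the two options the quoted advice offers.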