Sunday, October 30, 2011

DLL Hijacking in Qt-based applications

In March 2011, I wrote about DLL hijacking in VirtualBox. VirtualBox support says:
"This isn't DLL hijacking IMHO - you've spotted that Qt optionally loads
a library which normally isn't there at all.

If it is really security related, you'd need to report it to Nokia, as
they currently own Qt. We'd appreciate a pointer to the problem report
if possible, so that we can check what they're doing."

So I checked this idea. I downloaded:

and all of these applications were vulnerable to DLL hijacking (wintab32.dll).



But Oracle VirtualBox 4.1.2 wasn't vulnerable. I then tried to find out in which Qt version this problem had been solved, and I found this text for Qt 4.7.1:

"QLibrary
* [QT-3825] System libraries are only loaded from the system directories."

So if you are using a Qt-based application, I recommend updating its Qt libraries to version 4.7.1 or later. Just download them from http://qt.nokia.com/downloads/ and replace the files matching the mask QT*.dll in the same directory as the executable of the Qt-based application.
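An added example, not part of the original post: a Python audit of one application directory for the two conditions discussed above, Qt DLLs older than 4.7.1 and a wintab32.dll sitting beside the executable. Reading the file version by scanning for the VS_FIXEDFILEINFO signature is a heuristic assumption, the function names are hypothetical, and the sample files are constructed.

```python
import struct
import tempfile
from pathlib import Path

FIXED_QT = (4, 7, 1)  # Qt release whose changelog carries the QLibrary fix quoted above
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature


def file_version(data):
    """Return (major, minor, build, revision) from a PE version resource, or None.

    Heuristic (assumption): find VS_FIXEDFILEINFO by its signature instead of
    walking the resource tree; dwFileVersionMS/LS sit 8 bytes after it.
    """
    pos = data.find(VS_FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def audit_app_dir(app_dir):
    """Return (file name, reason) findings for one application directory."""
    findings = []
    for path in sorted(Path(app_dir).iterdir()):
        name = path.name.lower()
        if not path.is_file() or not name.endswith(".dll"):
            continue
        if name == "wintab32.dll":
            findings.append((path.name, "wintab32.dll beside the executable, verify its origin"))
        elif name.startswith("qt"):  # the QT*.dll mask from the post
            version = file_version(path.read_bytes())
            if version is None:
                findings.append((path.name, "no version resource found"))
            elif version[:3] < FIXED_QT:
                findings.append((path.name, "Qt %d.%d.%d is older than 4.7.1" % version[:3]))
    return findings


def constructed_dll(major, minor, build):
    """Constructed sample bytes: padding plus a minimal VS_FIXEDFILEINFO header."""
    header = struct.pack("<III", 0x00010000, (major << 16) | minor, build << 16)
    return b"MZ" + b"\0" * 64 + VS_FFI_SIGNATURE + header


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:  # constructed demo directory
        (Path(demo) / "QtCore4.dll").write_bytes(constructed_dll(4, 6, 3))
        (Path(demo) / "wintab32.dll").write_bytes(b"MZ")
        for name, reason in audit_app_dir(demo):
            print(f"{name}: {reason}")
```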

Links:
  1. Original post in Russian
  2. See list of Qt-based applications here
  3. Qt: Security announcement – Windows DLL preloading
  4. Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution
  5. A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm