{"vuid":"VU#411271","idnumber":"411271","name":"Qt allows for privilege escalation due to hard-coding of qt_prfxpath value","keywords":null,"overview":"### Overview\r\n\r\nPrior to version 5.14, Qt hard-codes the `qt_prfxpath` value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.\r\n\r\n### Description\r\n\r\nPrior to version 5.14, Qt hard-codes the `qt_prfxpath` value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within `C:\\Qt\\`, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root `C:\\` drive location.\r\n\r\nIn 2015, a [patch](https://codereview.qt-project.org/gitweb?p=qt%2Fqttools.git&a=commit&h=c2952ff8df1e18fe0120d8b29901b0b794afccc7) was made to [windeployqt](https://doc.qt.io/qt-5/windows-deployment.html) to strip out any existing `qt_prfxpath` value from `Qt5Core.dll`. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.\r\n\r\n### Impact\r\nBy placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nThis issue is addressed in Qt 5.14. 
Starting with this version, Qt no longer hard-codes the `qt_prfxpath` value in `Qt5Core.dll`.\r\n\r\n#### Run windeployqt to prepare Windows Qt software for deployment\r\nThe windeployqt utility will replace the `qt_prfxpath` value in the Qt core DLL with the value of `.`, which helps prevent this path from being used to achieve privilege escalation.\r\n\r\n\r\n### Acknowledgements\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://codereview.qt-project.org/gitweb?p=qt%2Fqttools.git&a=commit&h=c2952ff8df1e18fe0120d8b29901b0b794afccc7","https://bugreports.qt.io/browse/QTBUG-15234","https://doc.qt.io/qt-5/windows-deployment.html"],"cveids":["CVE-2022-26873"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2022-04-28T13:03:12.503402Z","publicdate":"2010-10-10T00:00:00Z","datefirstpublished":"2022-04-28T13:03:12.520093Z","dateupdated":"2022-04-29T16:35:56.269480Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":67}