{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/411271#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nPrior to version 5.14, Qt hard-codes the `qt_prfxpath` value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.\r\n\r\n### Description\r\n\r\nPrior to version 5.14, Qt hard-codes the `qt_prfxpath` value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within `C:\\Qt\\`, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root `C:\\` drive location.\r\n\r\nIn 2015, a [patch](https://codereview.qt-project.org/gitweb?p=qt%2Fqttools.git&a=commit&h=c2952ff8df1e18fe0120d8b29901b0b794afccc7) was made to [windeployqt](https://doc.qt.io/qt-5/windows-deployment.html) to strip out any existing `qt_prfxpath` value from `Qt5Core.dll`. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.\r\n\r\n### Impact\r\nBy placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nThis issue is addressed in Qt 5.14. 
Starting with this version, Qt no longer hard-codes the `qt_prfxpath` value in `Qt5Core.dll`.\r\n\r\n#### Run windeployqt to prepare Windows Qt software for deployment\r\nThe windeployqt utility will replace the `qt_prfxpath` value in the Qt core DLL with the value of `.`, which helps prevent this path from being used to achieve privilege escalation.\r\n\r\n\r\n### Acknowledgements\r\n\r\nThis document was written by Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"MiniTool ShadowMaker versions 1.0 and 3.0 beta are vulnerable. ShadowMaker version 3.6 properly strips out the `qt_prfxpath` variable, so it is not vulnerable.","title":"CERT/CC comment on MiniTool notes"},{"category":"other","text":"Qt version 5.14 and later do not have a hard-coded path stored as `qt_prfxpath`. Qt versions prior to 5.14 require [windeployqt](https://doc.qt.io/qt-5/windows-deployment.html) to replace any hard-coded path in `Qt5Core.dll` with `.`, or the software that uses Qt may be vulnerable to privilege escalation on Windows.","title":"CERT/CC comment on Qt notes"},{"category":"other","text":"CVE-2022-26873 has been resolved with a binary patch to the QT library TYCHON uses.  
The TYCHON Endpoint version 1.7.857.82 contains the fix to this vulnerability.","title":"Vendor statement from Tychon"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/411271"},{"url":"https://codereview.qt-project.org/gitweb?p=qt%2Fqttools.git&a=commit&h=c2952ff8df1e18fe0120d8b29901b0b794afccc7","summary":"https://codereview.qt-project.org/gitweb?p=qt%2Fqttools.git&a=commit&h=c2952ff8df1e18fe0120d8b29901b0b794afccc7"},{"url":"https://bugreports.qt.io/browse/QTBUG-15234","summary":"https://bugreports.qt.io/browse/QTBUG-15234"},{"url":"https://doc.qt.io/qt-5/windows-deployment.html","summary":"https://doc.qt.io/qt-5/windows-deployment.html"}],"title":"Qt allows for privilege escalation due to hard-coding of qt_prfxpath value","tracking":{"current_release_date":"2022-04-29T16:35:56+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#411271","initial_release_date":"2010-10-10 00:00:00+00:00","revision_history":[{"date":"2022-04-29T16:35:56+00:00","number":"1.20220429163556.4","summary":"Released on 2022-04-29T16:35:56+00:00"}],"status":"final","version":"1.20220429163556.4"}},"vulnerabilities":[{"title":"Qt prior to 5.","notes":[{"category":"summary","text":"Qt prior to 5.14 hard-codes a qt_prfxpath variable to a directory that is writable by an unprivileged Windows user, which may allow for privilege escalation."}],"cve":"CVE-2022-26873","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#411271"}],"product_status":{"known_affected":["CSAFPID-66a2cc66-39d8-11f1-8422-122e2785dc9f","CSAFPID-66a3078a-39d8-11f1-8422-122e2785dc9f","CSAFPID-66a34bb4-39d8-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"MiniTool","product":{"name":"MiniTool Products","product_id":"CSAFPID-66a2cc66-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Qt","product":{"name":"Qt Products","product_id":"CSAFPID-66a3078a-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Tychon","product":{"name":"Tychon Products","product_id":"CSAFPID-66a34bb4-39d8-11f1-8422-122e2785dc9f"}}]}}