A recently discovered security vulnerability, identified as CVE-2022-25255, affects Qt versions 5.9.x through 5.15.x before 5.15.9, and 6.x before 6.2.4, on Linux and UNIX systems. The Qt framework is a widely used C++ library that lets developers build cross-platform applications. The vulnerability lies in a specific class within the Qt framework, QProcess, which could end up executing a binary from the current working directory when the named program is not found in any directory listed in the PATH environment variable. In this article, we take a deeper look at the details of this critical vulnerability, provide a code snippet illustrating the issue, and discuss potential exploit scenarios.

Exploit Details

When using QProcess to start external processes, the Qt framework typically searches for the executable binary in the directories listed in the PATH environment variable. However, in the affected versions of Qt, if the QProcess class doesn't find the specified binary in the PATH, it falls back to looking for the binary in the current working directory. This behavior can be exploited to make an application run malicious code from an unauthorized binary in the current working directory. Let's take a look at an example code snippet illustrating this vulnerability.

Code Snippet

#include <QCoreApplication>
#include <QProcess>
#include <QDebug>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);

    QProcess process;

    // Attempt to execute some_binary without specifying its full path.
    // On an unpatched Qt, a bare name that is not found in PATH is looked up
    // in the current working directory as well.
    process.start("some_binary");

    if (process.waitForStarted()) {
        process.waitForFinished();
    } else {
        qWarning() << "Failed to start the process!";
    }

    return 0;
}

In this code snippet, we use QProcess to start an external binary called some_binary by bare name. The problem arises when that binary is not found in any PATH directory: QProcess then looks for it in the current working directory and may end up executing a malicious binary of the same name that an attacker has placed there.

The official Qt advisory can be found here:

- Qt Advisory for CVE-2022-25255

Official Patches and Releases with Fixes

- Qt 5.15.9 Release
- Qt 6.2.4 Release

Risk Assessment and Mitigation

The risk posed by this vulnerability is significant, as it could allow an attacker to execute arbitrary code on a victim's machine, especially if the affected application runs with elevated privileges. To mitigate this issue, developers should start by upgrading their Qt framework to the releases that contain the security fix for CVE-2022-25255 (5.15.9 for Qt 5 and 6.2.4 for Qt 6). Furthermore, they should avoid using QProcess to execute binaries without providing the full path to the executable: a program path that already contains a directory component is not searched for in PATH at all, so the fallback to the current working directory is never reached.
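As an added example (not code from Qt or from the advisory), the following plain C++ helper shows what an application can do on its own before calling QProcess::start(): resolve a bare program name against PATH only, and treat a miss as a hard failure instead of letting anything fall back to the working directory. It assumes a POSIX system and reuses the hypothetical name some_binary from the snippet above.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Split a PATH-style string on ':'. Empty entries ("" in "/bin::/usr/bin" or a
// trailing ':') and relative entries ("." or "bin") are dropped: both resolve
// against the current working directory, which is exactly what we never search.
std::vector<std::string> safePathDirs(const std::string& pathEnv) {
    std::vector<std::string> dirs;
    std::string::size_type start = 0;
    while (start <= pathEnv.size()) {
        std::string::size_type end = pathEnv.find(':', start);
        if (end == std::string::npos) end = pathEnv.size();
        std::string entry = pathEnv.substr(start, end - start);
        if (!entry.empty() && entry[0] == '/') dirs.push_back(entry);
        start = end + 1;
    }
    return dirs;
}

// Return an absolute path to `program` found in one of the PATH directories, or
// "" if it is not there. Unlike the vulnerable QProcess behaviour, a miss means
// "do not start anything". `program` must be a bare name; anything containing
// '/' is refused so a relative path cannot be smuggled in.
std::string resolveInPathOnly(const std::string& program, const std::string& pathEnv) {
    if (program.empty() || program.find('/') != std::string::npos) return "";
    for (const std::string& dir : safePathDirs(pathEnv)) {
        std::string candidate = dir + "/" + program;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode)
            && access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}

int main() {
    const char* env = std::getenv("PATH");
    std::string resolved = resolveInPathOnly("some_binary", env ? env : "");
    if (resolved.empty()) {
        std::cerr << "some_binary not found in PATH; refusing to start it\n";
        return 1;
    }
    // In the Qt application: process.start(QString::fromStdString(resolved), args);
    std::cout << "would start " << resolved << "\n";
    return 0;
}
```

Because the resolved value always carries a directory component, passing it to QProcess::start() bypasses the PATH search (and the fallback) entirely.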

In closing, while this vulnerability poses a substantial risk, following the recommended practices will minimize the potential for exploitation. Developers should keep their software libraries up to date and stay aware of known security vulnerabilities in them. Stay vigilant, and apply security patches promptly to ensure the safety of your applications and infrastructure.

Timeline

Published on: 02/16/2022 19:15:00 UTC
Last modified on: 02/28/2022 16:18:00 UTC