March 2011, I've wrote about DLL HiJacking in VirtualBox. VirtualBox support says:
So I check this idea. I downloaded:
and all of this application was vulnerable to dll hiJacking (wintab32.dll).
Demo video:
But Oracle VirtualBox 4.1.2 wasn't vulnerable. Then I tried to find out for which version Qt this problem had been solved. And I'm found this text for Qt 4.7.1:
So if you are using Qt-based application I recommend update your Qt Libraries to =>4.7.1. Just download it from http://qt.nokia.com/downloads/ and replace files with mask QT*.dll at the same directory of executable file Qt-based application.
Links:
"This isn't DLL hijacking IMHO - you've spotted that Qt optionally loads
a library which normally isn't there at all.
If it is really security related, you'd need to report it to Nokia, as
they currently own Qt. We'd appreciate a pointer to the problem report
if possible, so that we can check what they're doing."
So I check this idea. I downloaded:
and all of this application was vulnerable to dll hiJacking (wintab32.dll).
Demo video:
But Oracle VirtualBox 4.1.2 wasn't vulnerable. Then I tried to find out for which version Qt this problem had been solved. And I'm found this text for Qt 4.7.1:
"QLibrary
* [QT-3825] System libraries are only loaded from the system directories."
So if you are using Qt-based application I recommend update your Qt Libraries to =>4.7.1. Just download it from http://qt.nokia.com/downloads/ and replace files with mask QT*.dll at the same directory of executable file Qt-based application.
Links:
- Original post in Russian
- See list of Qt-based application here
- Qt: Security announcement – Windows DLL preloading
- Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution - A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm