CVE-2022-31694 - Critical Vulnerability Found in InstallBuilder Qt Installers

A newly discovered vulnerability, CVE-2022-31694, affects InstallBuilder Qt installers built with versions prior to 22.10. This critical vulnerability may allow an attacker to plant a malicious DLL in the installer's parent directory that gets executed when certain popups are displayed. At its core, this vulnerability could allow an attacker to execute code with the privileges of the installer.

Background

InstallBuilder Qt is a popular multi-platform installation tool used to create native and easy-to-use installers for various applications. Many developers rely on InstallBuilder Qt to ensure their applications are distributed and installed seamlessly across different devices.

Vulnerability Details

The critical vulnerability, CVE-2022-31694, stems from how InstallBuilder Qt loads DLLs from the installer binary's parent directory when displaying popups. Due to this behavior, an attacker may be able to place a malicious DLL in the installer's parent directory, which gets executed with the same privileges as the installer when the popup triggers the loading of the library.

It's important to note that exploiting this type of vulnerability typically requires an attacker to already have access to the vulnerable machine (or to the directory the installer is run from) in order to plant the malicious DLL. Even so, the attack vector and low complexity of this vulnerability make it a severe risk for any applications or installations using InstallBuilder Qt with versions prior to 22.10.

The following code snippet showcases an example of how an attacker might plant a malicious DLL:

#include <Windows.h>

// Entry point the loader calls when the installer picks this DLL up from its
// parent directory instead of the legitimate library it expected.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // MessageBoxW is used explicitly: the wide-string literals below require
        // the W variant regardless of whether UNICODE is defined at build time.
        MessageBoxW(NULL, L"Malicious DLL loaded by InstallBuilder Qt", L"Exploit Successful", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

In this example, the malicious DLL code displays a message box when it is successfully loaded by the installer. While this specific example is relatively benign, the attacker could include any code to be executed by the installer with its privileges.

Mitigation and Remediation

If you are using InstallBuilder Qt, it is strongly recommended that you update your software to the latest version, 22.10 or later, which addresses this vulnerability. You can find the latest version of InstallBuilder Qt here: https://installbuilder.com/download.html

For developers who have distributed software using vulnerable versions of InstallBuilder Qt, it is crucial to notify your users to update their software installations and ensure they are using a secure version of your application.
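For users and administrators who may have run a vulnerable installer, a simple triage check is to look for the layout this attack requires: an installer executable with one or more DLLs sitting beside it, especially in a directory the current user can write to. The script below is an added example, not part of the advisory or of InstallBuilder; the directory and file names it creates are constructed for demonstration.

```python
"""Triage scan for the DLL-planting layout described in the advisory:
directories that hold both a Windows installer (.exe) and .dll files.
Example code added here; it is not InstallBuilder's code."""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Finding:
    installer: str                               # path of the .exe in the directory
    dlls: list = field(default_factory=list)     # DLL file names sitting beside it
    dir_writable: bool = False                   # current user can write to the directory


def scan_for_colocated_dlls(root):
    """Walk `root` and report every directory containing both an .exe and .dll files.

    A writable directory is the worse case: anyone who can drop a file there can
    stage a DLL for an installer that searches its own directory first.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue
        writable = os.access(dirpath, os.W_OK)
        for exe in exes:
            findings.append(Finding(os.path.join(dirpath, exe), dlls, writable))
    return findings


def demo():
    """Constructed sample tree: one clean download folder, one with a planted DLL."""
    root = tempfile.mkdtemp(prefix="installer-scan-")
    clean = os.path.join(root, "clean")
    suspect = os.path.join(root, "suspect")
    os.makedirs(clean)
    os.makedirs(suspect)
    # File names below are constructed placeholders, not taken from the advisory.
    open(os.path.join(clean, "app-setup.exe"), "wb").close()
    open(os.path.join(suspect, "app-setup.exe"), "wb").close()
    open(os.path.join(suspect, "planted-example.dll"), "wb").close()
    return scan_for_colocated_dlls(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.installer}: DLLs beside installer {f.dlls} (writable={f.dir_writable})")
```

Run it against a real download or temp directory instead of `demo()` to list every installer that has DLLs beside it; any such DLL that the installer's vendor did not ship is worth examining before the installer is run again.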

For more detailed information on this vulnerability, you can refer to the original references here:

1. CVE-2022-31694 - Original Report
2. InstallBuilder Qt - Updates and Downloads
3. Microsoft - DLL Search Order Hijacking

Conclusion

CVE-2022-31694 serves as a reminder to developers to ensure they are using updated software and libraries in their projects. It is essential for users and developers alike to stay vigilant, update their software regularly, and follow best security practices to avoid falling victim to such exploits.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/22/2022 20:31:00 UTC