# Software Engineering Institute

## Qt allows for privilege escalation due to hard-coding of qt_prfxpath value

#### Vulnerability Note VU#411271

Original Release Date: 2022-04-28 | Last Revised: 2022-04-29

### Overview

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.

### Description

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to the path where Qt was installed on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:\Qt\, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation, because Windows by default allows unprivileged users to create subdirectories off of the root C:\ drive location.

In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath value from Qt5Core.dll. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.

### Impact

By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.

### Solution

#### Apply an update

This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath value in Qt5Core.dll.

#### Run windeployqt to prepare Windows Qt software for deployment

The windeployqt utility will replace the qt_prfxpath value in the Qt core DLL with the value of `.`, which helps prevent this path from being used to achieve privilege escalation.
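One way to verify that a shipped Qt5Core.dll was processed as described, as an added example that is not part of the original note or of Qt's tooling: the script reports the embedded qt_prfxpath value and flags absolute paths. It assumes the value is stored as the ASCII marker `qt_prfxpath=` followed by a NUL-terminated path; the sample byte strings and the script name in the usage comment are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the value is stored as the ASCII marker "qt_prfxpath="
# followed by a NUL-terminated path.
MARKER = re.compile(rb"qt_prfxpath=([^\x00]*)\x00")
# Drive-letter, UNC or rooted paths are absolute.
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")

# Constructed sample inputs (not taken from any real DLL).
SAMPLE_HARDCODED = b"MZ\x90\x00" + b"qt_prfxpath=C:/Qt/example-build" + b"\x00" * 16
SAMPLE_STRIPPED = b"MZ\x90\x00" + b"qt_prfxpath=." + b"\x00" * 16


def classify(prefix: str) -> str:
    """Map an embedded prefix to a verdict."""
    if prefix == ".":
        return "stripped"      # the value windeployqt writes
    if ABSOLUTE.match(prefix):
        return "hard-coded"    # build-machine path still embedded
    return "review"            # empty or other relative value


def audit(data: bytes) -> list[tuple[str, str]]:
    """Return (prefix, verdict) for every qt_prfxpath marker in the bytes."""
    found = []
    for m in MARKER.finditer(data):
        prefix = m.group(1).decode("latin-1")
        found.append((prefix, classify(prefix)))
    return found


if __name__ == "__main__":
    # Usage: python check_prfxpath.py path\to\Qt5Core.dll [...]
    for name in sys.argv[1:]:
        results = audit(Path(name).read_bytes())
        if not results:
            print(f"{name}: no qt_prfxpath marker found")
        for prefix, verdict in results:
            print(f"{name}: qt_prfxpath={prefix!r} -> {verdict}")
```

A "hard-coded" verdict on a pre-5.14 DLL means the package should be rebuilt with windeployqt or updated.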

### Acknowledgements

This document was written by Will Dormann.

### MiniTool Affected

Updated: 2022-04-28

CVE-2022-26873 Affected

#### Vendor Statement

We have not received a statement from the vendor.

MiniTool ShadowMaker versions 1.0 and 3.0 beta are vulnerable. ShadowMaker version 3.6 properly strips out the qt_prfxpath variable, so it is not vulnerable.

### Qt Affected

Updated: 2022-04-28

CVE-2022-26873 Affected

#### Vendor Statement

We have not received a statement from the vendor.

Qt version 5.14 and later do not have a hard-coded path stored as qt_prfxpath. Qt versions prior to 5.14 require windeployqt to replace any hard-coded path in Qt5Core.dll with `.`, or the software that uses Qt may be vulnerable to privilege escalation on Windows.

### Tychon Affected

Notified: 2022-03-23 | Updated: 2022-04-28

Statement Date: April 27, 2022

CVE-2022-26873 Affected

#### Vendor Statement

CVE-2022-26873 has been resolved with a binary patch to the QT library TYCHON uses. The TYCHON Endpoint version 1.7.857.82 contains the fix to this vulnerability.

### Other Information

CVE IDs: CVE-2022-26873 | Date Public: 2010-10-10 | Date First Published: 2022-04-28 | Date Last Updated: 2022-04-29 16:35 UTC | Document Revision: 4