CDACesec/CVE-2022-31901

CVE-2022-31901

  • Denial of Service (DoS) in Notepad++ (x86) 8.4.3 and earlier.

Description

  • The vulnerability is triggered by opening two specially crafted text files (e.g. first.txt and second.txt) in Notepad++.

The example below uses Notepad++ (x86) 8.4.3, the latest version as of 11/07/2022.

[Image: Notepad]

Proof of Concept

  • Open the two example input files, first.txt and second.txt, in Notepad++ in any order.

Result

[Image: NotepadCrash]

Visual Studio 2019 Dump Analysis

[Image: NotepadCrash]

The dump shows the problem parsing these files at ScintallComponent -> Editor.h -> line 690.

Root Cause Analysis

  • When Notepad++ opens a file, it calls the function notepad_plus::addHotSpot, which allocates heap memory with the new operator and stores the returned pointer in the wideText variable: TCHAR *wideText = new TCHAR[endPos - startPos + 1];. Because this requests a very large allocation, new throws bad_alloc, which Notepad++ does not handle, and the result is a DoS.

  • Opening the two example files with Notepad++ (x86) <= 8.4.3 therefore leads to a Denial of Service.
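
The unchecked allocation from the root cause analysis next to a bounds-checked version, as an added example that is not Notepad++ code or code from this repository. It uses wchar_t in place of TCHAR so it builds outside Windows; kMaxSpanChars, SpanResult and both function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <new>

// Assumed upper bound for one span, in characters; not a Notepad++ constant.
constexpr std::intptr_t kMaxSpanChars = 1 << 16;

enum class SpanResult { Ok, BadRange, TooLarge, OutOfMemory };

// Pattern from the root cause analysis: the element count is taken straight
// from two positions, and a failed allocation throws std::bad_alloc uncaught.
wchar_t* allocSpanUnchecked(std::intptr_t startPos, std::intptr_t endPos) {
    return new wchar_t[endPos - startPos + 1];
}

// Hardened form: validate the range, bound the size, and report allocation
// failure to the caller instead of letting an exception end the process.
SpanResult allocSpanChecked(std::intptr_t startPos, std::intptr_t endPos,
                            std::unique_ptr<wchar_t[]>& out) {
    out.reset();
    if (startPos < 0 || endPos < startPos) return SpanResult::BadRange;
    const std::intptr_t len = endPos - startPos;
    if (len > kMaxSpanChars) return SpanResult::TooLarge;
    const std::size_t n = static_cast<std::size_t>(len) + 1;  // +1 for NUL
    out.reset(new (std::nothrow) wchar_t[n]());  // zero-filled, nullptr on failure
    return out ? SpanResult::Ok : SpanResult::OutOfMemory;
}

int main() {
    // Constructed positions: a normal span, an inverted one, an oversized one.
    const std::intptr_t cases[][2] = {{0, 12}, {10, 5}, {0, INTPTR_MAX - 1}};
    for (const auto& c : cases) {
        std::unique_ptr<wchar_t[]> buf;
        const SpanResult r = allocSpanChecked(c[0], c[1], buf);
        std::printf("start=%lld end=%lld -> result %d\n",
                    static_cast<long long>(c[0]), static_cast<long long>(c[1]),
                    static_cast<int>(r));
    }
    return 0;
}
```

A caller that gets anything other than SpanResult::Ok can skip that span and keep the editor running.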

Tested Versions

The vulnerability was tested and confirmed on the following versions:

  • Notepad++ 8.3.2 32-bit
  • Notepad++ 8.3.3 32-bit
  • Notepad++ 8.4.0 32-bit
  • Notepad++ 8.4.1 32-bit
  • Notepad++ 8.4.2 32-bit
  • Notepad++ 8.4.3 32-bit

Tested Environment

  • Windows 11 - 22563.1000 64-bit
  • Windows 10 - 10.0.19042.1586 64-bit
  • Windows 10 - 10.0.19044.1706 64-bit

Update

  • As of 05-01-2023, this issue persists in Notepad++ 8.4.8 (32-bit) and earlier.
  • As of 01-02-2023, this issue persists in Notepad++ 8.4.9 (32-bit) and earlier.
