New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DLL hijacking in Notepad++ version 8.5.4 #13964
Comments
Examples using Program Files is a bit silly (IMHO) since only admins can write there anyway. Your steps to reproduce should start with In Process Monitor, if you double-click one of the entries and look at the call stack, I would bet that it is not Notepad++ that is loading these directly but rather some other Microsoft code and you should be reporting the issue to them. iertutil just contains undocumented functions used by the shell. Calling SetDefaultDllDirectories early in WinMain might prevent some of these but can also cause issues with 3rd-party shell extensions in the open/save dialog if they rely on %path% and use relative paths in the registry... |
Hello, There was a similar case: #12113 - this was categorized as a security issue and a CVE was issued for it: https://nvd.nist.gov/vuln/detail/CVE-2022-32168 About this "I would bet that it is not Notepad++ that is loading these directly but rather some other Microsoft code and you should be reporting the issue to them", you are partially right. But my kind question is why the reverse shell comes from notepad++.exe process? This indicates that the notepad++.exe is loading and executing some untrusted/unsigned DLLs that could be planted by malicious actors. If you want to find more about this technique please see this: https://www.crowdstrike.com/blog/dll-side-loading-how-to-combat-threat-actor-evasion-techniques/ This issue with DLL hijacking is based on the DLL search order which is as follows:
When notepad++.exe runs it is looking first for those 3 DLLs into C:\Program Files\Notepad++. Since they are not there and an attacker can place them, they will be executed prior to the legitimate DLLs located in C:\Windows\System32. Reproduce the issue without admin rights
CWE ListCWE-427: Uncontrolled Search Path Element Recommendations:
Impact:Unauthorized Code Execution: By replacing a legitimate DLL with a malicious one, an attacker can execute arbitrary code within the context of the vulnerable application. This could lead to a variety of attacks, such as remote code execution or even full system compromise. Application Manipulation: DLL hijacking can allow an attacker to modify the behavior of the targeted application, potentially causing erratic behavior, crashes, or other unexpected outcomes. Bypassing Security Measures: If the vulnerable application relies on the legitimate DLL to implement security features, a malicious replacement could bypass or disable these security measures. Persistence: If the DLL hijacking attack is successful, it can provide a persistent foothold on the system, allowing the attacker to maintain access even after system reboots or software updates. Difficulty in Detection: DLL hijacking can be challenging to detect because the compromised DLL often looks like a legitimate file, and the malicious code might remain dormant until triggered. |
Because Windows does not keep track of which dll that created the socket. A common example of this is, let's say Notepad++ calls shell32::Foo and Microsoft implemented Foo as void Foo() {
if (something()) Bar();
} Bar is implemented in iertutil and the linker settings has set iertutil to be delay loaded. If Foo is called, iertutil will be loaded by the delay load hook without a full path to system32 and you get the issue seen here. Having Notepad++ manually load iertutil with a full path before calling Foo will fix the issue but it is a game of whack-a-mole that makes assumptions about internal Microsoft code. I don't expect you to actually report this to Microsoft because just knowing where to report it is hard and they are just going to ignore you anyway. This issue has been around for 20 years, they don't care. |
@sredna - Thank you for clarifying this! Let's wait for @donho to advise on this. As I mentioned, a similar issue with (UxTheme.dll) was identified here: #12113 - this was categorized as a security issue and a CVE was issued for it: https://nvd.nist.gov/vuln/detail/CVE-2022-32168 Thank you! |
While the end result might be the same, the cause is different. Notepad++ actively uses functions in UxTheme, it never knowingly uses iertutil nor TextShaping! Microsoft could easily fix this for all Windows dlls by using a custom delay load helper:
All Microsoft would have to do is to use a custom In the end, Notepad++ will probably have to work around this by calling |
UxTheme.dll & the dll in issue #12113 are loaded directly by Notepad++, so it's the responsibility of Notepad++ to make them be loaded securely. Whereas the 3 dll pointed out in this issue (and I believe there are many more) are loaded by the system (ie. not directly by Notepad++). Furthermore, via Notepad++ installer, the default installation directory is As a result, it's not the security issue in Notepad++ to me. |
Notepad++ versions 8.5.4 and earlier are vulnerable to DLL hijacking, which allows attackers to execute arbitrary code by placing any of the following DLLs in the same directory as notepad++.exe:
Steps to Reproduce the Issue
Expected Behavior
notepad++.exe application should not look during runtime for inexistent DLLs.
Actual Behavior
notepad++.exe application is loading and executing the malicious provided DLLs leading to arbitrary code execution.
Note: All of the NOT FOUND DLLs were tested but the other did not worked due to the entry points generating errors during runtime.
The text was updated successfully, but these errors were encountered: