Notepad++: Stack overflow in XML Parsing

2019-01-16T11:03:23
ID H1:480883
Type hackerone
Reporter ammm
Modified 2019-08-25T12:50:13

Description

Summary:

A stack buffer overflow vulnerability has been detected in the XML parsing functionality of Notepad++.

It is caused by the _invisibleEditView.getText function not checking the boundaries of the destination buffer.

Description:

  • Vulnerable source file: notepad-plus-plus/PowerEditor/src/Notepad_plus.cpp
  • Vulnerable line: 1008
  • Variable affected: char encodingStr[128];
  • Function that overflows the buffer: _invisibleEditView.getText
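The defect pattern the report describes, a getText-style call writing a caller-chosen range into a fixed 128-byte stack buffer with no idea of that buffer's size, beside the bounded form that fixes it. This is an added example written for this page, not Notepad++ source: EditorView, getTextUnbounded, getTextBounded, wouldOverflow, findEncodingRange and readEncoding are hypothetical names, and the XML prolog scanner and sample documents are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for an editor view (not Notepad++'s real API): the
// document text plus a getText-style call that copies [start, end) into a
// caller-supplied buffer.
struct EditorView {
    std::string doc;

    // The shape of the defect in the report: the callee never learns how big
    // `dest` is, so a range longer than the 128-byte stack buffer writes past
    // its end. Kept only to show the contract; the safe path never calls it.
    void getTextUnbounded(char *dest, size_t start, size_t end) const {
        size_t n = end - start;
        std::memcpy(dest, doc.data() + start, n);   // no check against dest size
        dest[n] = '\0';
    }

    // Hardened form: destination capacity is part of the call, the copy is
    // clamped to destSize - 1 and the result is always NUL-terminated.
    // Returns the number of bytes copied (excluding the terminator).
    size_t getTextBounded(char *dest, size_t destSize, size_t start, size_t end) const {
        if (destSize == 0) return 0;
        if (start > doc.size()) start = doc.size();
        if (end > doc.size()) end = doc.size();
        size_t n = (end > start) ? end - start : 0;
        if (n > destSize - 1) n = destSize - 1;     // truncate instead of overflow
        std::memcpy(dest, doc.data() + start, n);
        dest[n] = '\0';
        return n;
    }
};

// The precondition getTextUnbounded silently relies on: the range plus its
// NUL terminator must fit in `capacity` bytes.
bool wouldOverflow(size_t start, size_t end, size_t capacity) {
    if (end < start) return false;
    return (end - start) + 1 > capacity;
}

// Locate the value of encoding="..." in the XML declaration (simple scanner,
// constructed here). Returns false if the attribute is absent or unterminated.
bool findEncodingRange(const std::string &doc, size_t &start, size_t &end) {
    const std::string key = "encoding=\"";
    std::string::size_type p = doc.find(key);
    if (p == std::string::npos) return false;
    start = p + key.size();
    std::string::size_type q = doc.find('"', start);
    if (q == std::string::npos) return false;
    end = q;
    return true;
}

// Read the encoding into a 128-byte stack buffer, as in the report, but through
// the bounded call so an oversized attribute is truncated rather than overflowing.
std::string readEncoding(const std::string &doc) {
    char encodingStr[128];
    size_t start = 0, end = 0;
    if (!findEncodingRange(doc, start, end)) return std::string();
    EditorView view{doc};
    view.getTextBounded(encodingStr, sizeof encodingStr, start, end);
    return std::string(encodingStr);
}
```

The check in `wouldOverflow` is exactly what the unbounded call assumes and never verifies; once the buffer size travels with the call, an attribute of any length degrades to truncation (and, in a real fix, to a rejected or defaulted encoding) instead of a stack write past `encodingStr`.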

Steps To Reproduce:

  1. Create a .xml file with a correct XML format
  2. Introduce a large XML field that overflows the "encodingStr" buffer.
  3. Open the file with Notepad++; the application should crash.

Supporting Material/References:

  • BoF_example1.xml -> Exploit example

Impact

An attacker could create a malicious .xml file that triggers a stack buffer overflow on the victim's machine.

You only need to open the attached .xml example file with Notepad++ to reproduce the exploit.