Reporter Himanshu Mehta
*npp.6.9.2.Installer.exe* loads and executes dwmapi.dll from its
For software downloaded with a web browser the applicationdirectory is
typically the user's "Downloads" directory: see <
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about
this well-known and well-documented vulnerability.
If an attacker places one of the above named DLL in the user's "Downloads"
directory (for example per "drive-by download" or "social engineering")
this vulnerability becomes a remote code execution.
Notepad++ contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system. This vulnerability exists due to some DLL file is loaded by
‘npp.6.9.2.Installer.exe’ improperly. And it allows an attacker to load
this DLL file of the attacker’s choosing that could execute arbitrary code
without the user's knowledge.
Attacker can exploit the vulnerability to load a DLL file of the attacker's
choosing that could execute arbitrary code. This may help attacker to
Successful exploits the system if user creates shell as a DLL.
Vulnerability Scoring Details
The vulnerability classification has been performed by using the CVSSv2
scoring system (http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Proof of concept/demonstration:
1. Create malicious dll file and save it as dwmapi.dll in your "Downloads"
2. Download npp.6.9.2.Installer.exe from
and save it in your "Downloads" directory.
3. Execute npp.6.9.2.Installer.exe from your "Downloads" directory.
4. Malicious dll file gets executed.