Notepad++ 6.9.2 DLL Hijacking

2016-07-08T00:00:00
ID PACKETSTORM:137817
Type packetstorm
Reporter Himanshu Mehta
Modified 2016-07-08T00:00:00

Description

                                        
                                            `Aloha,  
  
*npp.6.9.2.Installer.exe* loads and executes dwmapi.dll from its  
"application directory".  
  
For software downloaded with a web browser the applicationdirectory is  
typically the user's "Downloads" directory: see <  
https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html  
>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html  
>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about  
this well-known and well-documented vulnerability.  
  
  
If an attacker places one of the above named DLL in the user's "Downloads"  
directory (for example per "drive-by download" or "social engineering")  
this vulnerability becomes a remote code execution.  
  
Notepad++ contains a DLL hijacking vulnerability that could allow an  
unauthenticated, remote attacker to execute arbitrary code on the targeted  
system. This vulnerability exists due to some DLL file is loaded by  
‘npp.6.9.2.Installer.exe’ improperly. And it allows an attacker to load  
this DLL file of the attacker’s choosing that could execute arbitrary code  
without the user's knowledge.  
  
Affected Product:  
  
Notepad++ 6.9.2  
Download Link:  
https://notepad-plus-plus.org/news/notepad-6.9.2-released.html  
  
Impact  
  
Attacker can exploit the vulnerability to load a DLL file of the attacker's  
choosing that could execute arbitrary code. This may help attacker to  
Successful exploits the system if user creates shell as a DLL.  
  
Vulnerability Scoring Details  
  
The vulnerability classification has been performed by using the CVSSv2  
scoring system (http://www.first.org/cvss/).  
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Create malicious dll file and save it as dwmapi.dll in your "Downloads"  
directory.  
  
2. Download npp.6.9.2.Installer.exe from  
https://notepad-plus-plus.org/download/v6.9.2.html  
and save it in your "Downloads" directory.  
  
3. Execute npp.6.9.2.Installer.exe from your "Downloads" directory.  
  
4. Malicious dll file gets executed.  
  
Chao!!  
  
Himanshu Mehta  
`