Mend Vulnerability Database
Date: September 20, 2022
Overview
Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking.
Details
Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking, where an attacker can replace the vulnerable DLL (UxTheme.dll) with their own DLL and run arbitrary code in the context of Notepad++. This technique allows the attacker to evade EDR and AV.
The attacker can replace the mentioned DLL because the application runs from the “c:\program files\” path, to which regular users have write/edit permissions.
PoC Details
1. Compile the attached source code DLL file.
2. Rename the compiled DLL file to ‘UxTheme.dll’ and copy both ‘notepad++.exe’ and ‘UxTheme.dll’ files to a new folder.
3. Run ‘notepad++.exe’ and watch the message box.
Affected Environments
Notepad++ versions v8.3 through v8.4.4
Prevention
Upgrade to Notepad++ version v8.4.5
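A defender-side check for the condition the PoC sets up, added here as an example and not part of the advisory: the PowerShell below finds copies of notepad++.exe, reports the product version, whether a UxTheme.dll sits in the same folder, that DLL's signature status, and whether standard users can create files there. The search roots, the function name Test-UserWritable, and the assumption that a genuine UxTheme.dll lives only under the Windows system directory are assumptions of this example.

```powershell
# Added example, not from the advisory. Assumption: a genuine UxTheme.dll
# lives only under the Windows system directory, never beside notepad++.exe.
param(
    [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$sidType     = [System.Security.Principal.SecurityIdentifier]

# True when an Allow ACE that applies to the folder itself lets a
# low-privilege identity create files in it (enough to drop a DLL there).
function Test-UserWritable([string]$Directory) {
    $rules = (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $appliesHere = $rule.PropagationFlags -notmatch 'InheritOnly'
        $grantsWrite = ([int]$rule.FileSystemRights -band $createFiles) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $appliesHere -and $grantsWrite -and
            $lowPrivSids -contains $rule.IdentityReference.Value) {
            return $true
        }
    }
    return $false
}

$SearchRoots |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Recurse -File -Filter 'notepad++.exe' -ErrorAction SilentlyContinue
    } |
    ForEach-Object {
        $dir     = $_.DirectoryName
        $dll     = Join-Path $dir 'UxTheme.dll'
        $hasDll  = Test-Path -LiteralPath $dll
        [pscustomobject]@{
            Executable     = $_.FullName
            ProductVersion = $_.VersionInfo.ProductVersion   # advisory: fixed in v8.4.5
            LocalUxTheme   = $hasDll
            DllSignature   = if ($hasDll) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { $null }
            UserWritable   = Test-UserWritable $dir
        }
    }
```

A row with LocalUxTheme set to True warrants review whatever the version; UserWritable set to True is the precondition the Details section relies on.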
Good to know:
|Attack Vector (AV):|Local|
|Attack Complexity (AC):|Low|
|Privileges Required (PR):|High|
|User Interaction (UI):|Required|