icon

We found results for “

CVE-2022-32168

Date: September 20, 2022

Overview

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking.

Details

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. This technique will allow the attacker to evade EDR and AV.
The attacker can replace the mentioned dll as the application runs from “c:\\program files\\” path which regular users have write/edit permissions.

PoC Details

1. Compile the attached source code DLL file.
2. Rename the compiled DLL file to ‘UxTheme.dll’ and copy both ‘notepad++.exe’ and ‘UxTheme.dll’ files to a new folder.
3. Run ‘notepad++.exe’ and watch the messagebox.

Affected Environments

Notepad++ versions v8.3 through v8.4.4

Prevention

Upgrade to Notepad++ version v8.4.5

Language: C++

Good to know:

icon
icon

Uncontrolled Search Path Element

CWE-427
icon

Upgrade Version

Upgrade to version v8.4.5

Learn More

Base Score:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High