Notepad++ DLL Hijacking Vulnerability Let Attackers Execute Malicious Code

Comments

• ChairmanMeow@programming.dev ⁨4⁩ ⁨weeks⁩ ago

  One of the NPP maintainers responded with:

  Notepad++ & its plugins are installed in “Program Files” directory by default, which means hackers would need admin privileges to replace any plugin. If a hacker gains such privileges, they could also replace all the DLLs in the system32 folder. By the same logic, once Notepad++ is compromised in this way, any applications or executable binary (*.exe & *.dll) on the system could potentially be replaced. Or am I missing somethings?

  Which I suppose is true. You could argue it is a way to persist malicious code once you do have access, but it seems unlikely and not that useful. Low severity if anything.

  You’d need to have some general attack script that can adjust (or create proxies for) dlls maliciously on the fly, without prior knowledge of which dlls are encountered. Only in that case could the exe maybe detect malicious changes to the dll and stop execution. But a targeted attack using a compromised NPP distribution wouldn’t be covered with such a check.

  source
• davidagain@lemmy.world ⁨4⁩ ⁨weeks⁩ ago

  At first I thought “oh, I wonder if my favourite text editor is affected by a similar bug, and I wonder what actions make it vulnerable.”.

  Well, of turns out that the action that makes it vulnerable is installing separate malware with admin privileges. I will do my best to avert that danger, but I wouldn’t class “third party malware with admin privileges can replace part of this program with its own code” as a serious vulnerability in this software specifically.

  source