Community
    • Login

    DLL Hack in Notepad++

    Scheduled Pinned Locked Moved General Discussion
    44 Posts 13 Posters 57.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Claudia FrankC
      Claudia Frank @Joshua Hartwell
      last edited by

      @Joshua-Hartwell

      How would you, if you were the npp developer, try to avoid such a hack?
      Keep in mind - npp being open source.

      Cheers
      Claudia

      1 Reply Last reply Reply Quote 2
      • Joshua HartwellJ
        Joshua Hartwell
        last edited by

        Hi Claudia:

        I’m not sure if I understand the intention of your post. Are you inviting me to get involved in the development, are you admonishing me for sharing the link without proposing a solution, or are you suggesting that the bug cannot be fixed easily?

        Claudia FrankC 1 Reply Last reply Reply Quote 0
        • Claudia FrankC
          Claudia Frank @Joshua Hartwell
          last edited by

          @Joshua-Hartwell

          neither nor.
          My first thought was to reply that this kind of issue isn’t solvable (from y point of view)
          but then I thought maybe you have an idea how such issue can be addressed and I can learn from it ;-)

          Cheers
          Claudia

          1 Reply Last reply Reply Quote 0
          • Joshua HartwellJ
            Joshua Hartwell
            last edited by

            :-)

            I don’t understand the exploit at all. I saw that one of my favorite programs was listed as exploitable, and rather than trying to (poorly) suss out how it works, I figured it would be better to send up a notification.

            Reading it more closely, are they saying that the hack is to replace sciLexer.dll with a compromised .dll? If so, I can see how that would be difficult to address.

            Claudia FrankC 1 Reply Last reply Reply Quote 0
            • dailD
              dail
              last edited by

              are they saying that the hack is to replace sciLexer.dll with a compromised .dll? If so, I can see how that would be difficult to address.

              This is my understanding as well…but I may be wrong. If this is the case then there isn’t anything specific to SciLexer.dll. In theory you could say any DLL is hijack-able if you replace it with something malicious.

              GitHub issue: https://github.com/notepad-plus-plus/notepad-plus-plus/issues/3002

              1 Reply Last reply Reply Quote 1
              • Claudia FrankC
                Claudia Frank @Joshua Hartwell
                last edited by

                @Joshua-Hartwell

                Yep, that’s what I understand too. :-)

                But to be honest if I would be CIA or NSA I would go a different way.
                Why not just copying a dll into the plugin directory?
                The dll itself has to he code to hide its existence within the program.

                Cheers
                Claudia

                1 Reply Last reply Reply Quote 0
                • donhoD
                  donho
                  last edited by donho

                  SciLexer.dll in Notepad++ distribution is signed.
                  Could it be a stable way to avoid Hack if Notepad++ checks the signature of SciLexer.dll before loading it?
                  Please let me know your thought.

                  Claudia FrankC 1 Reply Last reply Reply Quote 0
                  • Claudia FrankC
                    Claudia Frank @donho
                    last edited by

                    @donho

                    Yes, as long as we can be sure that hacker hasn’t modified npp exe itself, meaning on client pc.
                    I assume from your point of view that is what you can do, provide a secure download with signed dlls.
                    But when the hacking code is already on the client pc than there is nothing you can do to prevent it
                    from replacing your exes or dlls as long as it finds a way to gather required privileges.

                    If you are concerned about possible hacks, I would think that creating a snooping plugin dll could be more harmful.
                    Because, from what I understand, there is nothing implemented which would avoid loading a dll which resides
                    within plugin directory, correct?

                    Cheers
                    Claudia

                    1 Reply Last reply Reply Quote 0
                    • dailD
                      dail
                      last edited by

                      I agree with Claudia. Being signed makes sure the user gets the correct download, but if SciLexer could be replaced/modified then it is safe to assume notepad++ is just as easily compromised.

                      1 Reply Last reply Reply Quote 0
                      • Joshua HartwellJ
                        Joshua Hartwell
                        last edited by

                        So this “exploit” seems to be saying “if you have the ability to modify notepad++'s libraries and/or executable, here is a good place to plug in your malicious code?”

                        If so, then it doesn’t seem like much of an exploit to me.

                        1 Reply Last reply Reply Quote 0
                        • botman99B
                          botman99
                          last edited by

                          I agree. It seems it would be much easier to get someone to download a malicious plugin DLL and install that than to try to replace SciLexer.dll with a malicious version.

                          1 Reply Last reply Reply Quote 0
                          • donhoD
                            donho
                            last edited by donho

                            @Claudia-Frank said:

                            Yes, as long as we can be sure that hacker hasn’t modified npp exe itself, meaning on client pc.
                            I assume from your point of view that is what you can do, provide a secure download with signed dlls.
                            But when the hacking code is already on the client pc than there is nothing you can do to prevent it
                            from replacing your exes or dlls as long as it finds a way to gather required privileges.

                            Indeed. But in the case you’ve described, not only notepad++.exe, but any binary can be replaced - it is out of the scope of the description in Wikileaks page:
                            https://wikileaks.org/ciav7p1/cms/page_26968090.html

                            So in order to remedy the problem described in the link above, checking scilexer.dll before loading is a solution for me. Don’t you agree?

                            Regarding plugin issue, I’ll think about it.

                            Claudia FrankC dailD 2 Replies Last reply Reply Quote 1
                            • Claudia FrankC
                              Claudia Frank @donho
                              last edited by

                              @donho

                              Absolutely, sorry if I have confused you.
                              That’s exactly what I meant, the only thing you could do is
                              to have a secure download with the signed dlls.

                              Regarding the plugins, this could be difficult if we consider that
                              npp is also used with plugins developed but not used by public.

                              At my last job I was asked for writing one for their own purpose.
                              So I assume other do this as well.

                              Cheers
                              Claudia

                              1 Reply Last reply Reply Quote 0
                              • donhoD
                                donho
                                last edited by donho

                                @Claudia-Frank said:

                                That’s exactly what I meant, the only thing you could do is
                                to have a secure download with the signed dlls.

                                Just want to be more clear:

                                1. DONE: to have a secure download (https)
                                2. DONE: with the signed dlls
                                3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate checking failed, then Notepad++ won’t be launched.

                                #3 is address to the problem mentioned in the Wikileaks.

                                Claudia FrankC 1 Reply Last reply Reply Quote 0
                                • dailD
                                  dail @donho
                                  last edited by

                                  @donho said:

                                  checking scilexer.dll before loading is a solution for me. Don’t you agree?

                                  I don’t see this as a solution because notepad++.exe could just as easily be replaced and/or modified.

                                  Claudia FrankC 1 Reply Last reply Reply Quote 0
                                  • donhoD
                                    donho
                                    last edited by

                                    @dail said:

                                    I don’t see this as a solution because notepad++.exe could just as easily be replaced and/or modified.

                                    True.
                                    But I’m addressing to the problem mentioned in the Wikileaks.

                                    1 Reply Last reply Reply Quote 0
                                    • Claudia FrankC
                                      Claudia Frank @dail
                                      last edited by

                                      @dail

                                      but at that point, it isn’t in the responsibility of Don anymore, is it?

                                      Cheers
                                      Claudia

                                      dailD 1 Reply Last reply Reply Quote 2
                                      • donhoD
                                        donho
                                        last edited by

                                        @Claudia-Frank said:

                                        but at that point, it isn’t in the responsibility of Don anymore, is it?

                                        Good point :)

                                        1 Reply Last reply Reply Quote 0
                                        • Claudia FrankC
                                          Claudia Frank @donho
                                          last edited by

                                          @donho said:

                                          @Claudia-Frank said:

                                          That’s exactly what I meant, the only thing you could do is
                                          to have a secure download with the signed dlls.

                                          Just want to be more clear:

                                          1. DONE: to have a secure download (https)
                                          2. DONE: with the signed dlls
                                          3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate checking failed, then Notepad++ won’t be launched.

                                          #3 is address to the problem mentioned in the Wikileaks.

                                          Yes, from my point of view that’s the solution for this particular issue.

                                          Cheers
                                          Claudia

                                          1 Reply Last reply Reply Quote 1
                                          • dailD
                                            dail @Claudia Frank
                                            last edited by

                                            @Claudia-Frank

                                            but at that point, it isn’t in the responsibility of Don anymore, is it?

                                            Being signed ensures the right files get installed on the system. After that it is impossible for an exe to validate other files if it can’t validate itself first.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            The Community of users of the Notepad++ text editor.
                                            Powered by NodeBB | Contributors