DLL Hack in Notepad++

General Discussion
44 posts, 13 posters, 59.4k views
Claudia Frank @donho

@donho

Yes, as long as we can be sure that the hacker hasn't modified the npp exe itself, meaning on the client PC.
I assume from your point of view that is what you can do: provide a secure download with signed DLLs.
But when the hacking code is already on the client PC, then there is nothing you can do to prevent it
from replacing your exes or DLLs as long as it finds a way to gather the required privileges.

If you are concerned about possible hacks, I would think that creating a snooping plugin DLL could be more harmful.
Because, from what I understand, there is nothing implemented which would avoid loading a DLL which resides
within the plugin directory, correct?

Cheers
Claudia
dail

I agree with Claudia. Being signed makes sure the user gets the correct download, but if SciLexer could be replaced/modified then it is safe to assume Notepad++ is just as easily compromised.
Joshua Hartwell

So this "exploit" seems to be saying "if you have the ability to modify Notepad++'s libraries and/or executable, here is a good place to plug in your malicious code"?

If so, then it doesn't seem like much of an exploit to me.
botman99

I agree. It seems it would be much easier to get someone to download a malicious plugin DLL and install that than to try to replace SciLexer.dll with a malicious version.
donho

@Claudia-Frank said:

Yes, as long as we can be sure that the hacker hasn't modified the npp exe itself, meaning on the client PC.
I assume from your point of view that is what you can do: provide a secure download with signed DLLs.
But when the hacking code is already on the client PC, then there is nothing you can do to prevent it
from replacing your exes or DLLs as long as it finds a way to gather the required privileges.

Indeed. But in the case you've described, not only notepad++.exe but any binary can be replaced - it is out of the scope of the description on the Wikileaks page:
https://wikileaks.org/ciav7p1/cms/page_26968090.html

So in order to remedy the problem described in the link above, checking scilexer.dll before loading is a solution for me. Don't you agree?

Regarding the plugin issue, I'll think about it.
Claudia Frank @donho

@donho

Absolutely, sorry if I have confused you.
That's exactly what I meant: the only thing you could do is
to have a secure download with the signed DLLs.

Regarding the plugins, this could be difficult if we consider that
npp is also used with plugins developed for, but not used by, the public.

At my last job I was asked to write one for their own purposes.
So I assume others do this as well.

Cheers
Claudia
donho

@Claudia-Frank said:

That's exactly what I meant: the only thing you could do is
to have a secure download with the signed DLLs.

Just want to be more clear:

1. DONE: to have a secure download (https)
2. DONE: with the signed DLLs
3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate check fails, then Notepad++ won't be launched.

#3 addresses the problem mentioned on the Wikileaks page.
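The check donho lists as item 3 can also be run from outside the process, on the files already on disk, by an administrator who wants to know what the editor is about to load. The PowerShell below is an added example, not part of this thread or of the Notepad++ project. It uses Get-AuthenticodeSignature to report the signature status and signer of notepad++.exe and SciLexer.dll, then does the same for every DLL under the plugins directory, which Claudia noted above is loaded without any check. The install path and the expected signer subject pattern are assumptions; take the real subject from a copy of SciLexer.dll obtained from the official (https) download.

```powershell
# Added example (not from the thread or the Notepad++ project).
# Audits the binaries Notepad++ will load: the core exe and lexer, plus every
# DLL under plugins\, reporting Authenticode status and signer for each.
# Assumptions: the install directory and the expected signer subject pattern
# are placeholders; replace them with values taken from a known-good copy.
param(
    [string]$NppDir = 'C:\Program Files\Notepad++',   # assumption: adjust to your install
    [string]$ExpectedSubject = 'CN=Notepad++*'        # assumption: wildcard on the signer's subject
)

function Test-NppBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SubjectPattern
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Subject    = $subject
        Thumbprint = $thumb
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # A signature that chains to a trusted root is not enough: any holder of a
        # code-signing certificate could sign a replacement DLL, so the signer
        # must also be the publisher you expect.
        Trusted    = ($sig.Status -eq 'Valid') -and ($subject -like $SubjectPattern)
    }
}

# The two binaries the thread is about.
$core = @('notepad++.exe', 'SciLexer.dll') | ForEach-Object { Join-Path $NppDir $_ }

# Everything under plugins\, which is loaded without any verification.
$pluginDir = Join-Path $NppDir 'plugins'
$plugins = @()
if (Test-Path -LiteralPath $pluginDir) {
    $plugins = Get-ChildItem -LiteralPath $pluginDir -Filter '*.dll' -Recurse -File |
               Select-Object -ExpandProperty FullName
}

$report = foreach ($file in @($core + $plugins)) {
    if (Test-Path -LiteralPath $file) {
        Test-NppBinary -Path $file -SubjectPattern $ExpectedSubject
    } else {
        Write-Warning "Missing: $file"
    }
}

$report | Format-Table Status, Trusted, Subject, File -AutoSize

# The lexer is the hijack target named in the thread; treat anything other than
# a valid signature from the expected publisher as a reason not to launch.
$lexer = $report | Where-Object { $_.File -like '*\SciLexer.dll' }
if (-not $lexer -or -not $lexer.Trusted) {
    Write-Warning 'SciLexer.dll is missing, unsigned, modified, or signed by an unexpected publisher.'
    exit 1
}

# Unsigned or third-party plugins are not necessarily malicious (the thread
# mentions privately built plugins), but they are the ones to review by hand.
$report | Where-Object { -not $_.Trusted -and $_.File -like "$pluginDir*" } |
    Select-Object File, Status, Subject, SHA256
```

Two caveats that follow from the thread itself. A status of HashMismatch on SciLexer.dll is the exact case item 3 is meant to catch: the signature is present but the bytes no longer match it. And, as dail and donho agree later, this check runs on the same machine as the files it inspects, so it raises the cost of a swap rather than making one impossible; on a box the attacker already controls, both the DLL and the tool checking it can be replaced.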
dail @donho

@donho said:

checking scilexer.dll before loading is a solution for me. Don't you agree?

I don't see this as a solution because notepad++.exe could just as easily be replaced and/or modified.
donho

@dail said:

I don't see this as a solution because notepad++.exe could just as easily be replaced and/or modified.

True.
But I'm addressing the problem mentioned on the Wikileaks page.
Claudia Frank @dail

@dail

But at that point, it isn't Don's responsibility anymore, is it?

Cheers
Claudia
donho

@Claudia-Frank said:

But at that point, it isn't Don's responsibility anymore, is it?

Good point :)
Claudia Frank @donho

@donho said:

@Claudia-Frank said:

That's exactly what I meant: the only thing you could do is
to have a secure download with the signed DLLs.

Just want to be more clear:

1. DONE: to have a secure download (https)
2. DONE: with the signed DLLs
3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate check fails, then Notepad++ won't be launched.

#3 addresses the problem mentioned on the Wikileaks page.

Yes, from my point of view that's the solution for this particular issue.

Cheers
Claudia
dail @Claudia Frank

@Claudia-Frank

But at that point, it isn't Don's responsibility anymore, is it?

Being signed ensures the right files get installed on the system. After that it is impossible for an exe to validate other files if it can't validate itself first.
Claudia Frank

@dail

I don't get this - if the file is signed, can't the npp exe call a function to check Scintilla's signature again?
I mean, when a DLL gets signed it provides a unique stamp, so before loading the library couldn't
you check this stamp?

Cheers
Claudia
dail

can't the npp exe call a function to check Scintilla's signature again?

Yes it can. But if an attacker has access to SciLexer.DLL, why wouldn't they just attack notepad++.exe? There is never a case where notepad++.exe is in a privileged location and loads SciLexer.DLL from a non-privileged location.

I think we need to take a step back because this discussion doesn't sound like it is specific to Notepad++ and Scintilla. There are programs every day that have to load DLLs and have to make sure they are valid.
Claudia Frank @dail

Good point, but isn't the beauty of this hack that there is just one function call which needs to be passed through to get
the same privilege as the main process? If it is running unprivileged, good, but if the user runs it as administrator …

You are right - loading a DLL is a security issue and there is no safe way if MS doesn't provide a way to run a program
in an encapsulated and signed environment. Something like CI+ or the HDMI content protection. But for this special issue,
I don't see how it could be solved otherwise.

Maybe a blog worth reading:
https://blogs.technet.microsoft.com/srd/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability/

And there is one other issue which might be interesting. If the DLL gets verified before load, this breaks npp for all
that use a different Scintilla DLL at the moment. I'm thinking about @cmeriaux for example.

Cheers
Claudia
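dail's argument two posts up rests on where the exe and the DLL live: if the install directory is writable only by administrators, swapping SciLexer.dll already needs the same rights as swapping notepad++.exe. The MS09-014 post Claudia links is about the DLL search order, a related way for a DLL of the right name to get loaded. The PowerShell below is an added example, not from the thread or the Notepad++ project; it checks both conditions on a client: which low-privilege identities hold write or modify rights on the install directory, and whether SafeDllSearchMode is enabled. The install path is an assumption.

```powershell
# Added example (not from the thread or the Notepad++ project).
# Checks the two client-side conditions that make swapping SciLexer.dll
# practical without already owning the machine:
#   1. whether non-administrators can write into the directory the exe loads
#      the DLL from (dail's "privileged location" point), and
#   2. whether SafeDllSearchMode is on, so the current directory is searched
#      after the system directories (the DLL search-order class of issue the
#      MS09-014 post describes).
# Assumption: the install path is a placeholder.
param([string]$NppDir = 'C:\Program Files\Notepad++')   # assumption: adjust to your install

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Identities every interactive user belongs to; extend with your own domain groups.
    $lowPriv = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $lowPriv -and
        # FileSystemRights renders as names such as "Modify, Synchronize"; generic
        # access masks granted as raw integers are not matched here.
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData')
    }
}

function Get-SafeDllSearchMode {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    # When the value is absent the mode is enabled by default.
    if ($null -eq $item) { 1 } else { [int]$item.SafeDllSearchMode }
}

$writers = @(Get-LowPrivWriteAccess -Path $NppDir)
if ($writers.Count -gt 0) {
    Write-Warning "Low-privilege identities can write to $NppDir; a DLL swap needs no elevation:"
    $writers | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "No low-privilege write access to $NppDir; replacing SciLexer.dll requires administrator rights."
}

if ((Get-SafeDllSearchMode) -eq 1) {
    'SafeDllSearchMode is enabled (current directory searched after the system directories).'
} else {
    Write-Warning 'SafeDllSearchMode is disabled; the current directory is searched before the system directories.'
}
```

Note that the application's own directory is searched first in either mode, so for SciLexer.dll itself the directory ACL is the check that matters; SafeDllSearchMode matters for DLLs that Notepad++ or its plugins request by name but do not ship alongside the exe. A per-user install (for example under %LOCALAPPDATA%) will report low-privilege write access by design, which is exactly the case where dail's point applies: the exe and the DLL are equally replaceable.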
Claudia Frank

Jfi - need to get up early - I'm off.

Cheers
Claudia
dail

just one function call which needs to be passed through to get the same privilege as the main process?

That would assume you bypassed the Windows OS and got into the process space of Notepad++, by which point you have other issues ;)

Maybe a blog worth reading…

Will look at it tomorrow when I have a bit more time.

The safest solution would just be to link SciLexer statically instead of loading it dynamically, but I'm not saying this is the right solution.
donho

@dail

The safest solution would just be to link SciLexer statically instead of loading it dynamically, but I'm not saying this is the right solution.

Yes, you're right. It'll be on the roadmap. In the meantime, I will do the quick fix - checking scilexer.dll before loading it.
donho

This headline is misleading. The DLL exists for CIA assets to use the cover app while it's executing other code under the hood. From my reading, it's not meant to be used against the person using Notepad++; it's to let them use Notepad++ without raising any red flags while the DLL does data collection in the background. Those apps listed are the cover apps that look normal; the DLL hijack is to make them malicious with the knowledge of the operator.

ref: https://www.reddit.com/r/sysadmin/comments/5y0iqa/notepad_users_cia_has_had_a_dll_hijack_for_your/

@dail @Claudia-Frank
I agree that once users' PCs are compromised, the certificate checking is meaningless.
However, checking the certificate makes it harder (more work) to hack.
Just like knowing the lock is useless against people who are determined to get into my house, I still shut the door and lock it every morning when I leave home.

We are in a f**king corrupted world! Sigh