    DLL Hack in Notepad++

    General Discussion
    44 posts, 13 posters, 59.4k views
    • Joshua Hartwell

      Apologies if this is the wrong forum to post this. Long-time Notepad++ user. Has anyone been made aware of this issue yet?

      https://wikileaks.org/ciav7p1/cms/page_26968090.html

      "The following DLL hijack works for both the portable and non-portable variants of Notepad++

      Notepad++ loads Scintilla, a “code editing component” (and separate project), from a DLL adjacent to its EXE called “SciLexer.dll”. This DLL exports only one function named “Scintilla_DirectFunction” at ordinal #1

      The DLL does a lot of “set up” in ProcessAttach, so it is important to load the true DLL as soon as the hijack is loaded.

      The exported function has the following prototype definition, according to the open source for Notepad++ online:

      sptr_t __stdcall Scintilla_DirectFunction(ScintillaWin * sci, UINT iMessage, uptr_t wParam, sptr_t lParam)"

      • Claudia Frank @Joshua Hartwell

        @Joshua-Hartwell

        How would you, if you were the npp developer, try to avoid such a hack?
        Keep in mind - npp being open source.

        Cheers
        Claudia

        • Joshua Hartwell

          Hi Claudia:

          I’m not sure if I understand the intention of your post. Are you inviting me to get involved in the development, are you admonishing me for sharing the link without proposing a solution, or are you suggesting that the bug cannot be fixed easily?

          • Claudia Frank @Joshua Hartwell

            @Joshua-Hartwell

            neither nor.
            My first thought was to reply that this kind of issue isn’t solvable (from my point of view)
            but then I thought maybe you have an idea how such an issue can be addressed and I can learn from it ;-)

            Cheers
            Claudia

            • Joshua Hartwell

              :-)

              I don’t understand the exploit at all. I saw that one of my favorite programs was listed as exploitable, and rather than trying to (poorly) suss out how it works, I figured it would be better to send up a notification.

              Reading it more closely, are they saying that the hack is to replace sciLexer.dll with a compromised .dll? If so, I can see how that would be difficult to address.

              • dail

                are they saying that the hack is to replace sciLexer.dll with a compromised .dll? If so, I can see how that would be difficult to address.

                This is my understanding as well…but I may be wrong. If this is the case then there isn’t anything specific to SciLexer.dll. In theory you could say any DLL is hijack-able if you replace it with something malicious.

                GitHub issue: https://github.com/notepad-plus-plus/notepad-plus-plus/issues/3002

                • Claudia Frank @Joshua Hartwell

                  @Joshua-Hartwell

                  Yep, that’s what I understand too. :-)

                  But to be honest, if I were the CIA or NSA I would go a different way.
                  Why not just copy a dll into the plugin directory?
                  The dll itself has the code to hide its existence within the program.

                  Cheers
                  Claudia

                  • donho

                    SciLexer.dll in the Notepad++ distribution is signed.
                    Could it be a stable way to avoid the hack if Notepad++ checks the signature of SciLexer.dll before loading it?
                    Please let me know your thought.

                    • Claudia Frank @donho

                      @donho

                      Yes, as long as we can be sure that the hacker hasn’t modified the npp exe itself, meaning on the client pc.
                      I assume from your point of view that is what you can do: provide a secure download with signed dlls.
                      But when the hacking code is already on the client pc then there is nothing you can do to prevent it
                      from replacing your exes or dlls as long as it finds a way to gather the required privileges.

                      If you are concerned about possible hacks, I would think that creating a snooping plugin dll could be more harmful.
                      Because, from what I understand, there is nothing implemented which would avoid loading a dll which resides
                      within plugin directory, correct?

                      Cheers
                      Claudia

                      • dail

                        I agree with Claudia. Being signed makes sure the user gets the correct download, but if SciLexer could be replaced/modified then it is safe to assume notepad++ is just as easily compromised.

                        • Joshua Hartwell

                          So this “exploit” seems to be saying “if you have the ability to modify notepad++'s libraries and/or executable, here is a good place to plug in your malicious code?”

                          If so, then it doesn’t seem like much of an exploit to me.

                          • botman99

                            I agree. It seems it would be much easier to get someone to download a malicious plugin DLL and install that than to try to replace SciLexer.dll with a malicious version.

                            • donho

                              @Claudia-Frank said:

                              Yes, as long as we can be sure that the hacker hasn’t modified the npp exe itself, meaning on the client pc.
                              I assume from your point of view that is what you can do: provide a secure download with signed dlls.
                              But when the hacking code is already on the client pc then there is nothing you can do to prevent it
                              from replacing your exes or dlls as long as it finds a way to gather the required privileges.

                              Indeed. But in the case you’ve described, not only notepad++.exe but any binary can be replaced; that is out of the scope of the description on the Wikileaks page:
                              https://wikileaks.org/ciav7p1/cms/page_26968090.html

                              So in order to remedy the problem described in the link above, checking scilexer.dll before loading is a solution for me. Don’t you agree?

                              Regarding plugin issue, I’ll think about it.

                              • Claudia Frank @donho

                                @donho

                                Absolutely, sorry if I have confused you.
                                That’s exactly what I meant, the only thing you could do is
                                to have a secure download with the signed dlls.

                                Regarding the plugins, this could be difficult if we consider that
                                npp is also used with plugins developed but not used by the public.

                                At my last job I was asked to write one for their own purposes.
                                So I assume others do this as well.

                                Cheers
                                Claudia

                                • donho

                                  @Claudia-Frank said:

                                  That’s exactly what I meant, the only thing you could do is
                                  to have a secure download with the signed dlls.

                                  Just want to be more clear:

                                  1. DONE: to have a secure download (https)
                                  2. DONE: with the signed dlls
                                  3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate check fails, then Notepad++ won’t be launched.

                                  #3 addresses the problem mentioned on the Wikileaks page.

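The check donho lists as TODO #3 (verify SciLexer.dll's signature before trusting it), done from outside the process as an administrator's audit rather than inside notepad++.exe, and extended to notepad++.exe itself (dail's objection) and to every DLL in the plugins directory (Claudia's concern). This is an added example, not Notepad++ project code; the install path, the `plugins` directory name and the expected signer subject are assumptions to be replaced with values taken from a known-good copy.

```powershell
# Added example, not Notepad++ code: $NppDir and $ExpectedSubject are assumptions.
function Test-NppBinaries {
    param(
        [string]$NppDir = 'C:\Program Files\Notepad++',   # assumed install directory
        [string]$ExpectedSubject = 'CN=Notepad++'         # assumed; read it off a known-good SciLexer.dll
    )

    # The files the hijack description and this thread are concerned with.
    $targets = @(
        (Join-Path $NppDir 'notepad++.exe'),
        (Join-Path $NppDir 'SciLexer.dll')
    )
    $pluginDir = Join-Path $NppDir 'plugins'
    if (Test-Path $pluginDir) {
        $targets += @(Get-ChildItem -Path $pluginDir -Filter '*.dll' -Recurse |
            Select-Object -ExpandProperty FullName)
    }

    foreach ($file in $targets) {
        if (-not (Test-Path $file)) {
            Write-Warning "missing: $file"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        # NotSigned or HashMismatch means the file was replaced or patched on disk.
        # For the core files a Valid status is not enough: the signer must also be the
        # expected one. Plugins are third-party code, so only "signed and intact" is
        # enforced there; review the Signer column by hand.
        $verdict = if ($sig.Status -ne 'Valid') {
            "FAIL ($($sig.Status))"
        } elseif ($file -notlike "$pluginDir*" -and $subject -notlike "*$ExpectedSubject*") {
            'FAIL (unexpected signer)'
        } else {
            'OK'
        }

        [pscustomobject]@{
            File    = $file
            Status  = $sig.Status
            Signer  = $subject
            Verdict = $verdict
        }
    }
}

Test-NppBinaries | Format-Table -AutoSize
```

A `HashMismatch` or `NotSigned` verdict on SciLexer.dll is the case the Wikileaks page describes; an unsigned or unexpectedly signed file under `plugins` is the case Claudia raises, and an in-house plugin will legitimately show up there.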
                                  • dail @donho

                                    @donho said:

                                    checking scilexer.dll before loading is a solution for me. Don’t you agree?

                                    I don’t see this as a solution because notepad++.exe could just as easily be replaced and/or modified.

                                    • donho

                                      @dail said:

                                      I don’t see this as a solution because notepad++.exe could just as easily be replaced and/or modified.

                                      True.
                                      But I’m addressing the problem mentioned on the Wikileaks page.

                                      • Claudia Frank @dail

                                        @dail

                                        but at that point it isn’t Don’s responsibility anymore, is it?

                                        Cheers
                                        Claudia

                                        • donho

                                          @Claudia-Frank said:

                                          but at that point it isn’t Don’s responsibility anymore, is it?

                                          Good point :)

                                          • Claudia Frank @donho

                                            @donho said:

                                            @Claudia-Frank said:

                                            That’s exactly what I meant, the only thing you could do is
                                            to have a secure download with the signed dlls.

                                            Just want to be more clear:

                                            1. DONE: to have a secure download (https)
                                            2. DONE: with the signed dlls
                                            3. TODO: notepad++.exe checks the certificate of scilexer.dll. If the certificate check fails, then Notepad++ won’t be launched.

                                            #3 addresses the problem mentioned on the Wikileaks page.

                                            Yes, from my point of view that’s the solution for this particular issue.

                                            Cheers
                                            Claudia
