Notepad++ acknowledged this DLL hijack vulnerability: https://wikileaks.org/ciav7p1/cms/page_26968090.html I don't get from the description how it works. As a Notepad++ user I am concerned and as a developer myself I am curious too.

There is a general DLL hijack explanation here - What is dll hijacking?. A bit too general.

Does it mean that to effectively exploit this vulnerability the attacker has to first have control over my PC, using a different vector of attack, to plant a malicious version of SciLexer.dll (?) into the DLL search path?

If the attacker already has such power over my PC, why would he bother with Notepad++? Why not go after more core libraries or even system ones?

I also don't get the implications of this remark in the WikiLeaks text: For the life of me, I couldn't get this function [Scintilla_DirectFunction(..)] to be called. If this is the only exported function in that DLL, the only one called by the Notepad++ core, how come it is not called? That would mean also that malicious code would not be called either.

Was a hacked SciLexer.dll ever actually detected, hacked by the CIA or anyone else, or is it only a discovered possibility?

Also, the Notepad++ team, in the release notes of the latest release 7.3.3, claims that they "Fix CIA Hacking Notepad++ issue". Any ideas how they could do it?

Espinosa
  • In my opinion you are correct that an attacker that can hijack that specific DLL already owns the machine. The Notepad++ fix is just a knee-jerk reaction to the publicity with little to no actual security improvement. – Gur Mar 27 '17 at 13:40
  • Here is the note from Notepad++: https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html – Paco Abato Apr 13 '17 at 10:50

1 Answer

A DLL hijacking attack is simple: consider your download directory, which contains many files.

If someone manages to make you download the manipulated SciLexer.dll, it will most likely be downloaded into your download directory. You don't do anything with the file after the download; the file just remains where it has been downloaded.

Later you download a txt file from somewhere on the net, and this file is also placed in the download directory.

If you now open Explorer and double-click the downloaded txt file, the current directory is the download directory. The DLL-hijack-vulnerable Notepad++ version would then search for the SciLexer.dll file to be loaded in the current directory (which is now the download directory). Therefore Notepad++ would load the manipulated SciLexer.dll that you downloaded previously.

Regarding the fix, you can look at the source code changes that fix the bug. It seems like the Notepad++ team changed the way this DLL is loaded and additionally added a certificate check of SciLexer.dll.

Robert
  • Except for the fact that SciLexer.dll is located in the same directory as Notepad++, which is the 1st priority for LoadLibrary, so hijacking it is not that easy. – Gur Mar 27 '17 at 13:37
  • Thanks. I somewhat doubt that the current directory, where documents are read from, was ever in the library search path. That would smell like an error. And as Gur pointed out, the installation directory is the top-priority place to look, and as it is usually there after every (?) installation, it would be near impossible to exploit. Feels that this "leak" is a bit of a storm in a teaspoon. – Espinosa Mar 27 '17 at 17:39
  • Thank you for the link to the sources. It looks like the only change implemented so far is to check the certificate. – Espinosa Mar 27 '17 at 17:42
  • If I got it correctly, the point here is that it is much easier to trick me into downloading a single infected DLL file (no installation, no admin rights necessary, easy to overlook in a directory full of documents) than an infected full Notepad++ (heightened awareness when having to install SW). – Espinosa Mar 27 '17 at 17:49
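The answer and Gur's comment disagree about whether the current directory ever gets a chance to win the search. The model below, an added example that is not part of the question, the answer or the Notepad++ source, walks the Windows LoadLibrary search order for a bare file name and shows when a same-named file in a user-writable directory is consulted before the genuine copy. Two facts it encodes are real Windows behaviour: with SafeDllSearchMode enabled (the default since XP SP2) the current directory is searched after the system directories, and with it disabled the current directory comes straight after the application directory. Everything else is constructed: the paths, the "signer" strings standing in for Authenticode certificates, and the two loader functions that contrast the pre-fix behaviour with the certificate check the answer says 7.3.3 added.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy host model (constructed for this example). Each directory maps the DLL files it
# holds to the signer named in the file's Authenticode certificate (None = unsigned).
@dataclass
class Host:
    app_dir: str                        # directory of the executable being launched
    system_dir: str                     # e.g. C:\Windows\System32
    windows_dir: str                    # e.g. C:\Windows
    cwd: str                            # current directory of the new process
    path_dirs: List[str]                # directories taken from %PATH%
    files: Dict[str, Dict[str, Optional[str]]]
    safe_dll_search_mode: bool = True   # Windows default since XP SP2


def search_order(host: Host) -> List[str]:
    """Directories LoadLibrary consults, in order, for a bare name such as "SciLexer.dll".
    Known DLLs, already-loaded modules and the 16-bit system directory are left out of the model."""
    if host.safe_dll_search_mode:
        return [host.app_dir, host.system_dir, host.windows_dir, host.cwd, *host.path_dirs]
    # Legacy order: the current directory comes straight after the application directory.
    return [host.app_dir, host.cwd, host.system_dir, host.windows_dir, *host.path_dirs]


def resolve(host: Host, dll: str) -> Optional[str]:
    """First directory in search order that holds a file with this name, or None."""
    name = dll.lower()
    for directory in search_order(host):
        if name in host.files.get(directory, {}):
            return directory
    return None


def is_user_writable(directory: str) -> bool:
    """Crude rule for the toy model: anything under a user profile is writable by that user."""
    return directory.lower().startswith("c:\\users\\")


def hijack_positions(host: Host, dll: str, trusted_signer: str) -> List[str]:
    """User-writable directories searched before the legitimately signed copy is reached.
    A same-named file dropped into any of them wins the search. Empty list = no exposure."""
    name = dll.lower()
    positions = []
    for directory in search_order(host):
        if host.files.get(directory, {}).get(name) == trusted_signer:
            break                                   # genuine copy found first: stop here
        if is_user_writable(directory):
            positions.append(directory)
    return positions


def load_legacy(host: Host, dll: str) -> Optional[str]:
    """Pre-fix behaviour: load whatever the search order resolves to."""
    return resolve(host, dll)


def load_with_cert_check(host: Host, dll: str, trusted_signer: str) -> Optional[str]:
    """Post-fix behaviour as the answer describes it: the resolved file is loaded only if its
    certificate matches the expected signer. The string compare stands in for a real
    Authenticode verification (WinVerifyTrust on Windows)."""
    directory = resolve(host, dll)
    if directory is None or host.files[directory][dll.lower()] != trusted_signer:
        return None
    return directory


# Constructed scenario data.
TRUSTED = "Notepad++ release signer (constructed)"
APP = "C:\\Program Files\\Notepad++"
SYSTEM32 = "C:\\Windows\\System32"
DOWNLOADS = "C:\\Users\\alice\\Downloads"


def make_host(legit_dir: Optional[str], safe: bool = True) -> Host:
    """Notepad++ launched by double-clicking a .txt in Downloads, where an unsigned
    SciLexer.dll is also lying around. legit_dir is where the genuine copy lives (None = nowhere)."""
    files: Dict[str, Dict[str, Optional[str]]] = {
        DOWNLOADS: {"scilexer.dll": None},
        SYSTEM32: {"kernel32.dll": "Microsoft (constructed)"},
    }
    if legit_dir is not None:
        files.setdefault(legit_dir, {})["scilexer.dll"] = TRUSTED
    return Host(app_dir=APP, system_dir=SYSTEM32, windows_dir="C:\\Windows",
                cwd=DOWNLOADS, path_dirs=[SYSTEM32], files=files, safe_dll_search_mode=safe)


if __name__ == "__main__":
    for legit_dir, safe in ((APP, True), (None, True), (SYSTEM32, True), (SYSTEM32, False)):
        h = make_host(legit_dir, safe)
        print(f"genuine copy in {legit_dir}, SafeDllSearchMode={safe}")
        print("  resolves to:     ", resolve(h, "SciLexer.dll"))
        print("  hijack positions:", hijack_positions(h, "SciLexer.dll", TRUSTED))
        print("  legacy load:     ", load_legacy(h, "SciLexer.dll"))
        print("  with cert check: ", load_with_cert_check(h, "SciLexer.dll", TRUSTED))
```

The first scenario is Gur's point: with the genuine DLL sitting in the application directory, nothing writable is consulted before it, so the planted copy in Downloads is never reached. The second is the answer's scenario, which only plays out when the application directory does not supply the file; there the legacy loader takes the unsigned copy from Downloads and the certificate check refuses it. The last two contrast SafeDllSearchMode on and off for a DLL that lives in the system directory, which is where the current directory's position in the order actually matters.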