Submission #774778 (information): Flos Freeware Notepad2 4.2.25 Uncontrolled Search Path - DLL Hijacking with TextShaping.dll

Title: Flos Freeware Notepad2 4.2.25 Uncontrolled Search Path - DLL Hijacking with TextShaping.dll
Description:

Overview: Notepad2 version 4.2.25 (x86) fails to securely load the system DLL "TextShaping.dll": it references the library by relative name and relies on the default Windows DLL search order without mitigation. This allows an attacker with local access to place a malicious TextShaping.dll in a directory that precedes the legitimate System32 path in the search order (such as the application's installation directory, the current working directory, or a user-writable location alongside the Notepad2 executable). When the vulnerable Notepad2 process loads TextShaping.dll, the malicious DLL is executed in the context of the Notepad2 process. This results in arbitrary code execution with the privileges of the user running Notepad2 (typically standard user privileges), enabling actions such as installing persistence mechanisms, stealing data (e.g., keylogging or credential theft), dropping ransomware or other payloads, or pivoting to compromise additional systems on the network. The attack leverages the trusted nature of the legitimate software to bypass user suspicion and potentially evade some antivirus detections, especially if the malicious DLL forwards calls to the genuine TextShaping.dll to maintain application functionality and avoid crashes.

Detail: When notepad2.exe is launched, the application attempts to load the TextShaping.dll library. Because of the insecure DLL search order (which prioritizes the application/working directory), it first checks for this DLL in the same directory as the executable. If the legitimate system version (from C:\Windows\System32 or similar) is not explicitly referenced by full path and a malicious file is present locally, the vulnerable load occurs. This can be exploited by building a malicious TextShaping.dll containing reverse shell functionality (e.g., via an msfvenom payload or custom DllMain code) and placing it in the same directory as notepad2.exe.

Upon execution by the user, notepad2.exe loads the malicious DLL instead of the legitimate one, triggering the payload immediately. This results in the attacker's command-and-control (C2) server receiving an inbound reverse shell connection from the victim's machine, granting remote code execution in the context of the user's privileges.

Link POC: https://github.com/haehansa/Notepad2-Revershell-via-DLL-Hijacking/tree/main/4.2.25/TextShaping
Link video POC: https://drive.google.com/file/d/1w5-ztNIN28mPuidtjlsilKsKKQQNOiIJ/view
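An added defender-side check, not part of this submission or of the Notepad2 project: a PowerShell audit that flags a TextShaping.dll sitting beside the executable (comparing it against the System32 copy) and reports whether the install directory is writable by non-administrators. The install path is an assumed default and should be passed in for the real deployment.

```powershell
# Added audit script (not from the submission). Run as the user who normally
# launches Notepad2; the default path below is an assumption.
param(
    [string]$AppDir = 'C:\Program Files\Notepad2'   # assumed install location
)

$dllName   = 'TextShaping.dll'
$localDll  = Join-Path $AppDir $dllName
$systemDll = Join-Path $env:SystemRoot ('System32\' + $dllName)

# 1. A copy of the DLL next to the executable is loaded before the System32
#    copy, so any file here wins the search. Compare it with the real one.
if (Test-Path -LiteralPath $localDll) {
    $localHash = (Get-FileHash -LiteralPath $localDll -Algorithm SHA256).Hash
    $sig       = Get-AuthenticodeSignature -LiteralPath $localDll
    $sameAsSystem = $false
    if (Test-Path -LiteralPath $systemDll) {
        $systemHash   = (Get-FileHash -LiteralPath $systemDll -Algorithm SHA256).Hash
        $sameAsSystem = ($localHash -eq $systemHash)
    }
    Write-Output "Found $localDll"
    Write-Output "  SHA256 matches System32 copy : $sameAsSystem"
    Write-Output "  Authenticode status          : $($sig.Status)"
    if (-not $sameAsSystem -or $sig.Status -ne 'Valid') {
        Write-Warning "Unexpected $dllName in application directory; treat as planted until verified."
    }
} else {
    Write-Output "No $dllName in $AppDir (the loader should resolve it from System32)."
}

# 2. If broad groups can write to the directory, any local user can plant a
#    DLL there. An install directory should be writable by administrators only.
$acl         = Get-Acl -LiteralPath $AppDir
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeRights) -ne 0) -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users'
}
if ($risky) {
    Write-Warning "$AppDir is writable by broad groups:"
    $risky | ForEach-Object { Write-Output "  $($_.IdentityReference): $($_.FileSystemRights)" }
} else {
    Write-Output "$AppDir is not writable by Users/Everyone/Authenticated Users."
}
```

For fleet-wide detection, Sysmon Event ID 7 (ImageLoaded) records where the image is TextShaping.dll loaded from a path outside System32 expose the same condition at runtime. The vendor-side fix is to load the library via LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (or to call SetDefaultDllDirectories at startup) instead of by bare name.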
Source: https://drive.google.com/file/d/1w5-ztNIN28mPuidtjlsilKsKKQQNOiIJ/view
User: haehanse (UID 95883)
Submitted: 07/03/2026 17:06 (3 months ago)
Moderated: 21/03/2026 17:44 (14 days later)
Status: accepted
VulDB entry: 352373 [Flos Freeware Notepad2 4.2.25 TextShaping.dll privilege escalation]
Points: 20
