Notepad++ Privilege Escalation Vulnerability in Installer via Insecure Executable Search Path

A privilege escalation vulnerability has been identified in the Notepad++ installer for versions through 8.8.1. This vulnerability allows unprivileged users to gain SYSTEM-level privileges by exploiting insecure executable search paths. The issue arises because the installer does not properly verify the location of executable dependencies, enabling attackers to place malicious executables that are executed with elevated privileges during installation. The vulnerability can be exploited with minimal user interaction, such as through social engineering or clickjacking.

Impact

Exploitation of this vulnerability allows unprivileged users to gain SYSTEM-level privileges, with the potential for arbitrary code execution under elevated rights. This could lead to unauthorized access to sensitive data, allow for lateral movement within a network, and enable the execution of malicious activities with high-level permissions.

Reproduction

To reproduce this vulnerability, download the Notepad++ v8.8.1 installer and place it in a directory that will be searched for executables, such as the Downloads folder. Simultaneously, download a malicious executable, such as regsvr32.exe, and place it in the same directory. When the Notepad++ installer is run, it will automatically execute the malicious executable with SYSTEM privileges, allowing for privilege escalation.

Remediation

Users can update to Notepad++ version 8.8.2, which addresses this vulnerability by modifying the installer to use absolute paths for executable dependencies, thereby preventing the exploitation of insecure search paths.