Notepad++ DLL Hijacking Vulnerability in Version 8.8.3

Vulnerability

A DLL hijacking vulnerability has been identified in Notepad++ version 8.8.3. This vulnerability allows an attacker to replace the original DLL file with a malicious one, which can then be executed when Notepad++ is run. The issue arises from the way Notepad++ handles DLL files in its plugins directory.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary code with the same privileges as the user running Notepad++.

Reproduction

To reproduce this vulnerability, install Notepad++ version 8.8.3 using the 64-bit installer. After installation, navigate to the Notepad++ plugins directory and locate the NppExport.dll file. Replace this file with a malicious DLL of the same name, ensuring that the malicious DLL is crafted to execute the desired payload while forwarding the original export function to the legitimate DLL. Once the replacement is made, launch Notepad++.exe, and the malicious code will be executed, demonstrating the DLL hijacking vulnerability.
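Because the reproduction depends on a file in the plugins directory being swapped for another of the same name, a defender can check who is able to write to that directory and whether any DLL in it has changed. The PowerShell script below is an added example, not part of the original advisory or of Notepad++; the `-PluginsDir` path and the baseline CSV file are assumptions supplied by whoever runs it.

```powershell
# Added example (not from the advisory): audit a Notepad++ plugins directory.
param(
    # Assumption: the plugins directory of your install, passed in by the caller.
    [Parameter(Mandatory)] [string] $PluginsDir,
    # Hypothetical CSV baseline (columns Path, SHA256) produced with -SaveBaseline.
    [string] $BaselineCsv,
    [switch] $SaveBaseline
)

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller,
# and CREATOR OWNER (only applies to whoever could already create the file).
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Specific write-type rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x50000000

# 1. Flag any other principal allowed to create, overwrite or delete files here.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -LiteralPath $PluginsDir).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]$_.FileSystemRights -band $mask) -and
                   $trusted -notcontains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Writable by $($_.IdentityReference.Value): $($_.FileSystemRights)" }

# 2. Record hash, Authenticode status and timestamp for every DLL in the tree.
$report = Get-ChildItem -LiteralPath $PluginsDir -Recurse -Filter *.dll -File | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        Modified  = $_.LastWriteTimeUtc
    }
}

# 3. Save a baseline on a known-good install, or compare against one later.
if ($SaveBaseline -and $BaselineCsv) {
    $report | Select-Object Path, SHA256 | Export-Csv -LiteralPath $BaselineCsv -NoTypeInformation
} elseif ($BaselineCsv) {
    $known = @{}
    Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $known[$_.Path] = $_.SHA256 }
    # A DLL that is new, or whose hash differs from the baseline, is reported.
    $report | Where-Object { $known[$_.Path] -ne $_.SHA256 } |
        ForEach-Object { Write-Warning "New or changed DLL: $($_.Path)" }
}
$report | Sort-Object Path | Format-Table -AutoSize
```

A signature status other than `Valid` is a prompt to look closer rather than proof of tampering, since a plugin may ship unsigned; the baseline comparison is the stronger signal.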

Added: Sep 26, 2025, 6:18 PM
Updated: Sep 26, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.