Notepad++ Format String Injection Vulnerability Allowing Application Crash and Information Disclosure

Vulnerability

A format string injection vulnerability has been identified in Notepad++ version 8.9.3, affecting both the installer and portable editions. It allows an attacker who can modify the 'nativeLang.xml' localization file to cause a reliable application crash (denial of service) or to leak stack and register contents. The issue arises because the application does not validate strings read from 'nativeLang.xml' before using them, so format specifiers injected into the file are interpreted by the 'wsprintfW' function, leading to memory access violations or unauthorized information disclosure.

Impact

Exploitation of this vulnerability causes Notepad++ to crash due to an access violation, as the 'wsprintfW' function incorrectly interprets garbage values from registers and the stack as pointers, accessing invalid memory addresses. Additionally, the vulnerability allows for the leakage of sensitive information, such as stack and register contents, through the application's Find Results panel.
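As an added illustration (not Notepad++ code, and not the upstream fix shipped in 8.9.4), the following C shows the validation step the advisory describes as missing: a string read from a localization file is accepted as a format only if its directives match the trusted built-in string, and otherwise the built-in string is used. It uses the portable vswprintf in place of wsprintfW; the function names, the sample English and German strings, and the tampered string are constructed for this example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <wchar.h>

/* Record the conversion char of every % directive; -1 on malformed or forbidden ('*', %n, %p). */
static int collect_directives(const wchar_t *fmt, wchar_t *out, size_t cap)
{
    int n = 0;
    for (const wchar_t *p = fmt; *p; p++) {
        if (*p != L'%') continue;
        p++;
        if (*p == L'%') continue;                                   /* "%%" is a literal */
        while (*p == L'-' || *p == L'0' || *p == L'#' || *p == L' ' || *p == L'+') p++;
        if (*p == L'*') return -1;                                  /* width taken from the stack */
        while (*p >= L'0' && *p <= L'9') p++;
        if (*p == L'.') { p++; if (*p == L'*') return -1; while (*p >= L'0' && *p <= L'9') p++; }
        while (*p == L'h' || *p == L'l') p++;                        /* length modifiers */
        if (*p == L'\0' || !wcschr(L"cCdiouxXsS", *p)) return -1;  /* %n, %p, unknown, truncated */
        if ((size_t)n >= cap) return -1;
        out[n++] = *p;
    }
    return n;
}
/* A localized string may serve as a format only if its directives equal the built-in string's. */
bool translation_matches_reference(const wchar_t *reference, const wchar_t *translated)
{
    wchar_t a[16], b[16];
    int na = collect_directives(reference, a, 16), nb = collect_directives(translated, b, 16);
    if (na < 0 || nb < 0 || na != nb) return false;
    return wmemcmp(a, b, (size_t)na) == 0;
}
/* Use the translation if it passes, else the built-in string: the file never picks the format. */
int format_localized(wchar_t *buf, size_t cap, const wchar_t *ref, const wchar_t *tr, ...)
{
    const wchar_t *fmt = translation_matches_reference(ref, tr) ? tr : ref;
    va_list ap; va_start(ap, tr);
    int r = vswprintf(buf, cap, fmt, ap);   /* portable stand-in for wsprintfW */
    va_end(ap);
    return r;
}
/* Constructed sample: a valid German translation, then a tampered string with extra %s directives. */
bool self_check(void)
{
    wchar_t buf[64];
    format_localized(buf, 64, L"Found %d matches", L"%d Treffer gefunden", 3);
    bool ok = wcscmp(buf, L"3 Treffer gefunden") == 0;
    format_localized(buf, 64, L"Found %d matches", L"%s%s%s%s%s", 3);
    return ok && wcscmp(buf, L"Found 3 matches") == 0;
}
```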

Reproduction

To reproduce this vulnerability, replace the 'nativeLang.xml' file in the appropriate location with a crafted version that includes format specifiers. This can be done by downloading the 'formatstring_crash.xml' file, renaming it to 'nativeLang.xml', and placing it at either '%APPDATA%\Notepad++\nativeLang.xml' (for the installer version) or '<npp_directory>\nativeLang.xml' (for the portable version). After replacing the file, open Notepad++ and perform a search that triggers the vulnerability, such as 'Find All in Current Document'. Notepad++ will crash immediately, and if the payload includes certain format specifiers, it will leak register and stack information into the Find Results panel.

Remediation

Users are advised to update to Notepad++ version 8.9.4, which addresses this vulnerability.

Added: Apr 27, 2026, 7:22 AM
Updated: Apr 27, 2026, 7:22 AM

Vulnerability Rating

Custom Algorithm

spread          7.8
impact          1.3
exploitability  5.6
remediation     8.3
relevance       6.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.