Notepad Next Arbitrary Code Execution Vulnerability via Lua Injection in Filename Extensions
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in Notepad Next, a cross-platform reimplementation of Notepad++. This issue affects versions prior to 0.14. The vulnerability arises in the 'detectLanguageFromExtension()' function, which interpolates the file extension directly into Lua source text without any sanitization, so an attacker-controlled extension is compiled as code rather than treated as data. An attacker can exploit this by crafting a filename whose extension contains Lua code; when the file is opened in Notepad Next, the injected code executes automatically. Exploitation is made worse by the unconditional invocation of 'luaL_openlibs()', which gives the injected code access to the full 'os', 'io', and 'package' libraries and thereby enables arbitrary command execution.
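The following is an added illustration, not Notepad Next's code: a hypothetical detection helper written in the vulnerable style the advisory describes (extension concatenated into Lua source and run with every library loaded), beside a hardened version that passes the extension as data to a fixed chunk running in a restricted environment. The function names, the lookup table and the alphanumeric extension check are assumptions for the example; it requires Lua 5.2 or later for `load` with an environment argument.

```lua
-- Added illustration, not Notepad Next's code. Function names, the lookup table
-- and the extension check are hypothetical stand-ins. Requires Lua 5.2+.

-- Stand-in for the extension -> language table a detection script would consult.
LANGUAGES = { lua = "Lua", py = "Python", cpp = "C++" }

-- VULNERABLE pattern: the extension is concatenated into Lua source text and run
-- in the full global environment (what luaL_openlibs followed by luaL_dostring
-- gives you). A value containing a quote closes the string literal, and whatever
-- follows is compiled as code with os, io and package within reach.
local function detect_unsafe(ext)
  local src = "local lang = LANGUAGES['" .. ext .. "']; return lang"
  local fn = assert(load(src, "=detect"))   -- default env: _G, all libraries
  return fn()
end

-- HARDENED pattern: the source text is fixed and compiled once; the extension is
-- only ever passed as an argument, and the chunk's environment exposes nothing
-- but the lookup table, so there is no os/io/package to reach even by mistake.
local SANDBOX = { LANGUAGES = LANGUAGES }
local DETECT = assert(load("local ext = ...; return LANGUAGES[ext]",
                           "=detect", "t", SANDBOX))
local function detect_safe(ext)
  -- Defence in depth (an assumption, not the upstream fix): a file extension is
  -- a short run of alphanumerics; anything else is rejected before Lua sees it.
  if type(ext) ~= "string" or not ext:match("^%w+$") then
    return nil, "rejected extension"
  end
  return DETECT(ext)
end

-- Constructed probe input: it only sets a harmless global marker, which is
-- enough to show that attacker-controlled text was executed as code.
local probe = "lua']; INJECTED = true --"

detect_unsafe(probe)
print("unsafe path executed injected text:", INJECTED == true)  -- true
print("safe path, same input:", detect_safe(probe))             -- nil, rejected
print("safe path, normal input:", detect_safe("py"))            -- Python
```

The point of the hardened version is that the fix is structural, not a matter of escaping: once the extension travels as an argument rather than as source text, no byte sequence in a filename can change what the chunk does, and the restricted environment removes the libraries that turned a string-handling bug into command execution in the first place.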
Impact
Exploitation of this vulnerability allows for arbitrary code execution under the user's privileges. The injected Lua code can execute commands with the same rights as the user running Notepad Next, potentially leading to unauthorized actions or access to sensitive information.
Reproduction
To reproduce this vulnerability, create a file with a name that includes Lua code in the extension. The Lua code should be encoded using decimal escape sequences to bypass filename restrictions. Once the file is created, open it in Notepad Next. The application will execute the Lua code, resulting in arbitrary code execution on the system.
Remediation
Users can update to Notepad Next version 0.14 or later, where this vulnerability has been patched.
