Flos Freeware Notepad2 Uncontrolled Search Path Vulnerability in PROPSYS.dll

Vulnerability

A vulnerability exists in Flos Freeware Notepad2 version 4.2.25, specifically within an unknown function of the PROPSYS.dll library. The flaw is an uncontrolled search path vulnerability that allows local attackers to manipulate the DLL loading process. The issue arises because the application does not load system DLLs securely: it relies on relative paths or does not properly manage the default Windows DLL search order. As a result, an attacker could place a malicious PROPSYS.dll in a directory that is searched before the legitimate System32 path. When Notepad2 loads the DLL, the malicious code is executed within the Notepad2 process, potentially leading to arbitrary code execution with the user's privileges.

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the context of the Notepad2 process, using the privileges of the user running the application. This could enable an attacker to execute various malicious actions, such as installing persistent malware, stealing sensitive information like credentials or personal data, deploying ransomware, or compromising other systems on the network.

Reproduction

To reproduce this vulnerability, place a malicious PROPSYS.dll file in the same directory as the Notepad2 executable or in a user-writable location that precedes the System32 path in the DLL search order. When Notepad2 is launched, the application will load the malicious DLL, executing its contents within the Notepad2 process.
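
A defender-side check for the condition described above, added here as an example and not part of the original advisory: it reports any DLL in an application directory whose name matches a DLL in the system directory, which is the situation in which a planted PROPSYS.dll would be loaded first. The function names and the constructed sample directories are assumptions; on a real host, app_dir would be the Notepad2 install folder and system_dir the System32 folder.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """List DLLs in app_dir whose name matches a DLL in system_dir."""
    # Windows resolves DLL names case-insensitively, so compare lowercased names.
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for candidate in sorted(Path(app_dir).iterdir()):
        if not candidate.is_file() or candidate.suffix.lower() != ".dll":
            continue
        original = system.get(candidate.name.lower())
        if original is None:
            continue  # the application's own DLL, no system counterpart
        same = sha256_of(candidate) == sha256_of(original)
        findings.append({
            "name": candidate.name,
            "path": str(candidate),
            "verdict": "copy-of-system-dll" if same else "differs-from-system-dll",
        })
    return findings


def demo():
    """Constructed sample: throwaway directories stand in for the real ones."""
    with tempfile.TemporaryDirectory() as root:
        app, system = Path(root, "Notepad2"), Path(root, "System32")
        app.mkdir()
        system.mkdir()
        (system / "propsys.dll").write_bytes(b"constructed system library")
        (app / "PROPSYS.dll").write_bytes(b"constructed unexpected file")
        (app / "Notepad2.exe").write_bytes(b"constructed executable")
        return find_shadowing_dlls(app, system)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A "differs-from-system-dll" verdict is a lead for review, not proof of tampering; a same-named file next to the executable should be checked for a valid signature and an expected origin.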

Added: Mar 22, 2026, 12:21 PM
Updated: Mar 22, 2026, 12:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.0
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.