Flos Freeware Notepad2 Uncontrolled Search Path Vulnerability in TextShaping.dll Allowing DLL Hijacking
Vulnerability
A vulnerability exists in Flos Freeware Notepad2 version 4.2.25, specifically within an unknown function of the TextShaping.dll library. This vulnerability creates an uncontrolled search path issue, allowing for DLL hijacking. The flaw requires local execution and involves a high level of complexity, making exploitation difficult.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution with the privileges of the user running Notepad2, typically standard user rights. This could allow an attacker to install persistent backdoors, steal sensitive information such as credentials (including through keylogging), deploy ransomware or other malicious payloads, or compromise additional systems on the network.
Reproduction
To reproduce this vulnerability, place a malicious version of TextShaping.dll in a directory that is searched before the legitimate System32 path, such as the Notepad2 installation directory or a user-writable location. When Notepad2 is launched, it will load the malicious DLL instead of the legitimate one, executing any embedded payloads. This vulnerability can be exploited by creating a DLL that includes reverse shell functionality and placing it in the appropriate directory.
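The load described above shows up in image-load telemetry as Notepad2 loading TextShaping.dll from a path other than the Windows system directories. The following detection check is an added example, not part of the original advisory. It assumes events shaped like Sysmon Event ID 7 records (fields Image, ImageLoaded, Signed); the sample events, paths and trusted-directory list are constructed.

```python
import ntpath

# Assumption: default Windows layout on C:. The genuine TextShaping.dll
# is expected to load only from these directories.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_DLL = "textshaping.dll"
TARGET_PROCESS = "notepad2.exe"


def norm_path(path):
    """Normalise a Windows path: collapse '..', unify slashes, lower-case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_suspicious_load(event):
    """True when Notepad2 loads TextShaping.dll from outside TRUSTED_DIRS."""
    image = norm_path(event["Image"])
    loaded = norm_path(event["ImageLoaded"])
    if ntpath.basename(image) != TARGET_PROCESS:
        return False
    if ntpath.basename(loaded) != TARGET_DLL:
        return False
    return ntpath.dirname(loaded) not in TRUSTED_DIRS


def triage(events):
    """Return (loaded_path, signed) for each suspicious load, for prioritising."""
    return [(e["ImageLoaded"], e.get("Signed", "false").lower() == "true")
            for e in events if is_suspicious_load(e)]


# Constructed sample events (not real telemetry), Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad2\Notepad2.exe",
     "ImageLoaded": r"C:\Windows\System32\TextShaping.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Notepad2\Notepad2.exe",
     "ImageLoaded": r"C:\Program Files\Notepad2\TextShaping.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Tools\notepad2.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\TEXTSHAPING.DLL", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\TextShaping.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for path, signed in triage(SAMPLE_EVENTS):
        print(f"suspicious load: {path} (signed={signed})")
```

Paths are normalised before comparison so that case differences and `..` segments cannot make a load from outside System32 look trusted.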
