Multiple Vulnerabilities in Notepad++ Allow Attackers to Perform Arbitrary Code Execution

Notepad++ is affected by multiple buffer overflow vulnerabilities that may allow attackers to execute arbitrary code on target systems. They are tracked as CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, and CVE-2023-40166, with severity ratings and CVSS scores ranging from 5.5 (Medium) to 7.8 (High). Jaroslav Lobačevski of the GitHub Security Lab (GHSL) discovered the vulnerabilities.

Notepad++, developed by Don Ho, is an open-source source code editor written in C++. It supports tabbed editing, so multiple files can be worked on in a single window.

CVE-2023-40031: Heap buffer write overflow in Utf8_16_Read::convert

Utf8_16_Read::convert converts UTF-16 input to UTF-8. The function is flawed because it assumes that every two UTF-16 encoded bytes need three UTF-8 encoded bytes of output space and sizes the destination buffer on that basis. If the input length is an odd number of bytes, nine for example, that calculation no longer holds and the conversion writes past the end of the heap buffer.
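As an added illustration, not Notepad++ code and not the patched function, the converter below derives the worst-case UTF-8 size from the same three-bytes-per-two ratio but rounds the unit count up so an odd input length is covered, and checks the remaining capacity before every write. The 9-byte sample is constructed, and substituting U+FFFD for a stray trailing byte is a design choice of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst-case UTF-8 bytes for `len` bytes of UTF-16: each 2-byte code unit can
   become 3 UTF-8 bytes (a surrogate pair, 4 bytes in, gives 4 out, which is
   within that bound). Rounding the unit count UP covers an odd trailing byte;
   truncating division would undersize the buffer for odd lengths. */
size_t utf16_to_utf8_capacity(size_t len) {
    return ((len + 1) / 2) * 3;
}

/* Convert UTF-16LE to UTF-8 into `out` (size `cap`). Returns bytes written,
   or (size_t)-1 if `out` is too small. A trailing odd byte or unpaired
   surrogate becomes U+FFFD instead of reading or writing out of bounds. */
size_t utf16le_to_utf8(const uint8_t *in, size_t len, uint8_t *out, size_t cap) {
    size_t i = 0, o = 0;
    while (i < len) {
        uint32_t cp;
        if (i + 2 > len) {                       /* odd trailing byte */
            cp = 0xFFFD; i = len;
        } else {
            uint32_t u = in[i] | ((uint32_t)in[i + 1] << 8); i += 2;
            if (u >= 0xD800 && u <= 0xDBFF && i + 2 <= len) {
                uint32_t lo = in[i] | ((uint32_t)in[i + 1] << 8);
                if (lo >= 0xDC00 && lo <= 0xDFFF) { i += 2; cp = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00); }
                else cp = 0xFFFD;                /* high surrogate without a low one */
            } else if (u >= 0xD800 && u <= 0xDFFF) cp = 0xFFFD;
            else cp = u;
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need > cap) return (size_t)-1;   /* refuse rather than overflow */
        if (need == 1) out[o++] = (uint8_t)cp;
        else if (need == 2) { out[o++] = 0xC0 | (cp >> 6); out[o++] = 0x80 | (cp & 0x3F); }
        else if (need == 3) { out[o++] = 0xE0 | (cp >> 12); out[o++] = 0x80 | ((cp >> 6) & 0x3F); out[o++] = 0x80 | (cp & 0x3F); }
        else { out[o++] = 0xF0 | (cp >> 18); out[o++] = 0x80 | ((cp >> 12) & 0x3F); out[o++] = 0x80 | ((cp >> 6) & 0x3F); out[o++] = 0x80 | (cp & 0x3F); }
    }
    return o;
}

/* Constructed sample: U+20AC, 'A', U+1F600 as a surrogate pair, then one stray
   byte: 9 bytes of UTF-16LE, the odd length the advisory mentions. */
static const uint8_t SAMPLE9[9] = {0xAC, 0x20, 0x41, 0x00, 0x3D, 0xD8, 0x00, 0xDE, 0x41};
static uint8_t g_out[32];
size_t convert_sample(size_t cap) { return utf16le_to_utf8(SAMPLE9, sizeof SAMPLE9, g_out, cap); }
const uint8_t *sample_output(void) { return g_out; }

int main(void) {
    size_t cap = utf16_to_utf8_capacity(sizeof SAMPLE9), n = convert_sample(cap);
    printf("%zu UTF-16 bytes -> %zu UTF-8 bytes (capacity %zu)\n", sizeof SAMPLE9, n, cap);
    return n == (size_t)-1;
}
```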

CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar

The vulnerability arises because the array index order depends on the size of the mCharToFreqOrder buffer. An attacker may exploit this by creating a specially crafted file that triggers a global buffer read overflow. The affected code lives in the uchardet library that Notepad++ bundles.

CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState

The divergent copy of the uchardet library used by Notepad++ was found to be vulnerable to a global buffer read overflow. An attacker may create a specially crafted file that takes advantage of the fact that the array index byteCls depends on the size of the charLenTable buffer.

CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining

When opening a file, Notepad++ uses FileManager::loadFile to create a fixed-size buffer and FileManager::loadFileData to load the first block of data into it.

It then calls detectLanguageFromTextBeginning to determine the content type from the start of the file. A heap buffer read overflow occurs because the loop in FileManager::detectLanguageFromTextBeginning does not verify that i+longestlength is smaller than dataLen before reading.

Affected Versions

The vulnerabilities affect Notepad++ version 8.5.6 and prior.

Mitigation

Customers must upgrade to Notepad++ version 8.5.7 to patch the vulnerabilities.

Qualys Detection

Qualys customers can scan their devices with QID 378819 to detect vulnerable assets. 

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
