Windows Notepad hack allows shell access

Tavis Ormandy of Google's Project Zero has found a bug in the Windows Notepad editor that gives him shell access. That can serve as the starting point for an attack on a Windows system. Here is what is known so far about this vulnerability.


Tavis Ormandy is one of the security researchers of Google's Project Zero and has found a number of vulnerabilities in products, including Windows, in the past. In a tweet, he points to a new vulnerability.

At Threatpost.com you can find more information about this vulnerability, which has probably existed since 1985 in every version of the Windows editor. A memory corruption bug in the Windows Notepad editor can be used to open remote shell access. Shell access in the form of a command prompt is usually the first step for attackers attempting to invade a system.

Disclosure of vulnerability in 90 days

Tavis Ormandy has published nothing but the tweet about this vulnerability. Users on Twitter then suspected that he had simply right-clicked on cmd.exe in the Open dialog box. He writes about this:

All I can say is it's a serious security bug, and we've given Microsoft up to 90 days to address it (as we do with all the vulns we report). That's all I can share,

So there is some mechanism by which the editor can be abused. Microsoft has been informed and now has 90 days to patch Notepad. However, Chaouki Bekrar, founder of Zerodium, a company that buys zero-day vulnerabilities, contradicts this in the following tweet.


According to him, there have probably been Notepad hacks in the past, but those exploits were never reported to Microsoft or made public.

Security researchers are amazed

"It's impressive to make this attack work at all," said Dan Kaminsky, chief scientist and founder of White Ops. "Notepad has such a small attack surface that it is remarkable that it is still sufficient to allow an attacker to execute arbitrary code. That's not to say that given Notepad's small attack surface, there's no room for anything that goes wrong."

For many security researchers, "popping a shell" from Notepad, i.e. opening a command prompt, is not something they have seen before; at least nothing is documented. The term "popping a shell" is shorthand for an attack in which the adversary exploits a computer and gains remote access via a shell connection. Further details can be found in the Threatpost.com article.
