[German]Tavis Ormandy of Google's Zero project has found a bug in the Windows Notepad editor that gives him shell access. This can be used to attempt an attack on a Windows system. Here is some information about this vulnerability.
Advertising
Tavis Ormandy is one of the security researchers of Google's Zero project and has found some vulnerabilities in products, including Windows, in the past. In a tweet, he points to a new vulnerability.
Am I the first person to pop a shell in notepad? ….believe it or not, It's a real bug! pic.twitter.com/t2wTh7E93p
— Tavis Ormandy (@taviso) 28. Mai 2019
At Threadpost.com you can find more information about this vulnerability, which probably exists since 1985 in all versions of the Windows editor. A memory corruption bug (memory overflow) in the Windows Notepad editor can be used to open remote shell access. A shell access in the form of a command prompt is usually a first step for attackers attempting to invade a system.
Disclosure of vulnerability in 90 days
Tavis Ormandy has published nothing but the tweet on this vulnerability. Users then suspected on Twitter that he had right-clicked on cmd.exe in the Open dialog box. He writes about this:
All I can say it's a serious security bug, and we've given Microsoft up to 90 days to address it (as we do with all the vulns we report). That's all I can share,
So there is some mechanism by which you can abuse the editor. Microsoft has been informed and now has 90 days to patch Notepad. However, Chaouki Bekrar, founder of Zerodium, a company that buys zero-day vulnerabilities, contradicts in the following tweet.
Advertising
No Tavis, you're not the first person to pwn notepad with a nice memory corruption BUT you're probably the first one to report it to MS ;-)https://t.co/udQGduVpKO
— Chaouki Bekrar (@cBekrar) 29. Mai 2019
There have probably been hacks of the notepad in the past, but these exploits were never reported to Microsoft or made public.
Security researchers are amazed
'It's impressive to make this attack work at all,' said Dan Kaminsky, chief scientist and founder of White Ops. "Notepad has such a small attack surface that it is remarkable that it is still sufficient to allow an attacker to execute arbitrary code. That's not to say that given Notepad's small attack surface, there's no room for anything that goes wrong."
For many security researchers, "popping a shell", i.e. opening a command prompt, doesn't seem to be known about Notepad yet – at least nothing is documented. The term "popping a shell" is an abbreviation for an attack in which the opponent exploits a computer and gains remote access via a shell connection. Further details can be found in the threadpost.com article. (via)
