{"id":9946,"date":"2019-06-02T03:37:47","date_gmt":"2019-06-02T01:37:47","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=9946"},"modified":"2019-06-02T03:37:47","modified_gmt":"2019-06-02T01:37:47","slug":"windows-notepad-hack-allows-shell-access","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/06\/02\/windows-notepad-hack-allows-shell-access\/","title":{"rendered":"Windows Notepad hack allows shell access"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/06\/02\/windows-notepad-hack-ermglicht-shell-zugriff\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Tavis Ormandy of Google's Project Zero has found a bug in the Windows Notepad editor that gives him shell access. This can be used to attempt an attack on a Windows system. Here is some information about this vulnerability. <\/p>\n<p>Tavis Ormandy is one of the security researchers of Google's Project Zero and has found vulnerabilities in various products, including Windows, in the past. In a tweet, he points to a new vulnerability.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">Am I the first person to pop a shell in notepad?  &#8230;.believe it or not, It's a real bug!  <a href=\"https:\/\/t.co\/t2wTh7E93p\">pic.twitter.com\/t2wTh7E93p<\/a><\/p>\n<p>\u2014 Tavis Ormandy (@taviso) <a href=\"https:\/\/twitter.com\/taviso\/status\/1133384839321853954?ref_src=twsrc%5Etfw\">28. 
May 2019<\/a><\/p><\/blockquote>\n<p>At <a href=\"https:\/\/threatpost.com\/researcher-exploits-microsofts-notepad-to-pop-a-shell\/145242\/\" target=\"_blank\" rel=\"noopener noreferrer\">Threatpost.com<\/a> you can find more information about this vulnerability, which has probably existed in all versions of the Windows editor since 1985. A memory corruption bug (memory overflow) in the Windows Notepad editor can be used to open remote shell access. Shell access in the form of a command prompt is usually a first step for attackers attempting to break into a system.<\/p>\n<h2>Disclosure of vulnerability in 90 days<\/h2>\n<p>Tavis Ormandy has published nothing but the tweet on this vulnerability. Users on Twitter then suspected that he had right-clicked on cmd.exe in the Open dialog box. He writes about this:<\/p>\n<blockquote>\n<p>All I can say is it's a serious security bug, and we've given Microsoft up to 90 days to address it (as we do with all the vulns we report). That's all I can share,<\/p>\n<\/blockquote>\n<p>So there is some mechanism by which the editor can be abused. Microsoft has been informed and now has 90 days to patch Notepad. However, Chaouki Bekrar, founder of Zerodium, a company that buys zero-day vulnerabilities, contradicts him in the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">No Tavis, you're not the first person to pwn notepad with a nice memory corruption BUT you're probably the first one to report it to MS ;-)<a href=\"https:\/\/t.co\/udQGduVpKO\">https:\/\/t.co\/udQGduVpKO<\/a><\/p>\n<p>\u2014 Chaouki Bekrar (@cBekrar) <a href=\"https:\/\/twitter.com\/cBekrar\/status\/1133705401063448576?ref_src=twsrc%5Etfw\">29. 
May 2019<\/a><\/p><\/blockquote>\n<p>There have probably been hacks of Notepad in the past, but these exploits were never reported to Microsoft or made public. <\/p>\n<h2>Security researchers are amazed<\/h2>\n<p>\"It's impressive to make this attack work at all,\" said Dan Kaminsky, chief scientist and founder of White Ops. \"Notepad has such a small attack surface that it is remarkable that it is still sufficient to allow an attacker to execute arbitrary code. That's not to say that given Notepad's small attack surface, there's no room for anything that goes wrong.\"<\/p>\n<p>To many security researchers, \"popping a shell\", i.e. opening a command prompt, via Notepad doesn't seem to have been known until now &#8211; at least nothing is documented. The term \"popping a shell\" is shorthand for an attack in which the adversary exploits a computer and gains remote access via a shell connection. Further details can be found in the <a href=\"https:\/\/threatpost.com\/researcher-exploits-microsofts-notepad-to-pop-a-shell\/145242\/\" target=\"_blank\" rel=\"noopener noreferrer\">threatpost.com article<\/a>. (<a href=\"https:\/\/mspoweruser.com\/googles-project-zero-hacks-windows-notepad-to-offer-remote-shell-access\/\" target=\"_blank\" rel=\"noopener noreferrer\">via<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Tavis Ormandy of Google's Project Zero has found a bug in the Windows Notepad editor that gives him shell access. This can be used to attempt an attack on a Windows system. 
Here is some information about this vulnerability.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-9946","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=9946"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9946\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=9946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=9946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=9946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}