CVE-2023-47452
📋 TL;DR
This CVE describes an untrusted search path vulnerability in Notepad++ 6.5 that allows local users to escalate privileges by placing a malicious msimg32.dll file in the current working directory. When Notepad++ loads this DLL instead of the legitimate system version, attackers can execute arbitrary code with elevated privileges. Only users running the vulnerable version of Notepad++ on Windows systems are affected.
💻 Affected Systems
- Notepad++
📦 What is this software?
Notepad++ by Notepad Plus Plus
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full system control by executing arbitrary code with elevated privileges, potentially leading to complete system compromise, data theft, or installation of persistent malware.
Likely Case
Local user with limited privileges gains administrative access to the system, allowing them to install software, modify system settings, or access sensitive data.
If Mitigated
Attack fails due to proper file permissions, application sandboxing, or user awareness preventing DLL placement in vulnerable directories.
🎯 Exploit Status
Exploitation requires local access to place malicious DLL and knowledge of where Notepad++ will be executed from. The PoC demonstrates the technique clearly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 6.5 (Notepad++ 6.6 and later)
Vendor Advisory: https://github.com/notepad-plus-plus/notepad-plus-plus
Restart Required: Yes
Instructions:
1. Download the latest Notepad++ version from the official website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure all instances are updated.
🔧 Temporary Workarounds
Restrict DLL loading from current directory
Platform: Windows
Configure Windows to prioritize system directories over the current directory when loading DLLs
Set registry key: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to 1
Use application control policies
Platform: Windows
Restrict Notepad++ from loading DLLs from untrusted locations using AppLocker or similar
🧯 If You Can't Patch
- Run Notepad++ only from trusted directories where users cannot write files
- Implement strict file permissions to prevent unauthorized users from placing DLLs in directories where Notepad++ is executed
🔍 How to Verify
Check if Vulnerable:
Check Notepad++ version: Open Notepad++ > Help > About Notepad++. If version is 6.5, you are vulnerable.
Check Version:
notepad++ --version or check Help > About in GUI
Verify Fix Applied:
Verify Notepad++ version is 6.6 or higher. Test by attempting to load a test DLL from current directory - should fail.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Process Monitor logs showing msimg32.dll being loaded from current directory instead of system32
Network Indicators:
- No network indicators - this is local exploitation only
SIEM Query:
EventID=7 (Image loaded) AND ImageLoaded contains 'msimg32.dll' AND NOT ImageLoaded contains 'system32' AND ProcessName contains 'notepad++'
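
The SIEM query above, written out as detection logic over image-load records (an added example, not part of the original advisory). The `Key: Value` record layout, the sample events and the default `C:\Windows` system root are assumptions constructed for illustration; the check compares the whole load directory, so loads from SysWOW64 are not flagged and a user folder merely named `system32` is not missed.

```python
import ntpath

# Assumption: default %SystemRoot%; adjust for non-standard installs.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events in a simplified "Key: Value" form (not real logs).
SAMPLE_LOG = r"""
EventID: 7
Image: C:\Program Files (x86)\Notepad++\notepad++.exe
ImageLoaded: C:\Windows\SysWOW64\msimg32.dll

EventID: 7
Image: C:\Program Files (x86)\Notepad++\notepad++.exe
ImageLoaded: C:\Users\alice\Downloads\msimg32.dll

EventID: 7
Image: C:\Program Files (x86)\Notepad++\Notepad++.exe
ImageLoaded: C:\Users\alice\system32\MSIMG32.DLL

EventID: 7
Image: C:\Windows\explorer.exe
ImageLoaded: C:\Temp\msimg32.dll
"""

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def is_suspicious(ev):
    """True when notepad++.exe loads msimg32.dll from outside the system dirs."""
    image = ntpath.normcase(ev.get("Image", ""))
    loaded = ntpath.normcase(ntpath.normpath(ev.get("ImageLoaded", "")))
    if ev.get("EventID") != "7" or ntpath.basename(image) != "notepad++.exe":
        return False
    if ntpath.basename(loaded) != "msimg32.dll":
        return False
    # Compare the whole directory, not a substring such as "system32".
    return ntpath.dirname(loaded) not in TRUSTED_DIRS

def flagged_paths(text):
    return [ev["ImageLoaded"] for ev in parse_events(text) if is_suspicious(ev)]
```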