CVE-2022-31901: GitHub - CDACesec/CVE-2022-31901
Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.
**CVE-2022-31901**
- Denial of Service (DoS) in Notepad++ (x86) 8.4.3 and earlier.
**Description**
- The vulnerability is triggered by opening two specially crafted text files (e.g. first.txt and second.txt) in Notepad++.
In the example below, the latest Notepad++ (x86) release as of 11/07/2022, version 8.4.3, is used.
Proof of Concept
- Open the two example input files first.txt and second.txt in Notepad++, in any order.
Result:
Visual Studio 2019 Dump Analysis
The crash dump shows the failure while parsing these files in ScintillaComponent -> Editor.h, line 690.
Root Cause Analysis
When Notepad++ opens a file it calls Notepad_plus::addHotSpot, which allocates heap memory with the new operator and stores the returned pointer in wideText: `TCHAR *wideText = new TCHAR[endPos - startPos + 1];`. For the crafted files the requested size is very large, so new throws bad_alloc; Notepad++ does not handle the exception, and the process crashes (DoS).
Opening the two example files with Notepad++ (x86) <= 8.4.3 therefore results in a denial of service.
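The allocation pattern from the root-cause analysis, reduced to a stand-alone C++ program, is shown below as an added example; it is not Notepad++ code and does not use the crafted files. The first function mirrors the quoted `new TCHAR[endPos - startPos + 1]` line and lets std::bad_alloc escape, which is what terminates a process that never catches it. The second function is one possible hardening (range check, length cap, self-freeing container, caught allocation failure). The names copy_span_unguarded, copy_span_guarded, unguarded_throws, SpanStatus and kMaxSpan are assumptions for illustration, as is the TCHAR alias; the check for endPos below startPos is a general defensive measure and is not something the advisory states about the real code.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <new>
#include <vector>

// Assumption: stand-in for the Windows TCHAR typedef in a Unicode build.
using TCHAR = wchar_t;

// Assumption: upper bound on a hotspot span an editor would ever need to copy;
// anything larger is treated as corrupt input rather than a real request.
constexpr std::size_t kMaxSpan = 64u * 1024u * 1024u;

// Replicates the pattern quoted in the root-cause analysis. With an
// unsatisfiable span, operator new throws std::bad_alloc (or its subclass
// std::bad_array_new_length when the element count overflows the byte count);
// nothing here catches it, so it propagates to the caller.
std::size_t copy_span_unguarded(std::size_t startPos, std::size_t endPos) {
    TCHAR *wideText = new TCHAR[endPos - startPos + 1];
    std::size_t len = endPos - startPos + 1;
    delete[] wideText;
    return len;
}

// Reports whether the unguarded version lets std::bad_alloc escape; an
// unhandled exception of this kind is what crashes the process.
bool unguarded_throws(std::size_t startPos, std::size_t endPos) {
    try {
        copy_span_unguarded(startPos, endPos);
        return false;
    } catch (const std::bad_alloc &) {
        return true;
    }
}

enum class SpanStatus { Ok, BadRange, TooLarge, OutOfMemory };

// Hardened version: rejects a reversed range (an endPos below startPos would
// wrap the unsigned length to a huge value), caps the length, uses a container
// that frees itself, and turns an allocation failure into a status code.
SpanStatus copy_span_guarded(std::size_t startPos, std::size_t endPos,
                             std::vector<TCHAR> &out) {
    if (endPos < startPos) return SpanStatus::BadRange;
    std::size_t len = endPos - startPos + 1;
    if (len > kMaxSpan) return SpanStatus::TooLarge;
    try {
        out.assign(len, L'\0');
    } catch (const std::bad_alloc &) {
        return SpanStatus::OutOfMemory;
    }
    return SpanStatus::Ok;
}

int main() {
    // Constructed spans: a normal ten-character hotspot and an absurd one.
    std::cout << "unguarded, small span throws: " << unguarded_throws(0, 9) << '\n';
    std::cout << "unguarded, huge span throws:  " << unguarded_throws(0, SIZE_MAX - 1) << '\n';
    std::vector<TCHAR> buf;
    std::cout << "guarded, huge span status:    "
              << static_cast<int>(copy_span_guarded(0, SIZE_MAX - 1, buf)) << '\n';
    return 0;
}
```

The cap is the part that actually prevents the crash on the crafted input; the catch clause is defense in depth for legitimate allocations that fail under memory pressure. On Windows the same behaviour can be reproduced with an x86 build, where the 2 GB address space makes even moderately large spans unsatisfiable.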
Tested Versions
The vulnerability was confirmed on the following versions:
- Notepad++ 8.3.2 32-bit
- Notepad++ 8.3.3 32-bit
- Notepad++ 8.4.0 32-bit
- Notepad++ 8.4.1 32-bit
- Notepad++ 8.4.2 32-bit
- Notepad++ 8.4.3 32-bit
Tested Environment
- Windows 11 - 22563.1000 64-bit
- Windows 10 - 10.0.19042.1586 64-bit
- Windows 10 - 10.0.19044.1706 64-bit
Update
- As of 05-01-2023, this issue still persists in Notepad++ versions 8.4.8 (32-bit) and earlier.