Notepad++ And Unsigned DLLs

TH Team
Feb 22, 2019 · 8 min read

Introduction

As part of our Hunting Activities, we decided to hunt for DLL Side Loading (T1073). We quickly identified that Notepad++ was loading unsigned DLLs. Since Notepad++ is a common tool for editing files on end points, we pondered whether to whitelist its DLLs, but decided not to whitelist applications unless we are 100% certain there is no risk. As part of our Hunting Process we make hypotheses regarding various possible vectors of attack in our network. In the case of Notepad++, we did some research to see whether it could be exploited, as we had not built any alert specifically targeting the exploitation of well-known third-party software. Some of us had heard of malicious plugins (DLLs), so we searched the web for documented cases of exploitation. Our investigation led us to discover that several older versions of Notepad++ were vulnerable to an attack called DLL Hijacking (T1038). We identified a few end points running versions of Notepad++ that were vulnerable. We decided to write a proof of concept exploit to demonstrate how an adversary could leverage this flaw on the affected end points, and to help us build automated detection for future occurrences of this type of behavior. The finding made us aware of the risks of having third-party applications installed on our end points, and that blindly whitelisting unsigned DLLs was a bad idea. In this article, we review the technical background and the Hunting Process that led us to find the vulnerability and improve our detection.

What is a DLL and why do we want to monitor them?

In order to understand this attack vector, it was necessary to go back to Windows internals. Much of the functionality of the Windows operating system comes from dynamic-link libraries. According to Microsoft, the reason for using shared libraries (DLLs) is to promote code reuse, modularization and faster loading of libraries shared by multiple applications. Microsoft binaries rely on DLLs for proper functionality. They are thus a persistent attack vector; the core architecture would have to change to address the issue. In recent years, Windows has moved to a new model that ensures loaded libraries are verified, through signing, manifest checks and other techniques; however, there are still a lot of DLLs on the system that are not covered by the new security mechanisms. Furthermore, third-party developers do not implement those checks systematically.

When a Windows program is compiled, it either includes static libraries or loads dynamic libraries at run time. Most of the system’s DLLs are in C:\Windows\System32\ or C:\Windows\SysWow64\; third-party applications keep theirs in local folders such as \Program Files\. In the following image, you can see the Windows DLLs that are loaded alongside Notepad++ in Dependency Walker.

What is DLL hijacking?

DLL Hijacking is a very effective way of running malicious code that attackers have exploited for a long time. When a Windows application runs, it loads libraries first from the local directory and then from the system directories. Thus, if an adversary replaces one of the application’s real DLLs, the malicious DLL will be loaded by the application. The technique allows for persistence and execution of arbitrary code, as the malicious code is executed every time the program is launched. It is stealthy because no extra binaries are used in the attack and the code runs in memory. The adversary thus gains several advantages: they leave no easily observable process of their own, no autorun keys, no registry change, no scheduled task and no service. DLL Hijacking can bypass firewall rules if the binary that loads the DLL is allowed through the firewall. It removes the need for noisy techniques such as process injection. There are even tools to automate the process, and sophisticated attacks that include the code of the real DLL in the fake one in order to prevent the application from crashing (see: https://hi.cybereason.com/hubfs/Siofra-Research-Tool-Cybereason.pdf).

In the case of Notepad++, DLL hijacking was still possible in 2017. It was notably reported, through the Shadow Broker leak, that the CIA had been using it for persistence and spying on its targets (see: https://www.ghacks.net/2017/03/09/notepad-7-3-3-update-fixes-cia-vulnerability/).

Hunting

In order to hunt, we build hypotheses, investigate the tools and techniques in the wild, examine our networks for suspicious activity and write queries and rules to alert us when malicious activity happens. When we noticed that unsigned DLLs were loaded alongside Notepad++ we thought: wait, what if these could be used for loading malicious code and hiding malicious actors’ activity? In our Sysmon logs for Windows end points, we noticed a lot of activity for event ID 7 (Image loaded), which records DLLs being loaded into a process, including unsigned ones.

Based on this information, we made the hypothesis that some end points might have older versions of Notepad++ that may be vulnerable to a known or unknown attack. We thus started our hunting loop and began gathering information: what versions of Notepad++ were running, which hosts in our networks had the application installed, and what exploits and vulnerabilities had been found in the past.

By searching the web, we found that SciLexer.dll, one of the two DLLs loaded by Notepad++ from its own directory, was the DLL that had been exploited by the CIA. The official Notepad++ website says the following about version 7.3.3 (https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html):

The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
It doesn’t mean that CIA is interested in your coding skill or in your sex message content typed in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.

Looking online, we found that at least one group of researchers from Myanmar had successfully reproduced the exploit in a video on their website: http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/notepad++/poc/movie/. We contacted the researchers to ask for their code and they replied with a link to another DLL hijack on exploit-db.com. This made us think we could perhaps rewrite the exploit by looking at other DLL hijacks in the database. Unfortunately, several exploits were present for older versions of Notepad++, but none for 2017 and SciLexer.dll.

In order to test whether there was indeed a vulnerability in Notepad++’s DLL loading mechanism, we decided to write a custom exploit. By browsing the exploit-db database, we found several examples of DLL hijacks to try. The simplest DLL hijack included the Windows header, which declares the Windows API functions, and defined a single function called DllMain. According to Microsoft, DllMain is an optional entry point into a DLL. It is called for each loaded DLL on the first thread of the process. Microsoft’s documentation says that this entry-point function should perform only simple initialization or termination tasks (https://docs.microsoft.com/en-us/Windows/desktop/DLLs/dllmain). From this information, we wrote our own short DLL.

The two DLLs situated in Notepad++’s directory.

For the proof of concept, we added an API call (WinExec) that pings google.com and then exits the program. We dropped the custom DLL, renamed it SciLexer.dll and ran Notepad++. Notepad++ loaded the malicious SciLexer.dll, pinged google.com and exited as expected.

Detection

At this point the vulnerability had been proven and exploited, so it made sense to find out whether any of our end points were using a vulnerable version of Notepad++.exe. To do so, we collected the hashes of every instance of Notepad++ we identified and submitted them to virustotal.com, which let us determine the version of every instance installed in our environments. We found several installations with versions older than 7. We hypothesised that several of them might be vulnerable to the attack, but we had to confirm it.

It turned out that over 60 hosts within our networks had a vulnerable version of Notepad++.exe installed. To confirm that the installed binaries were vulnerable, we downloaded every version under 7 identified by hash on VirusTotal and ran our exploit against them. Notepad++.exe successfully opened the command prompt for every version under 7.

Mitigation and Alerting

After confirming that some of our end points had vulnerable versions installed, we reached out to the owners of the systems and had them update to the latest version. We also wrote a Kibana query to receive alerts when end points run older versions of Notepad++.
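As an added example (not the team’s own hunting code or Kibana query), the following Python sketch applies the two checks this hunt relied on, the Sysmon event ID 7 image-load observation from the Hunting section and the version comparison behind the alert above, to constructed event records. The known-good hash set is a placeholder, and the field names mirror Sysmon’s event 7 data fields (Image, ImageLoaded, Hashes, Signed).

```python
from pathlib import PureWindowsPath

# Assumed allowlist of SHA256 hashes for the SciLexer.dll shipped with patched builds.
# PLACEHOLDER value: fill it from hashes of the vendor's own installers.
KNOWN_GOOD_SCILEXER = {"PLACEHOLDER_SHA256_OF_GENUINE_SCILEXER"}
FIXED_VERSION = (7, 3, 3)  # release the vendor announced as fixing the hijack

def parse_hashes(field):
    """Sysmon 'Hashes' field 'MD5=..,SHA256=..' -> {'MD5': '..', 'SHA256': '..'}."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def parse_version(text):
    """'7.3.2' -> (7, 3, 2); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def is_vulnerable_version(text):
    """True for any Notepad++ build older than the fixed release."""
    return parse_version(text) < FIXED_VERSION

def hunt_image_load(event):
    """Return findings for one event 7 record given as a dict of Sysmon data fields."""
    findings = []
    proc = PureWindowsPath(event.get("Image", ""))
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    if proc.name.lower() != "notepad++.exe":
        return findings  # this hunt only looks at Notepad++ processes
    same_dir = str(dll.parent).lower() == str(proc.parent).lower()
    if same_dir and event.get("Signed", "").lower() == "false":
        findings.append(f"unsigned DLL loaded from application directory: {dll.name}")
    if dll.name.lower() == "scilexer.dll":
        sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").upper()
        if sha256 not in KNOWN_GOOD_SCILEXER:
            findings.append(f"SciLexer.dll hash {sha256 or '<missing>'} not in known-good set")
    return findings

def hunt(events):
    """Map ProcessId -> findings over a batch of event 7 records; empty when clean."""
    report = {}
    for ev in events:
        hits = hunt_image_load(ev)
        if hits:
            report.setdefault(ev.get("ProcessId", "?"), []).extend(hits)
    return report

# Constructed sample records imitating Sysmon event 7 data fields; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\SciLexer.dll",
     "Hashes": "MD5=AAAA,SHA256=FFFF0000", "Signed": "false"},
    {"ProcessId": "4120", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Hashes": "SHA256=BBBB", "Signed": "true"},
]
```

Running hunt(SAMPLE_EVENTS) reports process 4120 twice: once for the unsigned side-by-side load and once because the SciLexer.dll hash is not in the allowlist, while the signed System32 load produces nothing.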

Conclusion

It turned out that over fifty users (including some SysAdmins on servers) were using a vulnerable version of Notepad++.exe on a daily basis. Our Hunting Process helped us build a hypothesis and ask the right question: “Could unsigned DLLs shipped with third-party applications undermine the security of our network?” Even though we could not find an exploit online, we were able in this case to write a custom exploit; we can therefore assume that an insider, or an adversary that had infiltrated our network, could have used a similar attack vector to gain persistence. One of the takeaways from this hunt is that the installation of older applications should be monitored. Antiviruses cannot prevent this kind of attack. It is thus important to examine the hashes of common software to ensure that older versions, prone to attack, are not being used. Another takeaway is that VirusTotal is a useful resource for identifying the version of a binary by looking up its hash. As the version appears in the details of an uploaded binary, Threat Hunters can download the required version to replay an attack that needs a specific version of a piece of software found in their production environment.

FURTHER READING:

https://support.microsoft.com/en-ca/help/815065/what-is-a-dll
https://docs.microsoft.com/en-us/Windows/desktop/DLLs/dllmain
https://www.exploit-db.com/search?q=notepad%2B%2B
https://www.ghacks.net/2017/03/09/notepad-7-3-3-update-fixes-cia-vulnerability/
https://www.securityweek.com/free-tool-detects-exploits-dll-hijacking-vulnerabilities
https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html
https://hi.cybereason.com/hubfs/Siofra-Research-Tool-Cybereason.pdf
