Microsoft: I have made Notepad✨
-
Microsoft: I have made Notepad

Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess
"RCE in notepad.exe"
Oh, you mean you opened notepad to demonstrate your RCE?
"NO, RCE IN NOTEPAD.EXE"
ಠ_ಠ
-
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

That’s not an RCE, is it?
@slotos @tess If I understand that text correctly, though not a security researcher, when they speak of unverified protocols and permission as that user they might be talking about Windows internal system protocols that can do things like change settings, not just basic shit like HTTP yeah? Or am I reading that wrong?
-
@slotos @HereToChewGum@fosstodon.org Which CVE do you mean exactly? The one titled "Windows Notepad App Remote Code Execution Vulnerability"?

@ipaschke Sure bud, now demonstrate an RCE scenario using this vulnerability.
Asking user to paste a text into an app and then click a certain part of it does not constitute an RCE. But what do I know, I’m not an infosec person, I just read what’s written and follow available sources.
-
@x0 If other discussions around this are to be trusted, it's using ShellExecute. So probably yes.
All in all, don’t click on interactive elements in random files opened in notepad.
-
@tess would never call it "good", but your point still stands
-
@tess
they basically added a notepad:// handler that was string concatenated to a system call, like basic SQL-injections.
So a markdown file with (simplified)
notepad://test.txt && c:\path\to\malware.exe
passed that to cmd.exe for execution.
The fix calls notepad.exe directly with passed-on param string.
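As an added illustration (constructed for this thread, not code from Notepad or from anyone above; the function names, the URI handling and the rough cmd.exe model are assumptions), the concatenation pattern just described beside the argv-based fix, with an allow-list on the target as an extra layer:

```python
import re
from urllib.parse import unquote

SCHEME_PREFIX = "notepad://"

# Constructed sample: the (simplified) payload quoted in the post above.
SAMPLE_URI = r"notepad://test.txt && c:\path\to\malware.exe"


def target_from_uri(uri: str) -> str:
    """Strip the scheme and percent-decode the rest (hypothetical handler step)."""
    if not uri.lower().startswith(SCHEME_PREFIX):
        raise ValueError("not a notepad:// URI")
    return unquote(uri[len(SCHEME_PREFIX):])


def build_command_vulnerable(uri: str) -> str:
    """Pre-fix pattern as described: one concatenated string headed for cmd.exe."""
    return "notepad.exe " + target_from_uri(uri)


def cmd_would_run(command_line: str) -> list[str]:
    """Rough model of cmd.exe parsing: '&&' splits the line into chained commands."""
    return [part.strip() for part in command_line.split("&&")]


def build_argv_fixed(uri: str) -> list[str]:
    """Post-fix pattern: spawn notepad.exe directly with the target as a single
    argv element. No shell is involved, so '&&' is just bytes in a file name."""
    return ["notepad.exe", target_from_uri(uri)]


# Conservative set of path characters; shell metacharacters are absent.
_PLAUSIBLE_TARGET = re.compile(r"^[A-Za-z0-9_.~\\/: -]+$")


def target_is_plausible(target: str) -> bool:
    """Extra defence (added here, not part of the described fix): allow-list the
    decoded target so metacharacters never reach any spawner at all."""
    return bool(_PLAUSIBLE_TARGET.fullmatch(target))
```

Percent-encoding the payload does not help an attacker here, because the allow-list runs on the decoded target.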
-
@tess it's a local client-side bug, not an rce, so really you can also mock them for doing some 15yo bug embellishment shit too
@0x00string @tess I have had personal experience with msrc liberally applying rce as well.
I get their argument. Because it can be triggered by a user clicking on a link to open remote content, they classify that as rce.
Pretty much any pattern where a user can be coerced remotely will likely get an rce tag is my guess.
But it does mean that other patterns of passive listening vulnerabilities can get watered down.
-