Researcher Exploits Microsoft’s Notepad to ‘Pop a Shell’

Google Project Zero researcher unearths a bug in Microsoft’s Notepad Windows application.

A memory corruption bug in Microsoft's Windows Notepad application can be exploited to "pop a shell", giving an attacker arbitrary code execution on the machine, typically the first foothold when infiltrating a system.

The bug was found by Tavis Ormandy, a bug hunter with Google's Project Zero team. In a tweet he described it as a memory corruption flaw in Notepad, the basic text editor that has shipped with every version of Windows since 1985.

“Am I the first person to pop a shell in notepad?” Ormandy asked in a tweet. He followed with, “This is a real memory corruption exploit, I’ve reported it to MSRC (Microsoft Security Response Center). Surprising number of people replied thinking I was just right clicking stuff…. I said ‘it’s a real bug’ 😆 It took me all weekend to find good CFG (Control Flow Guard) gadgets, just showing off.”

The researcher said further details would be published after 90 days, under Project Zero's disclosure policy, or earlier once Microsoft ships a patch.

“All I can say is it’s a serious security bug, and we’ve given Microsoft up to 90 days to address it (as we do with all the vulns we report). That’s all I can share,” he wrote in a tweet dialogue on Friday.

It’s impressive to get this attack to work at all, said Dan Kaminsky, chief scientist and founder at White Ops. “Notepad is exposing so little of an attack surface it’s notable that it is still enough to give an attacker the ability to run arbitrary code,” Kaminsky said. “That’s not to say that given the little amount of what Notepad does there isn’t room for something to go wrong.”

Publicly exploiting Notepad to "pop a shell" had not been documented before. "Popping a shell" is shorthand for an attack in which the adversary exploits a target and obtains an interactive command shell on it, i.e. the ability to run arbitrary commands, often over a remote connection.

Chaouki Bekrar, founder of Zerodium, a company that buys zero-day vulnerabilities, chimed in via Twitter saying that the Notepad application has been exploited in the past, just not publicly. In a tweet responding to Ormandy he wrote: “No Tavis, you’re not the first person to pwn notepad with a nice memory corruption BUT you’re probably the first one to report it to MS ;-)”

However, the bug's practical impact as a security threat is limited: a remote attacker would first have to get Notepad launched on the target and parsing a malicious file before the shell could be popped.

“Is this a benign thing? Or is this a real threat? Well, you have to ask yourself can an attacker cause Notepad to be launched, and to cause it to parse one of these files. Because if you can’t get to a specific application, it doesn’t matter if there’s a bug there,” Kaminsky said.

He noted that Internet Explorer, including IE 11, could previously be manipulated to launch Notepad as part of an attack. “But today, post IE mitigations, there is no way to launch Notepad on a system unless you’re sitting at the computer,” Kaminsky said.

Many researchers weighing in on Twitter reached the same consensus: nobody should run for the hills over Notepad as a threat vector.

“So one might think, okay, maybe you have access to corrupt the memory. But can you get around Control Flow Guard? Can you get around the ASLR? Can you get around all the things that we’ve done to try to help end users survive attacks? Even with those constraints, the answer is ‘no’ he still got it working,” Kaminsky said.

Asked what he might call the bug, Ormandy said “NoteBad”.

Discussion

  • Eugene Zawadzki on

    It is possible to use the Instruction Pointer (a register containing the address of the next instruction to be executed) as a means to detect and repel an intruder. I estimate a 25 to 40% decrease in CPU throughput from monitoring the IPs for attempts by an unregistered process to assume control. I'm told that's too high a price to pay. My response has been that CPUs are cheap enough to dedicate one or more to protecting the rest. In fact, the protected assets need not even be on the sentinel machine.
  • 8itchy on

    Not remotely surprised. MS cares so little about Notepad they didn't bother fixing serious bugs for 25 years. Every single time you saved the file, it would rewind your cursor position by a fraction proportional to how much you typed since the last time you saved. If you're a compulsive saver, as everyone who's ever lost data is, it was an infuriating time waster. But I put up with it anyway, because MSWord is so obnoxious and slow and "helpful" that I'd rather use a buggy text editor from the 1980s. I use Notepad++ now, so I'm happy to no longer have a dog in the fight against MS's crappy text editors.
  • AB on

    The Notepad source code is included as one of the sample apps included in the Windows SDK. It might be worth a look.