DLL hijacking in Notepad++ version 8.5.4 #13964

@wowter-code

Description

Notepad++ versions 8.5.4 and earlier are vulnerable to DLL hijacking, which allows attackers to execute arbitrary code by placing any of the following DLLs in the same directory as notepad++.exe:

  • C:\Program Files\Notepad++\MSASN1.dll
  • C:\Program Files\Notepad++\TextShaping.dll
  • C:\Program Files\Notepad++\iertutil.dll

Steps to Reproduce the Issue

  1. To identify DLLs that are called but not found during execution, the following filters can be used in the Sysinternals Process Monitor tool:

     [screenshot]

  2. After monitoring the process, the DLLs marked in red were found to be exploitable:

     [screenshot]

  3. To test the attack, a DLL file was created with Cobalt Strike, renamed to MSASN1.dll and placed at C:\Program Files\Notepad++\MSASN1.dll using the PowerShell command:

     Copy-Item .\test.dll "C:\Program Files\Notepad++\MSASN1.dll"

  4. Stop and start the notepad++ process with the commands:

     Stop-Process -Name notepad++
     Start-Process -FilePath "C:\Program Files\Notepad++\notepad++.exe"

  5. A reverse shell (beacon) is obtained in Cobalt Strike:

     [screenshot]

  6. Perform cleanup with the following commands:

     Stop-Process -Name notepad++
     Remove-Item "C:\Program Files\Notepad++\MSASN1.dll"

  7. The process is the same for hijacking the DLLs:

     C:\Program Files\Notepad++\TextShaping.dll
     C:\Program Files\Notepad++\iertutil.dll

Expected Behavior

The notepad++.exe application should not look for nonexistent DLLs at runtime.

Actual Behavior

The notepad++.exe application loads and executes the malicious DLLs provided, leading to arbitrary code execution.

Note: All of the NOT FOUND DLLs were tested, but the others did not work because their entry points generated errors at runtime.
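As an added defender-side example (not part of this issue and not code from the Notepad++ project), the PowerShell script below audits a Notepad++ installation directory for the three DLL names listed in the report and for directory permissions that would let a standard user place a file there. The default install path and the list of "broad" principals checked in the ACL are assumptions; adjust them for the environment being audited.

```powershell
# Added audit example (not from the issue): checks a Notepad++ install directory
# for the DLL names named in the report and for weak directory permissions.
param(
    [string]$InstallDir = "C:\Program Files\Notepad++"   # assumed default install path
)

# DLL names the report lists as loaded from the application directory when not found elsewhere
$watchList = @('MSASN1.dll', 'TextShaping.dll', 'iertutil.dll')

$findings = @()

foreach ($name in $watchList) {
    $path = Join-Path $InstallDir $name
    if (Test-Path -LiteralPath $path) {
        # A file with one of these names beside notepad++.exe is unexpected;
        # record its Authenticode status so a responder can triage it.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Check  = 'UnexpectedDll'
            Path   = $path
            Detail = "Signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
        }
    }
}

# Planting a DLL here requires write access to the directory. Flag Allow ACEs that
# grant write/modify rights to broad principals (assumed list; the default
# Program Files ACL does not grant these to standard users).
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$acl = Get-Acl -LiteralPath $InstallDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $ace.IdentityReference.Value -and
        ($ace.FileSystemRights -band $writeMask) -ne 0) {
        $findings += [pscustomobject]@{
            Check  = 'WeakDirectoryAcl'
            Path   = $InstallDir
            Detail = "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings for $InstallDir"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the ACL read is not itself denied; a non-empty `UnexpectedDll` finding is something to triage (a signed Microsoft copy of one of these DLLs is not expected in this directory either), and a `WeakDirectoryAcl` finding is the precondition that turns the reported search-order behaviour into a local privilege or persistence risk.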
