Death by Notepad: When a Text Editor Becomes a Remote Shell

Notepad. It is the cockroach of software—simple, indestructible, and omnipresent. For decades, it was just a wrapper for a text box. You couldn't break it because it didn't do anything. But in the infinite wisdom of modern software development, Microsoft decided Notepad needed to be 'modern.' It got tabs, it got CoPilot integration, and most fatally, it got a custom URI scheme: notepad://.

Why does a text editor need a URI scheme? Ostensibly, so web browsers and other apps can trigger it to open specific files or streams. It sounds convenient, like a digital concierge holding the door open for you. Unfortunately, this concierge is also drunk and letting in anyone who knows the secret knock.

This vulnerability is a classic case of feature creep meeting legacy insecurity. By exposing a local application to inputs from the wild web via a protocol handler, the attack surface expanded from 'local user opening a file' to 'remote attacker sending a string.' And as we'll see, Notepad wasn't ready for the conversation.

The root cause here is CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). In plain English? The application takes what you tell it and hands it to the operating system without checking if you're lying.

When you click a link like notepad://open?file=report.txt, Windows looks up the protocol handler and launches the Notepad UWP app, passing the arguments along. The modern Notepad app, likely running with runFullTrust capabilities to handle file system access, has to parse this string.

The fatal mistake was how the application handled the transition from the URI argument to the internal file-opening logic. Instead of treating the filename as a distinct, inert object, the code interpolated the input string into a command line execution context. They essentially built a bridge between the internet and cmd.exe, paved with good intentions and bad string concatenation.

Let's look at the likely pseudocode reconstruction of the vulnerable handler. This is based on the patch analysis where they moved from string-based execution to safe argument lists.

The Vulnerable Code (The 'Before'):

// Inside the Protocol Activation Handler
public void OnActivated(IActivatedEventArgs args) {
    var protocolArgs = (ProtocolActivatedEventArgs)args;
    string uriParams = protocolArgs.Uri.Query;
    
    // EXTRACT: simply parses the string after 'file='
    string filePath = ParseFileParam(uriParams);
    
    // THE SIN: String concatenation passed to a shell-aware launcher
    // They likely wanted to support legacy command line switches internally
    Process.Start("cmd.exe", "/c notepad-launcher.exe " + filePath);
}

Do you see it? If filePath contains "C:\file.txt" & calc.exe, the resulting command becomes: cmd.exe /c notepad-launcher.exe "C:\file.txt" & calc.exe

The ampersand (&) tells the shell: "Run the first thing, then run the second thing." Boom. You have RCE.

The Fixed Code (The 'After'):

// The Fix: Use ArgumentLists to prevent shell interpretation
public void OnActivated(IActivatedEventArgs args) {
    var protocolArgs = (ProtocolActivatedEventArgs)args;
    string filePath = ParseFileParam(uriParams);
 
    // SANITIZATION: Ensure it's actually a path
    if (!IsValidPath(filePath)) return;
 
    ProcessStartInfo psi = new ProcessStartInfo("notepad-launcher.exe");
    // The shell is bypassed entirely here
    psi.ArgumentList.Add(filePath);
    Process.Start(psi);
}

The patch does two things: it validates the input is actually a path, and critically, it uses the ArgumentList property (available in .NET Core/5+) which handles escaping automatically, treating the input as a single literal argument rather than a command string.

Exploiting this is trivially easy once the victim interacts. The vector is the URI handler, so we need to deliver a link. This bypasses the usual "Mark of the Web" protections because the browser explicitly hands off trust to the registered application.

The Attack Chain:

1. Craft the Payload: We want to open a dummy file to keep the user from getting suspicious, while silently running our payload. Payload: notepad://open?file="C:\Windows\System32\drivers\etc\hosts"&powershell -enc <MaliciousBase64>

2. Delivery: Send a phishing email: "URGENT: Please review the attached logs." The 'attachment' is actually a link styled to look like a file download.

3. Execution:

   • User clicks link.
   • Browser asks: "Open Windows Notepad?"
   • User clicks "Open".
   • Notepad launches.
   • cmd.exe spawns as a child process.
   • The & operator splits the command.
   • Notepad opens the hosts file (distraction).
   • Powershell executes the reverse shell in the background.

> [!NOTE] > Because the modern Notepad app is a UWP app with Full Trust, it inherits the user's full token. If the user is an Admin, you are an Admin.

RCE is always bad, but RCE in a default, trusted utility is a nightmare. Security tools (EDR/AV) often whitelist Microsoft signed binaries. Notepad.exe is one of the most trusted processes on the system. It is commonly used as a 'Living off the Land' (LOLBin) vector, but usually, that requires the attacker to already have access to run commands.

This vulnerability creates a Remote trigger for a local LOLBin. It bridges the gap between the browser and the system kernel.

• Ransomware: One click encryption of the user's documents folder.
• Persistence: The attacker can drop a startup script immediately.
• Data Exfiltration: Notepad has network capabilities (for cloud sync). It can be coerced to send data out.

This is not a theoretical academic flaw. It is a functional, weaponized exploit chain affecting millions of consumer and enterprise devices running Windows 10 and 11.

Fortunately, the fix is straightforward, provided your organization hasn't blocked the Microsoft Store (which, ironically, many enterprises do for 'security').

Immediate Action:

1. Open the Microsoft Store.
2. Go to Library > Get Updates.
3. Verify Windows Notepad is version 11.2510 or higher.

Enterprise Mitigation: If you cannot deploy the Store update immediately, you must break the kill chain. The easiest way is to unregister the protocol handler via Registry (GPO).

# PowerShell workaround to nuke the handler
Remove-ItemProperty -Path "HKCU:\Software\Classes\notepad" -Name "URL Protocol" -ErrorAction SilentlyContinue

This will break 'Open in Notepad' links from the web, but frankly, who actually uses those for legitimate business purposes?