Peeking Under the Hood of Modern Day Editors

Hello everyone, it’s been a while since my last post, almost a year actually. I got caught up with some real-world stuff like working and studying, and it did not leave me with much time to write blogs. So without further ado, let us get into this one.

So it all began while discussing red teaming a couple of weeks back at one of our monthly OWASP meetups, when it dawned upon me that a lot of folks (including myself, guilty as charged) use these modern-day text editors, installed or portable (who has time to waste raising a ticket with the IT team to install an editor, am I right?), and that these so-called unsaved files retain the content we write to them even after the system has been powered down. This led me to realize that these files are being stored somewhere on the system!

So, I decided to peek under the hood of a few commonly used text editors to find which of them had this behavior, and where they saved these so-called “unsaved” files.

Below is the list of commonly used text editors I played around with. (I focused on Windows this time.)

  1. Notepad++
  2. Sublime Text
  3. Brackets
  4. Geany
  5. Visual Studio Code

3 out of these 5 text editors had the behavior of saving “unsaved” files!

Below are the paths and other details of the text editors which exhibited the above behavior. I have also listed a PowerShell one-liner for each, which fetches the contents of these files and writes them into the C:\Windows\Temp directory, with a file name corresponding to the text editor.

Notepad++, Sublime Text, and Visual Studio Code were the three editors to show this behavior. These are quite popular editor choices among technical and non-technical users alike, which makes them a lucrative target to find current and “forgotten” data which can help you in furthering your agenda.

Note: Here the example path for portable versions of the editors is considered to be the Downloads folder of the user.

Notepad++

Notepad++ stores data in different locations based on installation (system or portable). It creates a new file for every new tab created; each file name starts with the string new, followed by a number.

Below is the list of paths where Notepad++ saves this “unsaved” data, for version 7.8.5:

Portable versions

  • 32-bit: C:\Users\{username}\Downloads\npp.7.8.5.bin\backup
  • 64-bit: C:\Users\{username}\Downloads\npp.7.8.5.bin.x64\backup

Installed versions

  • 32 & 64 bit : C:\Users\{username}\AppData\Roaming\Notepad++\backup\

The files in the paths above follow a pretty simple naming convention:

new #@yyyy-mm-dd_hhmmss

Example: new 2@2020-03-15_010203

Sublime Text Editor

Sublime also stores data in different locations based on installation (system or portable).

However, the interesting thing about Sublime was that, unlike Notepad++, it did not create a separate file for each new file created in the editor. Instead, it stored all of them in a single file called Session.sublime_session, which appears to have a JSON-like structure. In this file, each new file was stored in the buffers section under contents. The entire content was stored as a single line, with \n as the separator for each new line in the buffer.

Below is the list of paths where Sublime Text saves this “unsaved” data, for version 3 build 3211:

Portable versions

  • 32-bit: C:\Users\{username}\Downloads\Sublime Text 3 Build 3211\Data\Local
  • 64-bit: C:\Users\{username}\Downloads\Sublime Text 3 Build 3211 x64\Data\Local

Installed versions

  • 32 & 64 bit : C:\Users\{username}\AppData\Roaming\Sublime Text 3\Local\

Visual Studio Code

Unlike Sublime and Notepad++, Visual Studio Code saved the unsaved data in the same path regardless of how the editor was installed (it took me hours to figure this out for the portable versions of Visual Studio Code). Additionally, its storage behavior was also different: it created a random numeric folder in which it housed the unsaved data. The catch? The file names here were random hexadecimals too!

Below is the list of paths where Visual Studio Code saves this “unsaved” data, for version 1.4.30:

Installed & Portable Versions

  • 32 & 64 bit : C:\Users\{username}\AppData\Roaming\Code\Backups\

Conclusion

If these text editors are being used for day-to-day purposes, they could be housing sensitive information, for example: passwords, usernames, IP addresses, tables, formatted data, notes, workflows and more. The data here, though only used temporarily, can have an adverse impact from a security perspective. The data found here could be of interest to red teams and penetration testers while conducting an assessment.
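For defenders who want to measure this exposure, the following added example (not code from the original post) reports how much "unsaved" data each user profile holds in the installed-version paths listed above, using file metadata and buffer counts only. It assumes profiles live under C:\Users, that VS Code backup names match the 32-hex pattern used in this post, and that Session.sublime_session parses as JSON with a windows[].buffers[] layout; the function and variable names are hypothetical.

```powershell
# Added example: metadata-only audit of the per-user "unsaved file" stores
# listed in this post. File contents are never written to the output.
$Stores = @(
    @{ Editor = 'Notepad++';    Path = 'AppData\Roaming\Notepad++\backup';     Name = '.' }
    @{ Editor = 'Sublime Text'; Path = 'AppData\Roaming\Sublime Text 3\Local'; Name = '^Session\.sublime_session$' }
    @{ Editor = 'VS Code';      Path = 'AppData\Roaming\Code\Backups';         Name = '^[a-f0-9]{32}$' }
)

function Get-SublimeUnsavedCount {
    param([string]$SessionFile)
    # Counts buffers that carry inline "contents" (assumed windows[].buffers[]
    # layout). Returns -1 when the file cannot be read or parsed as JSON.
    try {
        $session = Get-Content -LiteralPath $SessionFile -Raw -ErrorAction Stop | ConvertFrom-Json
        $count = 0
        foreach ($w in $session.windows) {
            $count += @($w.buffers | Where-Object { $_.contents }).Count
        }
        return $count
    } catch { return -1 }
}

function Get-EditorResidue {
    param([string]$ProfileRoot = 'C:\Users')   # assumption: default profile root
    $profiles = Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        foreach ($s in $Stores) {
            $dir = Join-Path $p.FullName $s.Path
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $files = @(Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -match $s.Name })
            if ($files.Count -eq 0) { continue }
            $unsaved = $files.Count
            if ($s.Editor -eq 'Sublime Text') { $unsaved = Get-SublimeUnsavedCount $files[0].FullName }
            [pscustomobject]@{
                User    = $p.Name
                Editor  = $s.Editor
                Unsaved = $unsaved      # files, or dirty buffers for Sublime Text
                Bytes   = ($files | Measure-Object -Property Length -Sum).Sum
                Oldest  = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
                Path    = $dir
            }
        }
    }
}

Get-EditorResidue | Sort-Object Oldest | Format-Table -AutoSize
```

Run it elevated to cover every profile; without elevation it only sees the profiles the current user can read. The editors stop writing these files when hot exit is disabled: "files.hotExit" set to "off" in VS Code, "hot_exit" set to false in Sublime Text, and "Enable session snapshot and periodic backup" unticked in the Notepad++ Backup preferences.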

PowerShell One-Liners

Notepad++

Get-ChildItem C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { !$_.PSIsContainer -and [System.IO.Path]::GetFileNameWithoutExtension($_.Name) -match "new ([0-9]{1,3})@" } | ForEach-Object { Get-Content $_.FullName | Add-Content C:\Windows\Temp\npp.txt }

Sublime Text

Get-ChildItem C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { !$_.PSIsContainer -and ([System.IO.Path]::GetFileNameWithoutExtension($_.Name) -match "Session\.sublime_session\.lnk" -or $_.Name -match "Session\.sublime_session") } | ForEach-Object { Get-Content $_.FullName | Select-String content | Add-Content C:\Windows\Temp\subl.txt }

Visual Studio Code

Get-ChildItem $home\AppData\Roaming\Code\Backups -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { !$_.PSIsContainer -and [System.IO.Path]::GetFileNameWithoutExtension($_.Name) -match "\b([a-f0-9]){32}\b" } | ForEach-Object { Get-Content $_.FullName | Add-Content C:\Windows\Temp\vsc.txt }

Thank you everyone for reading. Please let me know your thoughts in the comments, or feel free to reach out to me on Twitter & LinkedIn!

A special thanks to my family & friends for their constant support and encouragement!

Until Next Time~
