Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)
Date: Thu, 18 Nov 1999 18:45:25 -0300
Pauli Ojanpera wrote:

> Just if someone needs to know... Win98/NT4 Riched20.dll (which WordPad uses)
> has a classic buffer overflow problem with ".rtf"-files.
>
> Crashme.rtf :
>
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitrary code.
> WordPad crashes with EIP=41414141. Someone else do deeper investigation
> since I don't care to.
I've been trying to determine if it's exploitable, and couldn't reproduce what you described. I want to know if there is some other information I need to know... here is what I tried:

An rtf file with {\rtf\AAAAAAAAA...}, a lot of As (tried 32, 49, 1000, 2000, ... 5000 ... 20000). Nothing happened until 5000, where I got a crash, but not with EIP == 0x41414141; instead ESI == 0x41414141 on a 'push [esi]'. ESI was copied previously from the stack, but on the stack there were only 4 As here, 8 As there, and so on... Then on 10000 As I got a different crash, with EDI == 0x41414141, but never got EIP == 0x41414141. Anyway, it MAY be exploitable, but doesn't look simple...

Then I tried a different approach: I got http://www.securityfocus.com, used a real rtf file and appended the same amount (32, 49, ...) of As after the first '\', but got exactly the same results...

Could anybody reproduce this bug?

richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com
---
For a personal reply use gera () core-sdi com
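The crash both posters describe comes from an overlong RTF control-word name (the run of As after a backslash) landing in a fixed-size buffer inside the reader. As an added example, not code from either poster or from riched20.dll, the following C scans an RTF byte string for control-word names longer than a limit, and shows the bounded copy a hardened reader would use instead of an unchecked one. The 32-letter limit is the RTF specification's maximum control-word length and is an assumption here; the sample documents are constructed, with the crashme-style one carrying a 48-letter name like the one quoted above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest control-word name the RTF specification allows (assumed value,
 * taken from the spec's 32-letter limit, not from the thread). A reader that
 * copies names into a fixed buffer without honouring some such bound is the
 * kind of defect the crash in the thread points to. */
#define RTF_MAX_CONTROL_WORD 32

/* Walk an RTF byte string and return the length of the longest control-word
 * name it contains. A control word is a backslash followed by ASCII letters;
 * a backslash followed by anything else is a control symbol (e.g. \\ or \{)
 * and is consumed as a single unit so it is not mistaken for a word start. */
size_t longest_control_word(const char *rtf)
{
    size_t i = 0, len = strlen(rtf), longest = 0;

    while (i < len) {
        if (rtf[i] != '\\') { i++; continue; }
        i++;                              /* skip the backslash */
        if (i < len && !isalpha((unsigned char)rtf[i])) {
            i++;                          /* control symbol: one byte, no name */
            continue;
        }
        size_t start = i;
        while (i < len && isalpha((unsigned char)rtf[i])) i++;
        if (i - start > longest) longest = i - start;
    }
    return longest;
}

/* Returns 1 if any control-word name exceeds RTF_MAX_CONTROL_WORD, else 0.
 * This is the pre-check a hardened reader (or a mail/web gateway filter)
 * would run before handing the document to a parser with fixed buffers. */
int rtf_has_overlong_control_word(const char *rtf)
{
    return longest_control_word(rtf) > RTF_MAX_CONTROL_WORD;
}

/* Bounded copy of one control-word name into a fixed buffer: the hardened
 * counterpart of an unchecked copy. Returns the number of letters copied;
 * never writes more than dstsize-1 letters plus the terminator, and stops at
 * the first non-letter, so overlong names are truncated rather than overflow. */
size_t copy_control_word(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    if (dstsize == 0) return 0;
    while (n + 1 < dstsize && isalpha((unsigned char)src[n])) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed samples: a benign document and a crashme-style one with
     * a 48-letter control word like the one quoted in the thread. */
    const char *benign = "{\\rtf1\\ansi\\par hello \\\\ world}";
    const char *crashme = "{\\rtf\\"
        "AAAAAAAAAAAA" "AAAAAAAAAAAA" "AAAAAAAAAAAA" "AAAAAAAAAAAA" "}";
    char name[RTF_MAX_CONTROL_WORD + 1];

    printf("benign:  longest=%zu overlong=%d\n",
           longest_control_word(benign), rtf_has_overlong_control_word(benign));
    printf("crashme: longest=%zu overlong=%d\n",
           longest_control_word(crashme), rtf_has_overlong_control_word(crashme));
    /* crashme + 6 points at the first letter of the overlong name */
    printf("bounded copy kept %zu letters: %s\n",
           copy_control_word(crashme + 6, name, sizeof name), name);
    return 0;
}
```

The scanner is deliberately simple: it does not interpret groups or the `\bin` control word's raw payload, so it is a cheap filter for the specific shape of input in this thread rather than a full RTF parser.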