Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Tue, 23 Nov 1999 16:16:56 -0000
----- Original Message -----
From: "Thomas Dullien" <dullien () gmx de>
To: <bugtraq () securityfocus com>; "Mnemonix" <mnemonix () GLOBALNET CO UK>
Sent: Tuesday, November 23, 1999 12:53 PM
Subject: Re: [BUGTRAQ] WordPad/riched20.dll buffer overflow

> On Sat, 20 Nov 1999 00:43:26 -0000, Mnemonix wrote:
> > This is exploitable. On both Windows NT4 and Windows 2000 the payload can be
>
> It is not.
My assertion was based on a cursory look and the fact that the return address _is_ overwritten. I'll bow to the greater and more in-depth analysis of USSRLABS and Solar Eclipse. No doubt, however, there will be buffer overruns elsewhere within the application and not just after the {rtf1\AA...} part. I've not actually looked, but if you do I can almost guarantee there will be more. Perhaps one of these will _not_ be restricted to A-Z and a-z, and then it would have a chance of being exploitable. For example, there is an {operator Name-Goes-Here} part of a Windows RTF file. Doing {operatorAAA.... Name} or {operator AAAA...} may cause a buffer overrun - and one where the return address is overwritten and any characters are allowed. This is mostly conjecture, however. Anyone with the time or inclination could check on this or any of the other RTF headers.
> > Windows 2000 preserves the case. Both OSs have the return address overwritten, so all you have to do is find an instruction in the memory space that does a JMP ESP - there are quite a few floating around the place.
>
> Not one lies within a range we can point EIP to.
Again, consider the above. The old adage "Seek and ye shall find" may be true here {or then maybe notAAAAAA....} ;-)
> > For anyone interested in NT buffer overruns some useful docs on the subject can be found at http://www.infowar.co.uk/mnemonix
>
> Thomas Dullien dullien () gmx de
> Win32 Security Consultant ;-> Hire me !
Cheers,
David Litchfield
http://www.infowar.co.uk
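The token shapes argued over in this thread (an overlong letter run after \rtf1, an overlong value inside an info destination such as \operator) can be checked for defensively before a file reaches a rich-edit control. The following is an added example, not code from any of the thread's authors: it tokenizes RTF text, flags control words longer than the 32-letter limit in the RTF specification, and flags info-group destinations whose text exceeds a threshold. The 255-character threshold, the list of destinations and the sample RTF strings are constructed assumptions for illustration.

```python
import re

# Constructed sample inputs (not from the original thread).
BENIGN_RTF = "{\\rtf1\\ansi{\\info{\\operator Jane Doe}}Hello}"
LONG_CONTROL_WORD = "{\\rtf1\\" + "A" * 300 + " Hello}"
LONG_OPERATOR = "{\\rtf1\\ansi{\\info{\\operator " + "A" * 600 + "}}Hello}"

# A control word is a backslash, letters, an optional numeric parameter and an
# optional delimiting space. Letters only, which is the A-Z/a-z restriction
# the thread mentions for anything that lands in this position.
CONTROL_WORD = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?")

# Info-group destinations whose content is free text. Assumed list; extend as
# needed. The [^{}]* body means nested groups inside the destination are not
# followed, which is acceptable for a length heuristic.
INFO_DESTINATION = re.compile(
    r"\{\\(operator|author|title|subject|keywords|company|comment)\s*([^{}]*)\}"
)

MAX_CONTROL_WORD = 32        # RTF specification limit on control word length
MAX_DESTINATION_TEXT = 255   # assumed policy threshold for destination text


def scan_rtf(data, max_word=MAX_CONTROL_WORD, max_text=MAX_DESTINATION_TEXT):
    """Return a list of (reason, detail) findings for suspicious token lengths.

    An empty list means no token exceeded the configured limits.
    """
    findings = []
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1)
        if len(word) > max_word:
            findings.append(("overlong control word", word[:16] + "..."))
    for m in INFO_DESTINATION.finditer(data):
        dest, text = m.group(1), m.group(2)
        if len(text) > max_text:
            findings.append(("overlong destination text", dest))
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF),
                         ("long control word", LONG_CONTROL_WORD),
                         ("long operator", LONG_OPERATOR)):
        print(name, scan_rtf(sample))
```

The heuristic reports the shape of the input only; whether a given rich-edit build is affected by it is a separate question the thread itself disputes.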