Re: Riched20.DLL attribute label buffer overflow vulnerability

["Thor Larholm" <thor () pivx com>]

Since RTF files are opened and rendered automatically by Outlook Express and
Internet Explorer, this is remotely exploitable through mail and web.

I had some problems reproducing this on Windows 2000, anyone had better
luck?


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html


----- Original Message -----
From: "Jie Dong" <Thkrdev () yoursft com>
To: <bugtraq () securityfocus com>
Sent: Sunday, February 16, 2003 2:30 PM
Subject: Riched20.DLL attribute label buffer overflow vulnerability


>
===========================================================================
> =====
> Security Defence Stdio vulnerability announcement [001]
> Riched20.DLL attribute label buffer overflow vulnerability
> URL:http:\\www.yoursft.com
> Author: Thrkdev
> finds date&#65306;2003&#24180;2&#26376;1&#26085;
> Announce date&#65306;2003&#24180;2&#26376;14&#26085;
>
> Affected system:  Microsoft Windows 98
>     Microsoft Windows 2000
>     Microsoft Windows XP
>                Perhaps,this vulnerability was still in other operating
> system, but untest .
> EMAIL:   Thkrdev () yoursft com
> ------------------------------------------------------------------------
> Technical description:
>   A buffer overflow vulnerability exists in riched20.dll,which can result
> in the collapse
> of the application program that use the corresponding function of the DLL
> module, But it is
> very difficult to have the effect of allowing an attacker to execute
> commands on a user's system.
>
>    This problem exists in the analysed RTF file code, and there is an
> overflows when drawing
> figure-string( such as the size of the character) in the file form .This
> overflow seem not to
> be used for executing commands.
>    The following RTFfile may result in illegal operation  :
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0
> \fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
> }
> "\fs" was used for setting the size of the followingly
> words "www.yoursft.com".  when the figure-string
> that set the size of the fonts exceeding 1024byte(>1024b) , it Will cause
> the buffer overflow ;And when
> exceeding 65536byte(>65536b) it will probably cause crashing the
> application program.
> This promblom Not only appear in the setting of "\fs" , other attribute
> will have the same problem under
> the similar situation. And this following  RTF files Will also result in
> operating illegally :
>    {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
> \fs180 www.yoursft.com\fs20\par
> }
> The terrible thing is nowadays lots of software was affected by this
> vulnerability. The attacker can send a
> malicious message that include exploiting the vulnerability, then when you
> read this message your program will be crashed.
>
> ------------------------------------------------------------------------
> Security Defence Stdio is a software development / technological websites,
> mainly developing NET security products ,
> the software of Security Defence Stdio --Trojan Ender--  receives users'
> extensive favorable comment