Vulnerability Development mailing list archives
Microsoft Word RTF parser buffer overflow
From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Tue, 29 Aug 2000 13:49:37 EEST
LEGAL: By reading this mail you agree that Microsoft sucks. Simple. You also accept my crappy English on an "as is" basis. Learn Finnish.

----------------------------------------------------

DISTRIBUTION: No corporate entity shall be eligible for a private preview of public information like the information this mail contains. Published for free use. I take all responsibility for the actions resulting from you reading this mail. Of course.

----------------------------------------------------

ACTUAL MESSAGE:

I've tested this only with MS Word 97, but I suppose the same bug is present in MS Word 2000, as they don't usually fix anything without being bugged about it.

The RTF parser has a bug which can be triggered with a .rtf file like this:

    "{\rt" + 12000 'x's + "}"

With a ~12000-byte-long keyword you get a page fault at a position close enough to start inspecting the overflow. Keywords 1291-1400 bytes long are more interesting, causing pointer errors in various places.

An overly long numerical parameter to a keyword also causes the same overflow, i.e.

    "\keyword" + 12000 '0's

Another bug I found is that they use a one-byte-long variable to store the keyword length. So if you append a string 256*n bytes long after a valid keyword, it gets treated as a normal keyword. Combining this, I was able to overwrite a word with a zero at a selectable memory offset, but could embed only i.e. keyword:

    "\ansi" + dummystring_256_n_byteslong   is treated as:   "\ansi"

Another bug I found is that the file is detected as an RTF file by the first four bytes of the file ("{\rt") rather than by a beginning "{" and a following "\rtf" keyword. So, for example, the parser thinks that a file that begins with "{ \rtf" is not a valid RTF file, while I suppose it to be valid.

Another place the overflow bug triggers is in font and style sheet name definitions, i.e. in the places where an empty Word document stored as RTF has strings like "Times New Roman", "Normal", "Default Paragraph Font". There you can also embed zero bytes and others (not {, }, \, ;, CR or LF). The only problem is that you can't have strings as long as with keywords, because Winword page faults sooner in this case.

Damn, I tried hard to exploit it. I still haven't abandoned all hope, but I'm lacking the motivation to try anymore.

If this was too messy for you, I'm not sorry you read this message this far. Thank you. Going to do something else now. I have had enough of it :)
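The three parser behaviours the post describes (the four-byte "{\rt" sniff, the one-byte keyword-length counter that wraps every 256 letters, and the long-keyword / long-parameter trigger files) modelled in C beside hardened equivalents. This is an added example, not the poster's code and not Word's: the scanners below reproduce the behaviour the post reports so the wrap can be seen, the RTF_MAX_KEYWORD cap and the scan_padded_ansi / write_trigger helpers are assumptions made for the example, and the "\ansi" + padding input it feeds itself is constructed.

```c
/*
 * Added example: models the RTF sniff and keyword-length defects described in
 * the post beside hardened versions, and writes the trigger files the post
 * lists. Not the poster's code; Word's internals are inferred from the post.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: an upper bound for control-word length. Real
 * RTF control words are short runs of ASCII letters, far below this. */
#define RTF_MAX_KEYWORD 32

/* Sniff as the post describes Word doing it: only the first four bytes. */
int naive_is_rtf(const char *buf, size_t len)
{
    return len >= 4 && memcmp(buf, "{\\rt", 4) == 0;
}

/* Structural sniff: '{', optional whitespace, then a complete \rtf keyword,
 * so "{ \rtf1" is accepted and "{\rtxxxx" is not. */
int strict_is_rtf(const char *buf, size_t len)
{
    size_t i = 0;
    if (len == 0 || buf[i++] != '{')
        return 0;
    while (i < len && isspace((unsigned char)buf[i]))
        i++;
    if (len - i < 4 || memcmp(buf + i, "\\rtf", 4) != 0)
        return 0;
    i += 4;
    /* the letters must stop here; "\rtfoo" would be a different keyword */
    return i == len || !isalpha((unsigned char)buf[i]);
}

/* Number of ASCII letters following the backslash at buf[0]. */
static size_t letter_run(const char *buf, size_t len)
{
    size_t n = 0;
    if (len == 0 || buf[0] != '\\')
        return 0;
    while (1 + n < len && isalpha((unsigned char)buf[1 + n]))
        n++;
    return n;
}

/* Models the one-byte length counter: the count is stored modulo 256, so
 * "\ansi" followed by 256*n letters is copied as the 4-letter keyword "ansi". */
int buggy_keyword(const char *buf, size_t len, char *out, size_t outsz)
{
    uint8_t kwlen = (uint8_t)letter_run(buf, len);   /* truncating store: the defect */
    if (kwlen >= outsz)
        return -1;
    memcpy(out, buf + 1, kwlen);
    out[kwlen] = '\0';
    return kwlen;
}

/* Hardened: full-width count, rejected before any copy if it exceeds the cap. */
int safe_keyword(const char *buf, size_t len, char *out, size_t outsz)
{
    size_t n = letter_run(buf, len);
    if (n == 0 || n > RTF_MAX_KEYWORD || n >= outsz)
        return -1;
    memcpy(out, buf + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input "\ansi" + pad 'x' letters + "}", fed to either scanner.
 * Returns the keyword length reported, -1 if rejected, -2 if pad is too big. */
int scan_padded_ansi(size_t pad, int hardened)
{
    static char in[4096], kw[64];
    size_t len;
    if (pad > sizeof in - 8)
        return -2;
    len = (size_t)snprintf(in, sizeof in, "\\ansi");
    memset(in + len, 'x', pad);
    len += pad;
    in[len++] = '}';
    return hardened ? safe_keyword(in, len, kw, sizeof kw)
                    : buggy_keyword(in, len, kw, sizeof kw);
}

/* Write "{\" + keyword + n*fill + "}" to path: fill='x' gives the post's long
 * control word, fill='0' its long numeric parameter. Returns bytes written. */
size_t write_trigger(const char *path, const char *keyword, char fill, size_t n)
{
    FILE *f = fopen(path, "wb");
    size_t total = 0;
    if (!f)
        return 0;
    total += fwrite("{\\", 1, 2, f);
    total += fwrite(keyword, 1, strlen(keyword), f);
    for (size_t i = 0; i < n; i++)
        total += fwrite(&fill, 1, 1, f);
    total += fwrite("}", 1, 1, f);
    fclose(f);
    return total;
}

int main(void)
{
    printf("long keyword file: %zu bytes\n", write_trigger("long_kw.rtf", "rt", 'x', 12000));
    printf("long parameter file: %zu bytes\n", write_trigger("long_param.rtf", "rtf", '0', 12000));
    printf("sniff of \"{ \\rtf1\": naive %d, strict %d\n",
           naive_is_rtf("{ \\rtf1", 7), strict_is_rtf("{ \\rtf1", 7));
    printf("\\ansi + 256 letters: buggy scanner %d, hardened %d\n",
           scan_padded_ansi(256, 0), scan_padded_ansi(256, 1));
    return 0;
}
```

The two trigger files reproduce exactly the byte patterns from the post and are only useful against a copy of the affected Word build; the scanners are the part worth reusing, since the fix for this class of bug is the same everywhere: count in a full-width type and reject before copying, and identify the format structurally rather than by a fixed prefix.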
Current thread:
- Microsoft Word RTF parser buffer overflow Pauli Ojanpera (Aug 29)
- Re: Microsoft Word RTF parser buffer overflow 3APA3A (Aug 30)
- <Possible follow-ups>
- Re: Microsoft Word RTF parser buffer overflow Sherrod, Andrew (Aug 30)