Vulnerability Development mailing list archives

Microsoft Word RTF parser buffer overflow


From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Tue, 29 Aug 2000 13:49:37 EEST

LEGAL:

By reading this mail you do agree that Microsoft
sucks. Simple.

And you also accept my crappy English on an "as is" basis.
Learn Finnish.

----------------------------------------------------
DISTRIBUTION:

No corporate entity shall be eligible for a private
preview of public information like the information
this mail contains.

Published for free use. I take all responsibility
for the actions resulting from you reading this mail.
Of course.

----------------------------------------------------
ACTUAL MESSAGE:

I've tested this only with MS Word 97, but I suppose
the same bug is present in MS Word 2000, as they
don't usually fix anything unless someone bugs them about it.

The RTF parser has a bug which can be triggered with
a .rtf file like this:
"{\rt" + 12000 'x''s + "}"

With a ~12000-byte-long keyword you get a page
fault at a position close enough to start inspecting
the overflow. Keywords 1291-1400 bytes long are more
interesting, causing pointer errors in various places.

An overly long numerical parameter to a keyword
also causes the same overflow, e.g.
"\keyword" + 12000 + '0''s

Another bug I found was that they use a one-byte-long
variable to store the keyword length. So if you
append a string 256*n bytes long after a valid
keyword, it gets treated as a normal keyword. Combining
this, I was able to overwrite a word with a zero at a selectable memory
offset but could embed only

e.g. keyword: "\ansi"+dummystring_256_n_byteslong
is treated as: "\ansi"

Another bug I found is that the file is detected
as an RTF file by the first four bytes of the file
("{\rt") rather than by a beginning "{" and a
following "\rtf" keyword. So, for example, the
parser thinks that a file that begins with
"{ \rtf" is not a valid RTF file, while I suppose
it is valid.

Another place the overflow bug triggers is in
font and style sheet name definitions, i.e.
in places where an empty Word document stored
as RTF has strings like "Times New Roman", "Normal",
"Default Paragraph Font". There you can also embed
zero bytes and others (not {, }, \, ;, CR or LF).
The only problem is you can't have strings as long
as with keywords, because Winword page faults sooner
in this case.

Damn, I tried hard to exploit it. I still haven't
abandoned all hope, but I'm lacking the motivation to
try anymore.

If this was too messy for you, I'm not sorry you read
this message this far.

Thank you. Going to do something else now.
I have had enough of it :)

