Re: WordPad/riched20.dll buffer overflow

[core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)]

Pauli Ojanpera wrote:
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
> overflow problem with ".rtf"-files.
>
> Crashme.rtf :
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitary
> code. WordPad crashes with EIP=41414141.
>
> Someone else do deeper investigation since I don't care to.

        I've been trying to determine if it's exploitable, and couldn't
reproduce what you described. I want to know if there is some other
information I need to know... here is what I tried:

        an rtf file with

        {\rtf\AAAAAAAAA...} a lot of As (tryed 32,49,1000,2000,...
5000...
20000)

        nothing happened until 5000, where I got a crash but not with
EIP==
0x41414141 but with ESI==0x41414141 on a 'push [esi]'. ESI was copyed
previously from the stack, but on the stack there where only 4 As here,
8 As there, a so...
        then on 10000 As I got a different crash, with EDI==0x41414141,
but
never got EIP==0x41414141.

        Anyway, it MAY be exploitable, but doesn't look simple...

        Then I tryed a differen aproach I got
http://www.securityfocus.com, I used a real rtf file and appended
the same amount (32,49,...) of As after the first '\', but got exactly
the same results...

        could anybody reproduce this bug?

        richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Developemen - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com