NTSecAdvice Archives: Re: WordPad/riched20.dll buffer overflow

Re: WordPad/riched20.dll buffer overflow


Doug Welsby (dougwelsbyVIDEOTRON.CA)
Fri, 19 Nov 1999 08:55:33 -0500


The problem occurs in Win 2000, RC2 Build 2128 as well.

Doug Welsby
dougwelsbyvideotron.ca

-----Original Message-----
From: Steve Manzuik [mailto:steveWIN2KSECADVICE.NET]
Sent: November 19, 1999 1:27 AM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: WordPad/riched20.dll buffer overflow

Pauli Ojanpera posted the following to BugTraq

=====================
>
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
> overflow problem with ".rtf"-files.
>
> Crashme.rtf :
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitrary
> code. WordPad crashes with EIP=41414141.
>

==============================================

I have tested this, and it definitely causes Wordpad to crash. Microsoft
has been contacted and their response will be posted here. If anyone is
able to develop this further and actually use it as an exploit let me know.

Steve Manzuik
Moderator
Win2K Security Advice

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE WIN2KSECADVICE"
** FOR A WEEKLY DIGEST, send the command "SET WIN2KSECADVICE DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
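The crash described in the quoted post is the classic shape of an RTF control-word overflow: a fixed-size name buffer filled by a copy loop that stops only at the first non-letter, so a run of 48 A's after a backslash overwrites the saved return address (hence EIP=41414141). The following is an added example, not code from the post, from Neohapsis or from Microsoft: a bounds-checked control-word reader that refuses to copy past either the RTF specification's 32-letter name limit or the caller's buffer, plus a scanner that counts such over-long control words so a document like the posted crashme.rtf can be flagged before it reaches a parser. The sample documents, the function names and the status enum are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The RTF specification limits a control-word name to 32 letters; anything
   longer is malformed, and a reader that copies it unchecked into a 32-byte
   stack buffer is exactly the bug the post describes. */
#define RTF_MAX_CONTROL_WORD 32

enum rtf_status { RTF_OK = 0, RTF_TOO_LONG = 1, RTF_NOT_CONTROL = 2 };

/* Read the control word that starts at p (p must point at the backslash)
   into out, writing at most outsz bytes. *consumed receives the number of
   input bytes to skip. A name longer than the limit is rejected before a
   single byte beyond the buffer could be written. */
enum rtf_status rtf_read_control_word(const char *p, char *out, size_t outsz,
                                      size_t *consumed)
{
    size_t n = 0;
    *consumed = 0;
    if (outsz == 0 || p[0] != '\\')
        return RTF_NOT_CONTROL;
    p++;                               /* step over the backslash */
    while (isalpha((unsigned char)p[n])) {
        /* Check before the write: neither the spec limit nor the caller's
           buffer can be exceeded, whatever the input length. */
        if (n >= RTF_MAX_CONTROL_WORD || n + 1 >= outsz) {
            out[0] = '\0';
            *consumed = 1 + n;
            return RTF_TOO_LONG;
        }
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    if (n == 0) {                      /* "\{", "\\" etc. are control symbols */
        *consumed = p[0] ? 2 : 1;
        return RTF_NOT_CONTROL;
    }
    *consumed = 1 + n;
    return RTF_OK;
}

/* Walk a whole RTF document and count control words that break the limit.
   A non-zero result is a strong signal that the file is malformed or
   crafted; plain text and escaped backslashes are skipped correctly. */
int rtf_count_overlong(const char *doc)
{
    char word[RTF_MAX_CONTROL_WORD + 1];
    size_t consumed;
    int bad = 0;
    const char *p = doc;
    while (*p) {
        if (*p == '\\') {
            enum rtf_status st =
                rtf_read_control_word(p, word, sizeof word, &consumed);
            if (st == RTF_TOO_LONG)
                bad++;
            p += consumed;
        } else {
            p++;
        }
    }
    return bad;
}

/* Constructed sample inputs: the first has the shape of the posted
   crashme.rtf (a control word far longer than 32 letters), the second is
   an ordinary well-formed document. */
static const char CRASHME_RTF[] =
    "{\\rtf\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}";
static const char BENIGN_RTF[] =
    "{\\rtf1\\ansi Hello \\b bold\\b0  world\\par}";

int main(void)
{
    printf("crashme: %d over-long control word(s)\n",
           rtf_count_overlong(CRASHME_RTF));   /* 1 */
    printf("benign:  %d over-long control word(s)\n",
           rtf_count_overlong(BENIGN_RTF));    /* 0 */
    return 0;
}
```

The reader returns a distinct status rather than silently truncating, so a caller can reject the document outright; truncating and continuing would mask the malformed input that a crash report like this one would otherwise surface.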



This archive was generated by hypermail 2.0b3 on Fri Nov 19 1999 - 08:59:20 CST