Re: WordPad/riched20.dll buffer overflow
Doug Welsby (dougwelsby@VIDEOTRON.CA)
Fri, 19 Nov 1999 08:55:33 -0500
The problem occurs in Win 2000, RC2 Build 2128 as well.
Doug Welsby
dougwelsby@videotron.ca
-----Original Message-----
From: Steve Manzuik [mailto:steve@WIN2KSECADVICE.NET]
Sent: November 19, 1999 1:27 AM
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Subject: WordPad/riched20.dll buffer overflow
Pauli Ojanpera posted the following to BugTraq
=====================
>
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
> overflow problem with ".rtf"-files.
>
> Crashme.rtf :
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitrary
> code. WordPad crashes with EIP=41414141.
>
==============================================
I have tested this, and it definitely causes Wordpad to crash. Microsoft
has been contacted and their response will be posted here. If anyone is
able to develop this further and actually use it as an exploit let me know.
Steve Manzuik
Moderator
Win2K Security Advice
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE WIN2KSECADVICE"
** FOR A WEEKLY DIGEST, send the command "SET WIN2KSECADVICE DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
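A defender-side check for the malformed RTF described in the thread above, added here as an example and not code from the original posts: the RTF specification caps a control word at 32 letters, so a file whose control word runs far past that (like the Crashme.rtf line quoted above) can be flagged before it reaches a vulnerable reader. The 32-letter threshold, the function names and the sample files are my assumptions.

```python
"""Flag RTF files carrying oversized control words (the Crashme.rtf pattern)."""
import sys

# RTF control words are a backslash followed by ASCII letters; the spec limits
# them to 32 letters. Anything longer is malformed and worth quarantining.
MAX_CONTROL_WORD_LEN = 32  # assumption: treat longer names as malformed


def is_rtf(data: bytes) -> bool:
    """True if the bytes start with an RTF group header."""
    return data.lstrip().startswith(b"{\\rtf")


def oversized_control_words(data: bytes, limit: int = MAX_CONTROL_WORD_LEN):
    """Return (offset, length) for each control word longer than `limit`.

    A tiny scanner rather than a regex so that control symbols such as an
    escaped backslash ("\\\\") followed by letters are not miscounted as a
    control word.
    """
    findings = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x5C:  # not a backslash: ordinary document text
            i += 1
            continue
        start, j = i, i + 1
        while j < n and data[j:j + 1].isalpha():  # ASCII letters only for bytes
            j += 1
        if j == i + 1:
            # Control symbol ("\\", "\{", "\'" ...): one byte, never a word.
            i += 2
            continue
        if j - (i + 1) > limit:
            findings.append((start, j - (i + 1)))
        i = j
    return findings


def verdict(data: bytes) -> str:
    """'not-rtf', 'clean', or 'suspicious' for the given file contents."""
    if not is_rtf(data):
        return "not-rtf"
    return "suspicious" if oversized_control_words(data) else "clean"


# Constructed samples: a benign document and a copy of the posted crash file.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello, world.}"
CRASHME_RTF = b"{\\rtf\\" + b"A" * 48 + b"}"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {verdict(fh.read())}")
```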
This archive was generated by hypermail 2.0b3 on Fri Nov 19 1999 - 08:59:20 CST