[12657] in bugtraq


Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Gerardo Richarte)
Fri Nov 19 17:43:01 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <38347505.8C2674FC@core-sdi.com>
Date:         Thu, 18 Nov 1999 18:45:25 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
From: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Pauli Ojanpera wrote:
>
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
> overflow problem with ".rtf"-files.
>
> Crashme.rtf :
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitrary
> code. WordPad crashes with EIP=41414141.
>
> Someone else do deeper investigation since I don't care to.


	I've been trying to determine if it's exploitable, and couldn't
reproduce what you described. I want to know if there is some other
information I need to know... here is what I tried:

        an rtf file with

        {\rtf\AAAAAAAAA...} a lot of As (tried 32, 49, 1000, 2000, ...
        5000 ... 20000)

        nothing happened until 5000, where I got a crash but not with
EIP==0x41414141 but with ESI==0x41414141 on a 'push [esi]'. ESI was copied
previously from the stack, but on the stack there were only 4 As here,
8 As there, and so on...
        then on 10000 As I got a different crash, with EDI==0x41414141,
but never got EIP==0x41414141.

        Anyway, it MAY be exploitable, but doesn't look simple...

        Then I tried a different approach: I got http://www.securityfocus.com,
I used a real rtf file and appended the same amount (32,49,...) of As after
the first '\', but got exactly the same results...

        could anybody reproduce this bug?

	richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com

--- For a personal reply use gera@core-sdi.com
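Added example, not part of the thread or of Core SDI's work: a defender-side checker for the malformed construct under discussion. The RTF specification caps a control word name at 32 letters, so a control word that runs far longer, as the crashme.rtf above does, can be flagged before a viewer with a fixed-size buffer parses it. The file shape and the size list are taken from the message; the function names and the benign sample are assumptions of this example.

```python
import re
from typing import List, Tuple

# The RTF specification caps a control word name at 32 letters, so a
# control word that runs far longer (as in the crashme.rtf above) is
# malformed and can be flagged before a viewer parses it.
MAX_CONTROL_WORD = 32
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)")


def overlong_control_words(data: bytes, limit: int = MAX_CONTROL_WORD) -> List[Tuple[int, int]]:
    """Return (offset, length) for every control word longer than `limit`.

    Escaped backslashes (`\\\\` in RTF) are skipped so literal text such
    as a Windows path does not produce false positives.
    """
    findings = []
    i = 0
    while i < len(data):
        if data[i:i + 2] == b"\\\\":      # escaped literal backslash
            i += 2
            continue
        m = CONTROL_WORD.match(data, i)
        if m:
            length = len(m.group(1))
            if length > limit:
                findings.append((m.start(), length))
            i = m.end()
        else:
            i += 1
    return findings


def crashme_rtf(n_letters: int) -> bytes:
    """Construct the file shape from the thread: {\\rtf\\AAA...} with n A's."""
    return b"{\\rtf\\" + b"A" * n_letters + b"}"


if __name__ == "__main__":
    # Sizes are the ones the message says were tried (constructed inputs).
    for n in (32, 49, 1000, 2000, 5000, 10000, 20000):
        hits = overlong_control_words(crashme_rtf(n))
        print(f"{n:6d} A's -> {'FLAGGED' if hits else 'ok'} {hits}")
    # A legitimate document with an escaped backslash is not flagged.
    benign = b"{\\rtf1\\ansi path C:\\\\" + b"A" * 40 + b"}"
    print("benign ->", overlong_control_words(benign))
```

Only the 32-A variant passes, since it sits exactly at the specification limit; every longer size from the thread is reported with the offset of the offending control word.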
