[12730] in bugtraq

Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Gerardo Richarte)
Fri Nov 26 01:45:41 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <383C2BE8.7BD90AB9@core-sdi.com>
Date:         Wed, 24 Nov 1999 15:14:10 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
From: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Solar Eclipse wrote:

> When I tried this, I found out that code CAN be executed on the heap,
> although the heap descriptor has no execute permissions. I don't know
> why. If somebody can confirm this it would be great.

    I remember reading something about this in a book named Windows NT Device
Driver Development, let me check it out...
    Ok, here it is, on page 58, it's talking about Access Control of virtual
pages, and it says, literally, if a page can be read, it can be executed. I
remember that this took my attention for some days, then I forgot about it, until
you mentioned it.

    richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com


--- For a personal reply use gera@core-sdi.com
