[28965] in bugtraq
Re: Riched20.DLL attribute label buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Thor Larholm)
Fri Feb 21 16:04:14 2003
Message-ID: <00bc01c2d994$001f1760$858370d4@wks.jubii.dk>
From: "Thor Larholm" <thor@pivx.com>
To: "Jie Dong" <Thkrdev@yoursft.com>, <bugtraq@securityfocus.com>
Date: Fri, 21 Feb 2003 11:28:39 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Since RTF files are opened and rendered automatically by Outlook Express and
Internet Explorer, this is remotely exploitable through mail and web.
I had some problems reproducing this on Windows 2000; has anyone had better
luck?
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html
----- Original Message -----
From: "Jie Dong" <Thkrdev@yoursft.com>
To: <bugtraq@securityfocus.com>
Sent: Sunday, February 16, 2003 2:30 PM
Subject: Riched20.DLL attribute label buffer overflow vulnerability
>
> ================================================================================
> Security Defence Stdio vulnerability announcement [001]
> Riched20.DLL attribute label buffer overflow vulnerability
> URL:http:\\www.yoursft.com
> Author: Thrkdev
> Date found: February 1, 2003
> Date announced: February 14, 2003
>
> Affected system: Microsoft Windows 98
> Microsoft Windows 2000
> Microsoft Windows XP
> This vulnerability may also exist in other operating systems, but this is
> untested.
> EMAIL: Thkrdev@yoursft.com
> ------------------------------------------------------------------------
> Technical description:
> A buffer overflow vulnerability exists in riched20.dll, which can crash any
> application program that uses the affected function of the DLL module, but it
> is very difficult to turn it into a way for an attacker to execute commands on
> a user's system.
>
> The problem is in the RTF file parsing code: there is an overflow when parsing
> the digit string (for example, the character size) in the file. This overflow
> does not seem usable for executing commands.
> The following RTF file may result in an illegal operation:
> The following RTFfile may result in illegal operation :
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0
> \fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
> }
> "\fs" is used to set the size of the words that follow it, "www.yoursft.com".
> When the digit string that sets the font size exceeds 1024 bytes (>1024b), it
> will cause a buffer overflow; and when it exceeds 65536 bytes (>65536b) it will
> probably crash the application program.
> This problem appears not only in the setting of "\fs"; other attributes have
> the same problem in the same situation. The following RTF file will also result
> in an illegal operation:
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
> \fs180 www.yoursft.com\fs20\par
> }
> The terrible thing is that nowadays lots of software is affected by this
> vulnerability. An attacker can send a malicious message that exploits the
> vulnerability, and when you read this message your program will crash.
>
> ------------------------------------------------------------------------
> Security Defence Stdio is a software development / technology website, mainly
> developing network security products; the software of Security Defence Stdio,
> Trojan Ender, receives extensive favorable comments from users.
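Added example, written for this page and not code from the advisory's author or from PivX: the bug class described above is a fixed-size buffer receiving an unbounded digit string after a control word such as \fs or \f. The scanner below measures every control-word parameter in an RTF body without copying it, so a mail gateway or a hardened reader can reject the advisory's samples before they reach riched20.dll; rtf_parse_param() shows the bounded conversion a parser should do instead. The 6-character limit assumes the RTF 1.x rule that parameters are signed 16-bit integers; the probe built by make_fs_rtf() is constructed here, modelled on the advisory's first sample, and the ADVISORY_SAMPLE_* constants are that advisory's own two files as C literals.

```c
/* Added example: bounds-checked handling of RTF control-word parameters. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumption: RTF 1.x defines parameters as signed 16-bit decimal integers, so a
 * well-formed one is at most 6 characters ("-32768"). Anything longer is either
 * malformed or aimed at a fixed-size buffer. */
#define RTF_PARAM_MAX_DIGITS 6
#define RTF_PARAM_INVALID    LONG_MIN
#define PROBE_MAX_DIGITS     65536

struct rtf_scan {
    size_t words;      /* control words seen */
    size_t longest;    /* length of the longest parameter string, sign included */
    size_t oversized;  /* parameters longer than the caller's limit */
    char   word[32];   /* control word that carried the longest parameter */
};

/* Walk the RTF text, find each control word ("\" + ASCII letters) and measure the
 * optional "-"digits parameter that follows it. Pointer arithmetic only, no copies. */
static struct rtf_scan rtf_scan_params(const char *rtf, size_t limit)
{
    struct rtf_scan out;
    const unsigned char *p = (const unsigned char *)rtf;
    memset(&out, 0, sizeof out);
    if (!rtf) return out;

    while (*p) {
        if (*p++ != '\\') continue;
        if (!isalpha(*p)) {              /* control symbol (\', \{, \-): skip it */
            if (*p) p++;
            continue;
        }
        const unsigned char *w = p;
        while (isalpha(*p)) p++;
        size_t wlen = (size_t)(p - w);
        out.words++;

        const unsigned char *d = p;       /* parameter: optional '-' then digits */
        if (*d == '-' && isdigit(d[1])) d++;
        while (isdigit(*d)) d++;
        size_t plen = (size_t)(d - p);
        p = d;

        if (plen > limit) out.oversized++;
        if (plen > out.longest) {
            out.longest = plen;
            if (wlen > sizeof out.word - 1) wlen = sizeof out.word - 1;
            memcpy(out.word, w, wlen);
            out.word[wlen] = '\0';
        }
    }
    return out;
}

/* Convert one parameter string. Refuses anything longer than the spec allows,
 * anything non-numeric and anything outside int16 range, returning
 * RTF_PARAM_INVALID instead of overflowing a buffer or an integer. */
static long rtf_parse_param(const char *s, size_t len)
{
    size_t i = 0;
    int neg = 0;
    long v = 0;

    if (len == 0 || len > RTF_PARAM_MAX_DIGITS) return RTF_PARAM_INVALID;
    if (s[0] == '-') { neg = 1; i = 1; if (len == 1) return RTF_PARAM_INVALID; }
    for (; i < len; i++) {
        if (!isdigit((unsigned char)s[i])) return RTF_PARAM_INVALID;
        v = v * 10 + (s[i] - '0');        /* at most 5 digits: cannot overflow */
    }
    if (neg) v = -v;
    return (v < -32768 || v > 32767) ? RTF_PARAM_INVALID : v;
}

/* Constructed probe (not captured traffic) shaped like the advisory's first
 * sample: a minimal RTF document whose \fs parameter is ndigits '1' characters.
 * Returns NULL when ndigits does not fit the static buffer. */
static const char *make_fs_rtf(size_t ndigits)
{
    static char buf[PROBE_MAX_DIGITS + 128];
    static const char head[] = "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Arial;}}\\pard\\f0\\fs";
    static const char tail[] = " www.yoursft.com\\fs20\\par}";

    if (ndigits > PROBE_MAX_DIGITS) return NULL;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + sizeof head - 1, '1', ndigits);
    memcpy(buf + sizeof head - 1 + ndigits, tail, sizeof tail);  /* copies the NUL */
    return buf;
}

/* The advisory's two proofs of concept as C string literals. */
static const char ADVISORY_SAMPLE_1[] =
    "{\\rtf1\\ansi\\ansicpg936\\deff0\\deflang1033\\deflangfe2052{\\fonttbl{\\f0"
    "\\fnil\\fprq2\\fcharset134 \\'cb\\'ce\\'cc\\'e5;}}{\\colortbl ;\\red255\\green0\\blue255;}"
    "\\viewkind4\\uc1\\pard\\cf1\\kerning2\\f0"
    "\\fs18121111111111111111111111111111111110000 www.yoursft.com\\fs20\\par}";
static const char ADVISORY_SAMPLE_2[] =
    "{\\rtf1\\ansi\\ansicpg936\\deff0\\deflang1033\\deflangfe2052{\\fonttbl{\\f0"
    "\\fnil\\fprq2\\fcharset134 \\'cb\\'ce\\'cc\\'e5;}}{\\colortbl ;\\red255\\green0\\blue255;}"
    "\\viewkind4\\uc1\\pard\\cf1\\kerning2\\f0121111111111111111111111111111111112222"
    "\\fs180 www.yoursft.com\\fs20\\par}";

int main(void)
{
    struct rtf_scan r;
    size_t probes[] = { 3, 1025, 65536 };  /* benign, past 1024, the advisory's crash mark */

    r = rtf_scan_params(ADVISORY_SAMPLE_1, RTF_PARAM_MAX_DIGITS);
    printf("sample 1: \\%s carries a %zu-byte parameter, %zu oversized\n", r.word, r.longest, r.oversized);
    r = rtf_scan_params(ADVISORY_SAMPLE_2, RTF_PARAM_MAX_DIGITS);
    printf("sample 2: \\%s carries a %zu-byte parameter, %zu oversized\n", r.word, r.longest, r.oversized);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        r = rtf_scan_params(make_fs_rtf(probes[i]), RTF_PARAM_MAX_DIGITS);
        printf("probe with %5zu digits: %s\n", probes[i], r.oversized ? "REJECT" : "ok");
    }
    printf("\"-32768\" -> %ld, \"32768\" invalid: %d\n",
           rtf_parse_param("-32768", 6), rtf_parse_param("32768", 5) == RTF_PARAM_INVALID);
    return 0;
}
```

The scanner flags both advisory samples on the same rule (a parameter longer than six characters) regardless of which control word carries it, which matches the advisory's point that \fs is only one instance; a reader that uses rtf_parse_param() for every parameter never touches a digit string longer than the spec allows, so the 1024-byte and 65536-byte thresholds the advisory describes are never reached.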