Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: bronek () WPI COM PL (Bronek Kozicki)
Date: Thu, 18 Nov 1999 20:55:18 +0100
Just if someone needs to know...

Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf"-files.

Crashme.rtf :
{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141.
I got my WordPad crashed with message:
The instruction at "0x61616161" referenced memory at "0x61616161". The memory could not be "read".
I press "OK" to close application, next message is:
The instruction at "0x5f8012b3" referenced memory at "0x00000004". The memory could not be "read".
Then I have only "choice" to "terminate the application". I use Windows NT (international English edition) + SP5.

Bronek Kozicki
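
A triage check for the kind of file discussed in this thread, added here as an example and not part of either post: it flags RTF control words longer than the 32-letter limit given in the RTF specification. The limit, the function names and the sample bytes are assumptions of this example (the samples are constructed, not the posted Crashme.rtf).

```python
# Added example: flag over-long RTF control words before a file reaches
# a rich-edit parser. Names and sample inputs below are constructed.

MAX_CONTROL_WORD = 32  # assumption: letter limit from the RTF specification


def _is_alpha(b: int) -> bool:
    """True for an ASCII letter (either case, so odd-cased input is counted too)."""
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def long_control_words(data: bytes, limit: int = MAX_CONTROL_WORD):
    """Return [(offset, letter_count)] for each control word longer than limit.

    Limitation: \\bin payloads are not skipped, so raw binary that happens to
    contain a backslash followed by a long letter run would also be reported.
    """
    findings = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x5C:            # not a backslash: ordinary text or brace
            i += 1
            continue
        start = i
        i += 1
        if i >= n:                     # lone trailing backslash
            break
        if not _is_alpha(data[i]):     # control symbol such as \\ \{ \} \'hh
            i += 1
            continue
        j = i
        while j < n and _is_alpha(data[j]):
            j += 1                     # consume the letters of the control word
        if j - i > limit:
            findings.append((start, j - i))
        i = j                          # any numeric parameter is scanned as text
    return findings


# Constructed samples: one with a 40-letter control word, one well-formed.
SAMPLE_BAD = b"{\\rtf\\" + b"A" * 40 + b"}"
SAMPLE_OK = b"{\\rtf1\\ansi\\deff0 Hello \\{world\\}}"

if __name__ == "__main__":
    for name, blob in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, long_control_words(blob))
```

A non-empty result is a reason to quarantine the file for inspection rather than open it in an application that loads riched20.dll.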