Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: bronek () WPI COM PL (Bronek Kozicki)
Date: Thu, 18 Nov 1999 20:55:18 +0100
Just if someone needs to know...
Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
overflow problem with ".rtf"-files.
Crashme.rtf :
{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
A malicious document may probably abuse this to execute arbitrary
code. WordPad crashes with EIP=41414141.
I got my WordPad crashed with message:
The instruction at "0x61616161" referenced memory at "0x61616161". The memory could not be "read".
I press "OK" to close application, next message is:
The instruction at "0x5f8012b3" referenced memory at "0x00000004". The memory could not be "read".
Then I have only "choice" to "terminate the application". I use Windows NT (international English edition) + SP5.
Bronek Kozicki
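A defensive check for the kind of file described in this thread, added here as an example and not part of any poster's message: a small RTF tokenizer that flags control words whose name is longer than the 32 letters the RTF specification allows. The function name and the benign sample are constructed for illustration; the thread does not state the size of the buffer in riched20.dll, so the specification limit is assumed as the threshold.

```python
import re

MAX_CONTROL_WORD = 32  # RTF specification limit on control-word name length

# Control word after the backslash: letters, optional numeric parameter,
# optional single space delimiter.
_WORD = re.compile(rb"([A-Za-z]+)(-?\d+)? ?")

# The crash file quoted in the thread, and a constructed benign document that
# contains long letter runs which are NOT control words (escaped backslash,
# \bin payload) to show why a plain regex scan would raise false positives.
CRASHME = rb"{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}"
BENIGN = (rb"{\rtf1\ansi\pard C:\\" + b"A" * 40 +
          rb"\par \bin41 " + b"\\" + b"B" * 40 + b"}")


def oversized_control_words(data: bytes, limit: int = MAX_CONTROL_WORD):
    """Return [(offset_of_backslash, name_length)] for over-long control words."""
    findings = []
    i = 0
    while i < len(data):
        if data[i] != 0x5C:           # not a backslash: text or group brace
            i += 1
            continue
        m = _WORD.match(data, i + 1)
        if m is None:                 # control symbol such as \\ \{ \} \'hh
            i += 2                    # skip the backslash and the symbol
            continue
        name, param = m.group(1), m.group(2)
        if len(name) > limit:
            findings.append((i, len(name)))
        i = m.end()
        if name == b"bin" and param and int(param) > 0:
            i += int(param)           # \binN is followed by N raw bytes
    return findings


if __name__ == "__main__":
    for label, sample in (("crashme", CRASHME), ("benign", BENIGN)):
        hits = oversized_control_words(sample)
        print(label, "SUSPICIOUS" if hits else "ok", hits)
```

A hit means the file violates the RTF grammar and should be quarantined before any RTF reader opens it; it does not prove the file carries a working exploit.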
