Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: labs () USSRBACK COM (Ussr Labs)
Date: Tue, 23 Nov 1999 22:06:45 -0300
Well, I found SOME ways to CRASH (no exploit possible), in another place in the RTF format, in riched20.dll, making a STACK EATER. Inside the RTF file, one RTF inside of another with OLE, the OLE (WordPad) crashes with a STACK OVERFLOW EXCEPTION FILTER. EXAMPLE RTF CODE:

{\rtf1\ansi\ansicpg1252\deff0\deftab720{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New Roman;}{\f3\froman Times New Roman;}}
{\colortbl\red0\green0\blue0;}
\deflang1033\horzdoc{\*\fchars }{\*\lchars }\pard\plain\f2\fs20 hello!!!!{\object\objemb{\*\objclass WordPad.Document.1}{\*\objname Object1}\objw11115\objh293 {\*\objdata BUFFER) }}}\plain\f2\fs20 !!!!!!!!!!!!!!!! \par }

WHERE BUFFER IS LIKE 9K OF (123456789ABCDEFGHIJKLMNOPQRSTUVWYZ)

But it just eats the stack, OLE crashes, and it is not possible to make an exploit of this. This is another example of another bug in OLE/riched20.dll, all in wordpad.exe.

Ussrlabs

I have another example where the same happens in Word files. Personally I made a .doc file; if you run it, the machine resets in Microsoft Word 2000 and 97 on Windows 98, and on NT it crashes and leaves Word in memory (present) like a memory/process leak. But it's just a bug, no way to exploit it; the only thing possible is to reset the machine on Windows 98 :).

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com
My assertion was based on a cursory look and the fact the return address _is_ overwritten. I'll bow to the greater and more in-depth analysis of USSRLABS and Solar Eclipse. No doubt, however, there will be buffer overruns elsewhere within the application and not just after the {rtf1\AA...} part. I've not actually looked but if you do I can almost guarantee there will be more. Perhaps one of these will _not_ be restricted to A-Z and a-z and then it would have a chance of being exploitable. For example there is an {operator Name-Goes-Here} part of a Windows RTF file. Doing {operatorAAA.... Name} or {operator AAAA...} may cause a buffer overrun - and one where the return address is overwritten and any characters are allowed. This is mostly conjecture however. Anyone with the time or inclination could check on this or any of the other RTF headers.
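The crash described in the message above comes from feeding riched20.dll an RTF file whose embedded OLE object (the hex blob after \objdata) is far larger than the parser expects, and from RTF documents nested inside one another. A defender does not need to interpret the object to spot such files: a plain RTF tokenizer that tracks group nesting depth and the size of every \objdata payload is enough to flag them before they reach WordPad or Word. The following scanner is an added example, not code from the post or from USSR Labs; the depth and size thresholds and the three sample documents are constructed assumptions, and the hex payload in BIG_OBJECT_RTF is filler rather than a real OLE object.

```python
import re

# Assumed thresholds (not from the post): how deep {...} groups may nest before
# we consider the file suspicious, and how large a single \objdata payload may be.
MAX_GROUP_DEPTH = 32
MAX_OBJDATA_HEX_CHARS = 4096

# RTF control word: backslash, letters, optional signed number, optional space delimiter.
CONTROL_WORD = re.compile(r"\\([A-Za-z]+)(-?[0-9]+)? ?")


def scan_rtf(text: str) -> dict:
    """Walk an RTF document, tracking group nesting depth and the size of each
    \\objdata payload. Returns max_depth, a list of objdata sizes (hex chars), and
    whether the braces balanced. Pure tokenizer: it never decodes the object."""
    depth = 0
    max_depth = 0
    objdata_sizes = []
    objdata_depth = None   # depth of the group holding the current \objdata
    objdata_len = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\\":
            m = CONTROL_WORD.match(text, i)
            if m:
                if m.group(1) == "objdata":
                    objdata_depth, objdata_len = depth, 0
                i = m.end()
            else:
                i += 2          # control symbol such as \{ \} \\ \* \'
            continue
        if c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            if objdata_depth is not None and depth == objdata_depth:
                objdata_sizes.append(objdata_len)
                objdata_depth = None
            depth -= 1
        elif objdata_depth is not None and not c.isspace():
            objdata_len += 1    # hex characters of the embedded OLE object
        i += 1
    return {"max_depth": max_depth, "objdata_sizes": objdata_sizes, "balanced": depth == 0}


def findings(text: str) -> list:
    """Turn scan results into human-readable reasons to quarantine the file."""
    r = scan_rtf(text)
    out = []
    if not r["balanced"]:
        out.append("unbalanced groups")
    if r["max_depth"] > MAX_GROUP_DEPTH:
        out.append(f"group nesting depth {r['max_depth']} exceeds {MAX_GROUP_DEPTH}")
    for size in r["objdata_sizes"]:
        if size > MAX_OBJDATA_HEX_CHARS:
            out.append(f"objdata payload of {size} hex chars exceeds {MAX_OBJDATA_HEX_CHARS}")
    return out


# Constructed samples, not files from the post. The object payload is filler hex.
BENIGN_RTF = r"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss MS Sans Serif;}}\pard\plain\f0\fs20 hello\par }"
BIG_OBJECT_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss MS Sans Serif;}}\pard\plain\f0\fs20 hello"
    r"{\object\objemb{\*\objclass WordPad.Document.1}{\*\objname Object1}"
    r"{\*\objdata " + "41" * 3000 + r"}}\par }"
)
DEEP_RTF = r"{\rtf1" + r"{\object" * 60 + "}" * 60 + "}"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("big object", BIG_OBJECT_RTF), ("deep", DEEP_RTF)]:
        print(name, findings(doc) or "ok")
```

The scanner treats \objdata as opaque and only measures it, so it stays safe to run on hostile input; the thresholds are deliberately low for illustration and would be tuned against a corpus of legitimate documents before being used to block files at a mail gateway.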