Re: WordPad/riched20.dll buffer overflow

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Thu Nov 18 1999 - 13:45:25 PST


    Pauli Ojanpera wrote:
    >
    > Just if someone needs to know...
    >
    > Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
    > overflow problem with ".rtf"-files.
    >
    > Crashme.rtf :
    > {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
    >
    > A malicious document may probably abuse this to execute arbitrary
    > code. WordPad crashes with EIP=41414141.
    >
    > Someone else do deeper investigation since I don't care to.
    
    
    	I've been trying to determine if it's exploitable, and couldn't
    reproduce what you described. I want to know if there is some other
    information I need to know... here is what I tried:
    
            an rtf file with

            {\rtf\AAAAAAAAA...} a lot of As (tried 32, 49, 1000, 2000, ... 5000 ... 20000)

            nothing happened until 5000, where I got a crash but not with
    EIP==0x41414141 but with ESI==0x41414141 on a 'push [esi]'. ESI was copied
    previously from the stack, but on the stack there were only 4 As here,
    8 As there, and so...
            then on 10000 As I got a different crash, with EDI==0x41414141, but
    never got EIP==0x41414141.

            Anyway, it MAY be exploitable, but doesn't look simple...

            Then I tried a different approach: I got a real rtf file from
    http://www.securityfocus.com and appended the same amount (32, 49, ...) of As
    after the first '\', but got exactly the same results...

            could anybody reproduce this bug?
    
    	richie
    
    --
    A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
    Research and Development - CoreLabs - Core SDI (Information Security)
    http://www.core-sdi.com
    
    --- For a personal reply use gera@core-sdi.com
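As an added check that is not part of this thread, a small Python scanner that flags RTF control words longer than the 32 letters the RTF specification allows, which is the malformed pattern both posts describe (an overlong letter run right after a backslash); the two sample documents are constructed.

```python
import re

# An RTF control word is a backslash followed by ASCII letters, optionally
# a signed numeric parameter. The RTF specification caps the name at 32 letters,
# so anything longer is malformed and worth flagging before a parser sees it.
CONTROL_WORD = re.compile(rb'\\([A-Za-z]+)(-?\d+)?')
MAX_CONTROL_WORD_LEN = 32


def overlong_control_words(rtf: bytes, limit: int = MAX_CONTROL_WORD_LEN):
    """Return (offset, length) for every control word whose name exceeds `limit`."""
    return [
        (m.start(), len(m.group(1)))
        for m in CONTROL_WORD.finditer(rtf)
        if len(m.group(1)) > limit
    ]


def is_suspicious(rtf: bytes) -> bool:
    """True when the document contains at least one overlong control word."""
    return bool(overlong_control_words(rtf))


# Constructed samples: the crashme.rtf shape from the thread (49 As, one of the
# lengths tried in the reply) and a benign minimal document.
CRASHME = b'{\\rtf\\' + b'A' * 49 + b'}'
BENIGN = b'{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0\\fs24 Hello, world.\\par}'

if __name__ == "__main__":
    for name, doc in (("crashme.rtf", CRASHME), ("benign.rtf", BENIGN)):
        print(name, "suspicious" if is_suspicious(doc) else "ok",
              overlong_control_words(doc))
```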
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:20 PDT