Re: WordPad/riched20.dll buffer overflow

From: Bronek Kozicki (bronekat_private)
Date: Thu Nov 18 1999 - 11:55:18 PST


    > Just if someone needs to know...
    >
    > Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
    > overflow problem with ".rtf"-files.
    >
    > Crashme.rtf :
    > {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
    >
    > A malicious document may probably abuse this to execute arbitrary
    > code. WordPad crashes with EIP=41414141.
    
    My WordPad crashed with the message:
    
    The instruction at "0x61616161" referenced memory at "0x61616161". The
    memory could not be "read".
    
    I press "OK" to close the application; the next message is:
    
    The instruction at "0x5f8012b3" referenced memory at "0x00000004". The
    memory could not be "read".
    
    Then my only "choice" is to "terminate the application".
    
    I use Windows NT (international English edition) + SP5.
    
    Bronek Kozicki
    
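    A defensive check for the malformed control word discussed in this thread, added here as an example and not code from the original post or from Microsoft: it tokenises the control words of an RTF file and flags any longer than the 32-letter maximum the RTF specification allows, which is what the crashme.rtf above violates. The constant, function names and the benign sample are my own assumptions.

```python
import re

# The RTF specification limits a control word to 32 letters; the crash
# reported in the thread comes from a control word far longer than that.
# Using the spec limit as the alert threshold is an assumption of this example.
RTF_MAX_CONTROL_WORD_LEN = 32

# A control word is a backslash, ASCII letters, and an optional signed
# numeric parameter. Hex escapes (\'hh) and symbol escapes (\\, \{, \})
# contain no letters after the backslash, so they never match here.
CONTROL_WORD_RE = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


def find_oversized_control_words(data: bytes, limit: int = RTF_MAX_CONTROL_WORD_LEN):
    """Return (byte offset, control word) pairs for every control word longer than `limit`."""
    findings = []
    for m in CONTROL_WORD_RE.finditer(data):
        word = m.group(1)
        if len(word) > limit:
            findings.append((m.start(), word.decode("ascii")))
    return findings


def is_suspicious_rtf(data: bytes) -> bool:
    """True when the data starts like an RTF document and carries an oversized control word."""
    looks_like_rtf = data.lstrip().startswith(b"{\\rtf")
    return looks_like_rtf and bool(find_oversized_control_words(data))


# Constructed samples: the crashme.rtf shape from the post (48 letters after
# the backslash) and a small benign document whose control words are all short.
CRASHME_RTF = b"{\\rtf\\" + b"A" * 48 + b"}"
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0\\fs24 Hello, world.\\par}"

if __name__ == "__main__":
    for name, sample in (("crashme.rtf", CRASHME_RTF), ("benign.rtf", BENIGN_RTF)):
        hits = find_oversized_control_words(sample)
        print(f"{name}: {'SUSPICIOUS' if hits else 'ok'} {hits}")
```

    The same scan applied to files arriving at a mail gateway or file share gives a cheap signal for this class of malformed RTF before a vulnerable reader opens it.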
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:28 PDT