BugTraq
Riched20.DLL attribute label buffer overflow vulnerability Feb 16 2003 01:30PM
Jie Dong (Thkrdev yoursft com) (1 replies)
Re: Riched20.DLL attribute label buffer overflow vulnerability Feb 21 2003 10:28AM
Thor Larholm (thor pivx com) (1 replies)
Since RTF files are opened and rendered automatically by Outlook Express and
Internet Explorer, this is remotely exploitable through mail and web.

I had some problems reproducing this on Windows 2000; has anyone had better
luck?

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html

----- Original Message -----
From: "Jie Dong" <Thkrdev (at) yoursft (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Sunday, February 16, 2003 2:30 PM
Subject: Riched20.DLL attribute label buffer overflow vulnerability

> ============================================================================
> Security Defence Stdio vulnerability announcement [001]
> Riched20.DLL attribute label buffer overflow vulnerability
> URL: http:\\www.yoursft.com
> Author: Thrkdev
> Found: February 1, 2003
> Announced: February 14, 2003
>
> Affected systems: Microsoft Windows 98
>                   Microsoft Windows 2000
>                   Microsoft Windows XP
> Perhaps this vulnerability also exists in other operating systems, but
> this is untested.
> EMAIL: Thkrdev (at) yoursft (dot) com [email concealed]
> ------------------------------------------------------------------------

> Technical description:
> A buffer overflow vulnerability exists in riched20.dll, which can result
> in the crash of any application program that uses the corresponding
> function of the DLL module, but it is very difficult to turn it into
> execution of an attacker's commands on a user's system.
>
> This problem exists in the RTF file parsing code: there is an overflow
> when parsing a figure-string (such as the size of the characters) in the
> file. This overflow does not seem to be usable for executing commands.
> The following RTF file may result in an illegal operation:
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0
> \fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
> }
> "\fs" is used for setting the size of the following words
> "www.yoursft.com". When the figure-string that sets the size of the font
> exceeds 1024 bytes (>1024 B), it will cause the buffer overflow; and when
> it exceeds 65536 bytes (>65536 B) it will probably crash the application
> program.
> This problem does not only appear in the setting of "\fs"; other
> attributes have the same problem under similar conditions. The following
> RTF file will also result in an illegal operation:
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
> \fs180 www.yoursft.com\fs20\par
> }
> The terrible thing is that nowadays lots of software is affected by this
> vulnerability. An attacker can send a malicious message that exploits the
> vulnerability, and when you read this message your program will crash.
>
> ------------------------------------------------------------------------

> Security Defence Stdio is a software development / technology website,
> mainly developing net security products; the software of Security Defence
> Stdio, Trojan Ender, receives users' extensive favourable comment.

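One way to screen inbound RTF for this class of over-long control-word parameter before a vulnerable renderer sees it, as an added example that is not part of this thread or of any product it mentions: the 1024-digit threshold follows the advisory, while the sample documents, the `scan_rtf` and `is_suspicious` names and the `www.example.invalid` host are constructed here.

```python
import re

# An RTF control word is a backslash, ASCII letters, and an optional signed
# decimal parameter (e.g. \fs18, \deflang1033). The advisory's crash files
# simply make that parameter thousands of digits long.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")

# Threshold taken from the advisory: parameters longer than 1024 bytes
# overflow the buffer in riched20.dll. Real documents never need more than a
# handful of digits, so a much tighter limit is reasonable in a mail gateway.
MAX_PARAM_DIGITS = 1024


def scan_rtf(data: bytes, limit: int = MAX_PARAM_DIGITS):
    """Return [(control_word, parameter_length), ...] for every control word
    whose numeric parameter is longer than `limit` digits."""
    findings = []
    for match in CONTROL_WORD.finditer(data):
        word, param = match.group(1), match.group(2)
        if param is not None and len(param) > limit:
            findings.append((word.decode("ascii"), len(param)))
    return findings


def is_suspicious(data: bytes, limit: int = MAX_PARAM_DIGITS) -> bool:
    """True if the document carries at least one over-long parameter."""
    return bool(scan_rtf(data, limit))


# Constructed samples (not the advisory's own files) with the same shape as
# its two proof-of-concept documents: the over-long digit run on \fs and on \f.
HEADER = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Arial;}}\\pard"
PADDED_FS = HEADER + b"\\fs" + b"1" * 1100 + b" www.example.invalid\\fs20\\par}"
PADDED_F = HEADER + b"\\f" + b"1" * 1100 + b"\\fs18 www.example.invalid\\par}"
BENIGN = HEADER + b"\\fs18 www.example.invalid\\fs20\\par}"

if __name__ == "__main__":
    for name, doc in (("padded \\fs", PADDED_FS), ("padded \\f", PADDED_F),
                      ("benign", BENIGN)):
        print(name, "->", scan_rtf(doc) or "clean")
```

Lowering `limit` to a few digits catches the same documents well before the 1024-byte boundary, since no legitimate RTF parameter approaches it.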
Re: Riched20.DLL attribute label buffer overflow vulnerability Feb 24 2003 08:47PM
Raistlin (raistlin gioco net)
Copyright 2010, SecurityFocus