Since RTF files are opened and rendered automatically by Outlook Express and Internet Explorer, this is remotely exploitable through mail and web.

I had some problems reproducing this on Windows 2000, anyone had better luck?

Regards

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html

----- Original Message -----
From: "Jie Dong" <Thkrdev@yoursft.com>
To: <bugtraq@securityfocus.com>
Sent: Sunday, February 16, 2003 2:30 PM
Subject: Riched20.DLL attribute label buffer overflow vulnerability

>
> ================================================================================
> Security Defence Studio vulnerability announcement [001]
> Riched20.DLL attribute label buffer overflow vulnerability
> URL: http:\\www.yoursft.com
> Author: Thrkdev
> Found date: 1 February 2003
> Announce date: 14 February 2003
>
> Affected systems: Microsoft Windows 98
>                   Microsoft Windows 2000
>                   Microsoft Windows XP
> Perhaps this vulnerability also exists in other operating systems, but that is untested.
> EMAIL: Thkrdev@yoursft.com
> ------------------------------------------------------------------------
> Technical description:
> A buffer overflow vulnerability exists in riched20.dll, which can result in the collapse
> of the application program that uses the corresponding function of the DLL module, but it is
> very difficult to have the effect of allowing an attacker to execute commands on a user's system.
>
> This problem exists in the RTF file parsing code, and there is an overflow when drawing
> a figure-string (such as the size of the character) in the file form. This overflow seems not to
> be usable for executing commands.
> The following RTF file may result in illegal operation:
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0
> \fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
> }
> "\fs" was used for setting the size of the following words "www.yoursft.com". When the figure-string
> that sets the size of the fonts exceeds 1024 bytes (>1024b), it will cause the buffer overflow; and when
> exceeding 65536 bytes (>65536b) it will probably cause crashing the application program.
> This problem not only appears in the setting of "\fs"; other attributes will have the same problem under
> similar situations. And the following RTF file will also result in operating illegally:
> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
> \fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
> {\colortbl ;\red255\green0\blue255;}
> \viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
> \fs180 www.yoursft.com\fs20\par
> }
> The terrible thing is that nowadays lots of software is affected by this vulnerability. The attacker can send a
> malicious message that includes exploiting the vulnerability; then when you read this message your program will be crashed.
>
> ------------------------------------------------------------------------
> Security Defence Studio is a software development / technological website, mainly developing NET security products;
> the software of Security Defence Studio --Trojan Ender-- receives users' extensive favorable comment.
>
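Both RTF files in the quoted advisory share one trait: a control word (`\fs`, `\f`) carrying a numeric parameter far longer than any value the RTF format can represent. That makes the condition cheap to detect on a mail gateway or in a file-ingest pipeline before the document ever reaches riched20.dll. The scanner below is an added example written for this page; it is not code from either poster, from PivX, or from Security Defence Studio. It assumes the RTF grammar (control word = backslash, letters, optional signed decimal parameter, with the parameter specified as a 16-bit, and in later revisions at most 32-bit, signed integer) and uses the 1024-character threshold stated in the advisory only to grade severity. The three sample documents are constructed for the example, not taken from any real file.

```python
import re
from dataclasses import dataclass

# An RTF control word is a backslash, a run of ASCII letters, and an optional
# signed decimal parameter.  The RTF specification stores that parameter as a
# signed 16-bit integer (later revisions allow 32 bits for a few words such as
# \bin), so no well-formed parameter is longer than "-2147483648": 11 chars.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")
MAX_VALID_PARAM_CHARS = 11

# Parameter length at which the advisory above reports riched20.dll overflowing.
ADVISORY_OVERFLOW_CHARS = 1024


@dataclass
class Finding:
    offset: int          # byte offset of the control word within the document
    control_word: str    # e.g. "fs" or "f"
    param_length: int    # number of characters in the numeric parameter
    severity: str        # "malformed" (over spec limit) or "overflow" (over advisory limit)


def scan_rtf(data: bytes) -> list[Finding]:
    """Return every control word whose numeric parameter is impossibly long."""
    findings: list[Finding] = []
    for m in CONTROL_WORD.finditer(data):
        param = m.group(2)
        if param is None:
            continue  # control word without a parameter, e.g. \pard
        n = len(param)
        if n <= MAX_VALID_PARAM_CHARS:
            continue  # fits the format's integer parameter; nothing to flag
        severity = "overflow" if n > ADVISORY_OVERFLOW_CHARS else "malformed"
        findings.append(Finding(m.start(), m.group(1).decode("ascii"), n, severity))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the document should be quarantined rather than handed to a rich-edit control."""
    return bool(scan_rtf(data))


# Constructed samples (not taken from any real document).
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Arial;}}\pard\fs18 hello\fs20\par}"
# Same shape as the advisory's first file: an over-long digit string on \fs.
MALFORMED_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Arial;}}\pard\fs" + b"1" * 40 + rb" hello\fs20\par}"
# A parameter past the 1024-character threshold the advisory gives, on \f as in its second file.
OVERFLOW_RTF = rb"{\rtf1\ansi\deff0\pard\f" + b"0" * 1100 + rb"\fs18 hello\par}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF), ("overflow", OVERFLOW_RTF)):
        print(name, "->", scan_rtf(doc) or "clean")
```

Flagging at the format's own integer limit rather than at 1024 catches the advisory's second variant too (the `\f0121111...` file, where the digit run is well under 1024 characters), and it does not depend on knowing which control words riched20.dll happens to mishandle, which the advisory says is not limited to `\fs`.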