Subject: WordPad/riched20.dll buffer overflow
Author: Pauli Ojanpera

Just if someone needs to know... Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf" files.

Crashme.rtf:

{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141. Someone else can do a deeper investigation, since I don't care to.

Riched20.dll, which WordPad uses to parse Rich Text Format files, has an unchecked buffer which allows arbitrary code to be executed. The code can be put into an .rtf file and emailed to the victim. Then, if the victim opens the document in WordPad, the code will run at the same privilege level as the user.
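The following is an added example written for this page; it is not code from the post and not riched20.dll's code. It models the bug class the post describes: an RTF control word (the letters after a backslash) copied into a fixed-size buffer with no length check, so a long run of 'A's overwrites the saved return address and the crash lands at EIP=41414141. The 32-byte buffer size, the frame layout (return address directly above the buffer), the placeholder caller address 0xDEADBEEF and the helper names are assumptions; the "stack" is a simulated byte array so the overflow stays inside a C object and the demo runs safely on a modern host. The hardened parser beside it rejects over-long names instead of growing the buffer.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the parser frame, not riched20.dll internals. */
#define WORD_BUF   32            /* assumed size of the control-word buffer */
#define SAVED_EIP  WORD_BUF      /* assumed: saved return address sits just above it */
#define SIM_STACK  4096          /* size of the simulated stack region */
#define CALLER_EIP 0xDEADBEEFu   /* placeholder return address "pushed" by the caller */

/* Build "{\rtf\AAAA...}" with n_a letters, the shape of Crashme.rtf. Returns the length. */
size_t make_crash_rtf(size_t n_a, char *out, size_t cap) {
    if (cap < n_a + 8) return 0;                 /* "{\rtf\" + A's + "}" + NUL */
    size_t n = (size_t)sprintf(out, "{\\rtf\\");
    memset(out + n, 'A', n_a);
    n += n_a;
    out[n++] = '}';
    out[n] = '\0';
    return n;
}

/* Length of the control-word name starting at p (RTF names are ASCII letters). */
static size_t control_word_len(const char *p) {
    size_t n = 0;
    while (isalpha((unsigned char)p[n])) n++;
    return n;
}

/* Vulnerable model: every control word is copied into a WORD_BUF-byte buffer at the
 * bottom of the frame without ever comparing its length to WORD_BUF. Returns whatever
 * ends up in the saved-return-address slot after parsing. */
uint32_t parse_unchecked(const char *rtf, unsigned char *stack) {
    uint32_t ret = CALLER_EIP;
    memset(stack, 0, SIM_STACK);
    memcpy(stack + SAVED_EIP, &ret, sizeof ret);        /* caller's return address */
    for (const char *p = strchr(rtf, '\\'); p; p = strchr(p + 1, '\\')) {
        size_t len = control_word_len(p + 1);
        if (len >= SIM_STACK - 1) len = SIM_STACK - 1;  /* keeps the simulation in bounds; not a fix */
        memcpy(stack, p + 1, len);                      /* BUG: len never checked against WORD_BUF */
        stack[len] = '\0';
    }
    memcpy(&ret, stack + SAVED_EIP, sizeof ret);
    return ret;
}

/* Hardened model: refuse any control word that does not fit the buffer. A name longer
 * than the buffer is malformed input to reject, not something to accommodate.
 * Returns 0 on success, -1 on an over-long name. */
int parse_checked(const char *rtf, char *word, size_t cap) {
    for (const char *p = strchr(rtf, '\\'); p; p = strchr(p + 1, '\\')) {
        size_t len = control_word_len(p + 1);
        if (len >= cap) return -1;                      /* would not fit with the NUL */
        memcpy(word, p + 1, len);
        word[len] = '\0';
    }
    return 0;
}

/* Wrappers: build a Crashme.rtf with n_a letters and run each parser on it. */
uint32_t crash_eip_for(size_t n_a) {
    char rtf[SIM_STACK];
    unsigned char stack[SIM_STACK];
    make_crash_rtf(n_a, rtf, sizeof rtf);
    return parse_unchecked(rtf, stack);
}

int checked_result_for(size_t n_a) {
    char rtf[SIM_STACK], word[WORD_BUF];
    make_crash_rtf(n_a, rtf, sizeof rtf);
    return parse_checked(rtf, word, sizeof word);
}

int main(void) {
    printf("48 A's, unchecked parser: saved EIP = 0x%08x\n", crash_eip_for(48));
    printf("48 A's, checked parser:   %s\n", checked_result_for(48) ? "rejected" : "accepted");
    return 0;
}
```

With 48 letters the unchecked model reports a saved return address of 0x41414141, which is the EIP the post observes; with a short name the caller's address survives. The checked parser rejects the same input before any copy takes place.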