17th Feb 2003 [SBWID-5996]
COMMAND
	Riched20.DLL attribute label buffer overflow vulnerability
SYSTEMS AFFECTED
	Tested system:  Microsoft Windows 98
	                Microsoft Windows 2000
	                Microsoft Windows XP
PROBLEM
	In Security Defence Stdio vulnerability announcement [001]
	[[email protected]]:
	A buffer overflow vulnerability exists in riched20.dll, which can result
	in the collapse of the application program that uses the corresponding
	function of the DLL module, but it is very difficult to have the effect
	of allowing an attacker to execute commands on a user's system.
	This problem exists in the code that analyses RTF files, and there is an
	overflow when drawing the figure-string (such as the size of the
	character) in the file form. This overflow does not seem to be usable
	for executing commands.
	The following RTF file may result in an illegal operation:
	
	{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
	\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
	{\colortbl ;\red255\green0\blue255;}
	\viewkind4\uc1\pard\cf1\kerning2\f0
	\fs18121111111111111111111111111111111110000 www.yoursft.com\fs20\par
	}
	
	"\fs" is used for setting the size of the following words
	"www.yoursft.com". When the figure-string that sets the size of the
	font exceeds 1024 bytes (>1024b), it will cause the buffer overflow;
	and when it exceeds 65536 bytes (>65536b) it will probably crash the
	application program.
	This problem not only appears in the setting of "\fs"; other attributes
	will have the same problem under a similar situation. The following
	RTF file will also result in operating illegally:
	
	{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
	\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}}
	{\colortbl ;\red255\green0\blue255;}
	\viewkind4\uc1\pard\cf1\kerning2\f0121111111111111111111111111111111112222
	\fs180 www.yoursft.com\fs20\par
	}
	
	The terrible thing is that nowadays lots of software is affected by this
	vulnerability. An attacker can send a malicious message that exploits
	the vulnerability, and when you read this message your program will
	crash.
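A bounded parser is the fix the advisory's description points at. The C code below is an added example, not code from this advisory, from Security Defence Stdio or from Microsoft: it tokenises RTF control words while capping the numeric parameter at the five digits a signed 16-bit value can need, so a run of thousands of digits after \fs or \f is counted and flagged but never copied into a fixed-size buffer. The function names, the 32-character keyword cap and the two sample documents are assumptions of this example; SAMPLE_BAD is constructed, with a 40-digit \fs parameter, to mirror the shape of the advisory's test files.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the advisory): a bounded RTF control-word
   tokenizer.  The RTF specification defines a control word's numeric
   parameter as a signed 16-bit integer, so a well-formed parameter is at
   most a '-' and five digits.  Anything longer is counted and flagged but
   never stored, which is the bound the advisory says riched20.dll lacks. */

#define RTF_MAX_KEYWORD      32   /* assumed cap; RTF keywords are short */
#define RTF_MAX_PARAM_DIGITS  5   /* 32767 has five digits */

typedef struct {
    char   keyword[RTF_MAX_KEYWORD + 1];
    int    has_param;      /* 1 if a numeric parameter followed the keyword */
    int    negative;       /* 1 if the parameter carried a leading '-' */
    long   param;          /* value of the first RTF_MAX_PARAM_DIGITS digits */
    size_t param_digits;   /* digits actually present in the input */
    int    oversized;      /* 1 if param_digits > RTF_MAX_PARAM_DIGITS */
} rtf_control_word;

/* Parse the control word at p (p must point at '\\').  Returns a pointer
   just past the control word and its optional delimiting space, or NULL
   if p does not start a control word with an alphabetic keyword (e.g. the
   control symbol \' used for hex-escaped bytes).  Never writes past the
   fixed-size fields, however long the input runs are. */
const char *rtf_parse_control_word(const char *p, rtf_control_word *cw)
{
    size_t n = 0;
    memset(cw, 0, sizeof *cw);
    if (*p != '\\' || !isalpha((unsigned char)p[1]))
        return NULL;
    p++;
    /* keyword: letters only; truncated at the cap rather than overflowed */
    while (isalpha((unsigned char)*p)) {
        if (n < RTF_MAX_KEYWORD)
            cw->keyword[n++] = *p;
        p++;
    }
    cw->keyword[n] = '\0';
    if (*p == '-') {
        cw->negative = 1;
        p++;
    }
    /* numeric parameter: count every digit, accumulate only a bounded prefix */
    while (isdigit((unsigned char)*p)) {
        cw->has_param = 1;
        if (cw->param_digits < RTF_MAX_PARAM_DIGITS)
            cw->param = cw->param * 10 + (*p - '0');
        cw->param_digits++;
        p++;
    }
    if (cw->param_digits > RTF_MAX_PARAM_DIGITS)
        cw->oversized = 1;
    if (cw->negative)
        cw->param = -cw->param;
    /* a single space after a control word is its delimiter and is consumed */
    if (*p == ' ')
        p++;
    return p;
}

/* Scan a whole RTF document and count control words whose digit run is
   longer than max_digits.  Suitable as a pre-render check on a message
   body: a legitimate document never needs more than five digits. */
size_t rtf_count_oversized_params(const char *rtf, size_t max_digits)
{
    size_t bad = 0;
    rtf_control_word cw;
    while (*rtf) {
        if (*rtf == '\\') {
            const char *next = rtf_parse_control_word(rtf, &cw);
            if (next) {
                if (cw.param_digits > max_digits)
                    bad++;
                rtf = next;
                continue;
            }
            /* control symbol such as \' or \\ : skip the escaped character */
            rtf += (rtf[1] != '\0') ? 2 : 1;
            continue;
        }
        rtf++;
    }
    return bad;
}

/* Constructed samples: a benign document and one whose \fs parameter is
   40 digits long (the advisory's files use runs far longer than this). */
static const char SAMPLE_OK[] =
    "{\\rtf1\\ansi\\deff0 \\fs18 www.example.test\\fs20\\par}";
static const char SAMPLE_BAD[] =
    "{\\rtf1\\ansi\\deff0 \\fs" "1111111111" "1111111111"
    "1111111111" "1111111111" " www.example.test\\fs20\\par}";

int main(void)
{
    printf("benign document:  %zu oversized parameters\n",
           rtf_count_oversized_params(SAMPLE_OK, RTF_MAX_PARAM_DIGITS));
    printf("crafted document: %zu oversized parameters\n",
           rtf_count_oversized_params(SAMPLE_BAD, RTF_MAX_PARAM_DIGITS));
    return 0;
}
```

rtf_count_oversized_params can run over a message body before it is handed to a rich-text control; flagging at six digits sits far below the 1024-byte run at which the advisory reports the overflow beginning, so the check does not depend on knowing the exact buffer size inside the DLL.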
SOLUTION
	?