RTF…M

One of the best ways to generate ideas for research is reading manuals and original documentation. Not only do we learn new stuff, we also re-learn the old stuff, and if we happen to revisit different versions of the same documentation over the years there is a chance that a) we will be aware of changes & stuff that has been phased out, and b) we will find stuff we missed in previous reading iterations.

Such is the case I want to quickly discuss today.

If I asked you what the RTF file magic is, you would most likely reply:

{\rtf OR {\rtf1

Well, I thought so too until I looked at the Rich Text Format (RTF) Specification again. That is where I found the following long-forgotten tags:

  • \pwdN
    • Substitute for \rtfN. Introduced by Pocket Word to distinguish its files from general RTF files. Currently only 1 is emitted and the number is ignored by the RTF reader.
  • \urtfN
    • Identifies an RTF file in which all text characters are encoded in UTF-8. Only binary data escapes this transformation. Word does not read this encoding of RTF.

So, there you have it… corner cases; you can’t exploit them per se (I think), but at least now we know.
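As an added illustration (my own code, not from the post or the specification), here is a small Python header check that recognises all three header control words the spec lists, next to the usual `{\rtf`-only magic check that would miss the other two. The sample inputs are constructed for the demo.

```python
import re

# Header control words the RTF spec allows in place of \rtfN
# (the \pwdN and \urtfN entries quoted above).
RTF_HEADER_WORDS = {
    b"rtf": "rtf",            # general RTF, the well-known {\rtf1
    b"pwd": "pocket-word",    # Pocket Word substitute for \rtfN
    b"urtf": "utf8-rtf",      # UTF-8 encoded RTF; Word does not read it
}

# Opening group brace, backslash, control word letters, optional numeric parameter.
_HEADER_RE = re.compile(rb"^\{\\([a-z]+)(-?\d+)?")


def identify_rtf_header(data: bytes):
    """Return (kind, version) when data starts with an RTF-family header,
    otherwise None. The numeric parameter is reported for completeness;
    as the spec notes, readers ignore it."""
    m = _HEADER_RE.match(data)
    if not m:
        return None
    word, number = m.group(1), m.group(2)
    kind = RTF_HEADER_WORDS.get(word)
    if kind is None:
        return None
    version = int(number) if number is not None else None
    return kind, version


def naive_is_rtf(data: bytes) -> bool:
    """The common magic check that only knows about {\\rtf."""
    return data.startswith(b"{\\rtf")


# Constructed sample file heads (not real documents).
SAMPLES = {
    "classic": b"{\\rtf1\\ansi\\deff0 Hello}",
    "pocket_word": b"{\\pwd1\\ansi Hello from Pocket Word}",
    "utf8": b"{\\urtf1\\ansi Hello in UTF-8}",
    "no_number": b"{\\rtf\\ansi Hello}",
    "not_rtf": b"%PDF-1.7",
}


def compare_checks(samples=SAMPLES):
    """Map each sample name to (spec-aware result, naive result)."""
    return {name: (identify_rtf_header(d), naive_is_rtf(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (full, naive) in compare_checks().items():
        print(f"{name:12} spec-aware={full!s:24} naive={naive}")
```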

Beyond good ol’ Run key, Part 128

It’s been a long time since I looked at phantom DLLs (non-existing DLLs that are expected to be present in predictable locations). So, a quick rundown of what we can see on Win10 today follows:

  • C:\Windows\System32\edgegdi.dll
    • loaded by gdi.dll, but not present on the most up-to-date Win10 Pro installation; it must be signed
    • loaded by a number of processes: backgroundTaskHost.exe, BackgroundTransferHost.exe, DllHost.exe, dmclient.exe, HxTsr.exe, LockApp.exe, LogonUI.exe, Microsoft.Photos.exe, mousocoreworker.exe and many others; existing work: I found some EoP research on Twitter
  • C:\Windows\SysWOW64\rpcss.dll
  • C:\Windows\System32\UsoSelfhost.dll
    • loaded by mousocoreworker.exe — possible EoP?
  • C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll
    • loaded by SearchApp.exe
  • C:\Windows\System32\windowscoredeviceinfo.dll
    • loaded by taskhostw.exe

There are more, but I reserve them for a possible future post.