Full Disclosure mailing list archives
RE: C99 Security Alert-Old-New-Who-Cares :) - (:
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 30 May 2003 11:10:48 -0500
Normally I wouldn't bother pointing this stuff out, but if you're going to accuse other people of having less than a third grade education....well, people who throw stones shouldn't live in glass houses....

operation systems? NOT SUFFICANT??? AS POSSIABLE??? Intgreaty???

Maybe you should consider finishing school yourself, before you criticize others.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: democow .... [mailto:democow8086 () hotmail com]
Sent: Thursday, May 29, 2003 10:06 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] C99 Security Alert-Old-New-Who-Cares :) - (:

SECURITY VUNERABILITY ALERT:

hello, as a new white-hat hacker i would like to help the information security industry by posting a new vulnerability in the the linux operating system(this vulnerability may be present in many other operation systems depending on their implementation of the c)

i am posting this vulnerability to help the security community support itself in these troubled times, i know how hard it is for you to improve you image in their media these days.. so i would like you to scam a few more companies with some penetration tests.. and your "consulting" services

AND PLEASE POST AS MANY EXPLOITS AS YOU CAN BASED ON THE FOLLOWING INFORMATION... AS JUST INFORMATION ON THIS PROBLEM IS NOT SUFFICANT TO PLEASE SOME PEOPLE... ALSO I WOULD LIKE AS MANY CONSULTING COMPANIES AS POSSIABLE TO OFFER SERVICES USING THEM FOR THEIR OWN PROFIT..

I WOULD HATE TO SEE ANYONE HAVE TO LEARN ANYTHING BUT HOW TO COMPILE A PROGRAM..(i do not consider writing a report something that anyone who has a education beyond that of the 3rd grade something that has to be learned by the corporate scam-artist )

-------|LOCATED IN /lib/string.c|-----

char * strcpy(char * dest,const char *src)
{
        char *tmp = dest;

[1]     while ((*dest++ = *src++) != '\0')
                /* nothing */;
        return tmp;
}

as you can see at line [1] there is no length/intgreaty checking as src is being inserted into dest

SOLUTION:

there is no solution to this problem if there were, one would be common by now.. as we all know now there are no true standards worth following

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
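
Added example, not part of either message and not code from /lib/string.c: a length-checked counterpart to the strcpy() loop quoted above, where the caller passes the destination size and learns when the source did not fit. The names bounded_copy, copy_status and struct record are hypothetical, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum copy_status { COPY_OK, COPY_TRUNCATED, COPY_BADARG };

/* bounded_copy (hypothetical helper): copy src into dest, which holds
 * dest_size bytes. Never writes past dest + dest_size and always
 * NUL-terminates. If needed is non-NULL it receives strlen(src) + 1,
 * the buffer size that would have held src in full. */
enum copy_status bounded_copy(char *dest, size_t dest_size,
                              const char *src, size_t *needed)
{
    size_t src_len, n;

    if (dest == NULL || src == NULL || dest_size == 0)
        return COPY_BADARG;          /* no room even for the terminator */

    src_len = strlen(src);
    if (needed != NULL)
        *needed = src_len + 1;

    /* Copy at most dest_size - 1 bytes, then terminate explicitly. */
    n = (src_len < dest_size - 1) ? src_len : dest_size - 1;
    memcpy(dest, src, n);
    dest[n] = '\0';

    return (src_len >= dest_size) ? COPY_TRUNCATED : COPY_OK;
}

/* Constructed layout: an 8-byte buffer followed by a field that an
 * unbounded copy of a long string would overwrite. */
struct record { char name[8]; unsigned guard; };

/* Returns 1 when the guard survived and name is a terminated string. */
int demo_guard_intact(const char *input)
{
    struct record r;
    r.guard = 0xC0FFEEu;
    (void)bounded_copy(r.name, sizeof r.name, input, NULL);
    return r.guard == 0xC0FFEEu && strlen(r.name) < sizeof r.name;
}

int main(void)
{
    char buf[8];
    size_t need = 0;
    enum copy_status st = bounded_copy(buf, sizeof buf, "constructed-long-input", &need);
    printf("status=%d stored=\"%s\" needed=%zu\n", (int)st, buf, need);
    return demo_guard_intact("constructed-long-input") ? 0 : 1;
}
```

A caller that must not accept truncated data treats COPY_TRUNCATED as an error and uses the needed value to size a larger buffer before retrying.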