'RE: [Full-Disclosure] C99 Security Alert-Old-New-Who-Cares :) - (:'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    RE: [Full-Disclosure] C99 Security Alert-Old-New-Who-Cares :) - (:
From:       "Schmehl, Paul L" <pauls () utdallas ! edu>
Date:       2003-05-30 16:10:48
[Download RAW message or body]

Normally I wouldn't bother pointing this stuff out, but if you're going
to accuse other people of having less than a third grade
education....well, people who throw stones shouldn't live in glass
houses....

operation systems?  NOT SUFFICANT???  AS POSSIABLE???  Intgreaty???

Maybe you should consider finishing school yourself, before you
criticize others.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

-----Original Message-----
From: democow .... [mailto:democow8086@hotmail.com] 
Sent: Thursday, May 29, 2003 10:06 PM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] C99 Security Alert-Old-New-Who-Cares :) - (:


SECURITY VUNERABILITY ALERT:

hello,
as a new white-hat hacker i would like to help the information security 
industry by posting a new vulnerability in the the linux operating 
system(this vulnerability may be present in many other operation systems

depending on their implementation of the c)

i am posting this vulnerability to help the security community support 
itself in these troubled times, i know how hard it is for you to improve
you 
image in their media these days.. so i would like you to scam a few more

companies with some penetration tests.. and your "consulting" services

AND PLEASE POST AS MANY EXPLOITS AS YOU CAN BASED ON THE FOLLOWING 
INFORMATION... AS JUST INFORMATION ON THIS PROBLEM IS NOT SUFFICANT TO 
PLEASE SOME PEOPLE... ALSO I WOULD LIKE AS MANY   CONSULTING COMPANIES
AS 
POSSIABLE TO OFFER SERVICES USING THEM FOR THEIR OWN PROFIT.. I WOULD
HATE 
TO SEE ANYONE HAVE TO LEARN ANYTHING BUT HOW TO COMPILE A PROGRAM..(i do
not 
consider writing a report something that anyone who has a education
beyond 
that of the 3rd grade something that has to be learned by the corporate 
scam-artist )

-------|LOCATED IN /lib/string.c|-----

char * strcpy(char * dest,const char *src)
{
        char *tmp = dest;

      [1]  while ((*dest++ = *src++) != '\0')
                /* nothing */;
        return tmp;
}

as you can see at line [1] there is no length/intgreaty checking as src
is 
being inserted into dest

SOLUTION:
there is no solution to this problem if there were, one would be common
by 
now.. as we all know now there are no true standards worth following
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic