Re: [Full-Disclosure] LOL, stupid calife maintainer - this can't be true

From: Timothy Demulder (timothy.demulder_at_tiscali.be)
Date: 02/28/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 28 Feb 2004 14:54:34 +0100

    On Sat, 28 Feb 2004 14:18:20 +0100
    "DownBload / Illegal Instruction Labs" <downbload@hotmail.com> wrote:

    > This can't be true...

    ...

    > Vulnerable code ("glibc problem" ;-) ->
    > /root/calife-2.8.4c/db.c
    > ------------------------
    > ...
    > char got_pass = 0;
    > char * pt_pass, * pt_enc,
    > * user_pass, * enc_pass, salt [10];
    >
    > user_pass = (char *) xalloc (l_size);
    > enc_pass = (char *) xalloc (l_size);
    > ...
    > for ( i = 0; i < 3; i ++ )
    > {
    > pt_pass = (char *) getpass ("Password:");
    > memset (user_pass, '\0', l_size);
    > strcpy (user_pass, pt_pass); // <- BAD CODE
    > pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
    > memset (enc_pass, '\0', l_size);
    > strcpy (enc_pass, pt_enc);
    > }
    > ...
    > free (user_pass); // <- FUN CODE ;-)
    > free (enc_pass); // <- FUN CODE ;-)
    > ...

    It's just plain sad, there should be capital punishment for people
    who code like this.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
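The defect in the quoted loop is the unbounded `strcpy (user_pass, pt_pass)`: the buffer was allocated with a fixed `l_size`, but whatever `getpass()` returns is copied into it without a length check, and the buffers are then handed to `free()`. The following is an added example, not code from the post or from calife: a bounds-checked replacement for that copy step, with a wipe of the secret buffer before it is released. `copy_password_bounded`, `wipe_secret` and `try_copy` are hypothetical names, and the inputs are constructed stand-ins for `getpass()` output.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <string.h>

/* Hypothetical replacement for the quoted `strcpy (user_pass, pt_pass)`.
 * Copies pt_pass into the caller's l_size-byte buffer only if it fits
 * together with its terminating NUL; otherwise the buffer is left empty.
 * Returns 0 on success, -1 if the input would overflow the buffer. */
int copy_password_bounded(char *user_pass, size_t l_size, const char *pt_pass)
{
    size_t n;
    if (user_pass == NULL || l_size == 0 || pt_pass == NULL)
        return -1;
    /* strnlen stops at l_size, so an over-long input is never scanned
     * further than the destination could possibly hold */
    n = strnlen(pt_pass, l_size);
    memset(user_pass, '\0', l_size);
    if (n >= l_size)            /* no room left for the terminating NUL */
        return -1;
    memcpy(user_pass, pt_pass, n + 1);
    return 0;
}

/* Clear a secret buffer before free(). The volatile pointer keeps the
 * compiler from dropping a memset on memory it considers dead. */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = '\0';
}

/* Constructed driver: pretend the buffer was allocated with the given
 * l_size (at most 64 here) and report the copy result. */
int try_copy(const char *input, size_t l_size)
{
    char buf[64];
    int rc;
    if (l_size > sizeof buf)
        return -2;
    rc = copy_password_bounded(buf, l_size, input);
    wipe_secret(buf, sizeof buf);
    return rc;
}
```

With an 8-byte buffer a 7-character password is accepted and an 8-character one is refused, where the original code would have written past the end of the allocation.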

