
Re: FAX a virus

To: "Craig Wright" <cwright@bdosyd.com.au>, Pen-Testing <pen-test@securityfocus.com>
Subject: Re: FAX a virus
From: "Shreyas Zare" <shreyas@technitium.com>
Date: Wed, 7 Mar 2007 13:24:59 +0530
Hi,

I don't think not freeing memory will cause any problem. When your
program terminates, the OS will do the cleanup job automatically and
all the memory used by the program will be freed. It's FUD, nothing
else.

Regards,

On 3/3/07, Craig Wright <cwright@bdosyd.com.au> wrote:

Hello,

Attached is a small piece of code designed to write memory without freeing that 
memory - a situation that will eventually cause a memory overrun and crash as I 
am not freeing the buffer.

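#include <cstdio>

int main(int argc, char **argv)
{
    // Allocated with new[] and deliberately never delete[]'d: this is the leak.
    char *MemorytLeak = new char[32];
    MemorytLeak[0] = 'B';
    printf("%c\n", MemorytLeak[0]);
    return 0;
}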

You have received this as an email. It may be in text form or processed. I can 
however state that not a single person receiving this e-mail will resultantly 
have a system crash due to receiving this code. If I was to write it into a 
script and send the e-mail as HTML, I could still say the same.

Writing text in itself is not an attack. To make this into an attack, I have to 
do more than just sending it. Stating that it is possible to inject script is 
not a function of a fax or an OCR engine. I could categorically compile or 
otherwise run all code and script received from a fax machine. I could meticulously 
ensure that no errors occurred and that the code was correct, load it into some 
application that will run it, and state that I have been attacked.

This however is not an attack through fax or OCR for that matter. In the 
above-mentioned situation the attack occurs not because I have received code, 
but rather as I have decided to run code or script on my system.

Regards,

Craig

PS

I reiterate, F.U.D.



--
(This e-mail was composed and sent completely using recycled electrons)

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas@technitium.com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam@technitium.com

Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.
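
Added example, not part of either message: a C program, assuming Linux (`/proc/self/statm` and `RLIMIT_AS`), that runs the same write-and-never-free pattern under a capped address space, once inside a single long-lived process and once across many short-lived processes whose memory the OS reclaims at exit. `CHUNK`, `HEADROOM`, `sink`, `leak_in_child` and `short_lived_leaks` are names and values chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#define CHUNK    (16UL << 20)  /* bytes leaked per step (constructed value) */
#define HEADROOM (64UL << 20)  /* address space allowed above the baseline */
static char *volatile sink;    /* escaping pointer: the leak cannot be optimised away */

/* Current virtual size in bytes, from /proc/self/statm (Linux assumption). */
static unsigned long vsize(void) {
    unsigned long pages = 0;
    FILE *f = fopen("/proc/self/statm", "r");
    if (!f) return 0;
    if (fscanf(f, "%lu", &pages) != 1) pages = 0;
    fclose(f);
    return pages * (unsigned long)sysconf(_SC_PAGESIZE);
}

/* Child with a capped address space leaks up to `steps` chunks; returns the count. */
int leak_in_child(int steps) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned long cap = vsize() + HEADROOM;
        struct rlimit rl = { cap, cap };
        int done = 0;
        if (cap == HEADROOM || setrlimit(RLIMIT_AS, &rl) != 0) _exit(255);
        for (; done < steps && (sink = malloc(CHUNK)) != NULL; done++)
            memset(sink, 'B', CHUNK);  /* write the buffer, never free it */
        _exit(done);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* n short-lived processes leaking one chunk each: count the ones that succeed. */
int short_lived_leaks(int n) {
    int ok = 0;
    for (int i = 0; i < n; i++) ok += (leak_in_child(1) == 1);
    return ok;
}

int main(void) {
    printf("1 process, 10 leaks: %d succeeded\n", leak_in_child(10));
    printf("10 processes, 1 leak each: %d succeeded\n", short_lived_leaks(10));
}
```

The single process stops allocating once its leaked chunks reach the cap, while every short-lived process starts from a clean address space.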
