Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Reverse Engineering thoughts
From: ethanpreston () ziplip com
Date: Wed, 7 Jan 2004 12:12:39 -0800 (PST)

-----Original Message-----
From: n30 [mailto:n30_lists () hotmail com]
Sent: Wednesday, January 07, 2004, 9:11 AM
To: pen-test () securityfocus com, full-disclosure () lists netsys com
Subject: Reverse Engineering thoughts

Hello Folks,

Just wanted your opinion.

Say I am pen-testing an application...It requires authentication credentials
to run. Also, the software has a demo mode & full version mode.

Now using RE (Reverse engineering), I can change the ASM & create a small
patch file to bypass the auth & convert the demo mode to full version mode.

Is this a security problem?? What should be my recommendation??

This is assuming that I work for a pen test firm & the company wants us to
test their product. So I should not be affected by DMCA?? Am i right??

Thanks in advance
-N

---------------------------------------------------------------------------
----------------------------------------------------------------------------


Legally, you're likely in the clear if the patch hasn't left your hands. See 17 USC 1201(j) -- exemption for security 
testing. Using your assumptions, you'd fall into the 1201(j) exemption of the DMCA, especially 1201(j)(3).

As a practical matter, I'd include it in a report because 1) the simple auth bypass tends to indicate sloppy coding, 
that might be a problem  elsewhere, 2) the hypothetical client might consider protecting its revenue an important (the 
most important?) aspect of its security, and 3) depending on your contract with the client, if it found out that you 
knew about such a hack and didn't disclose it, the client might come after you. 

Still, I'd take precautions to ensure the messenger didn't get shot.


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Reverse Engineering thoughts ethanpreston (Jan 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]