Penetration Testing mailing list archives
Re: Reverse Engineering thoughts
From: ethanpreston () ziplip com
Date: Wed, 7 Jan 2004 12:12:39 -0800 (PST)
-----Original Message-----
From: n30 [mailto:n30_lists () hotmail com]
Sent: Wednesday, January 07, 2004, 9:11 AM
To: pen-test () securityfocus com, full-disclosure () lists netsys com
Subject: Reverse Engineering thoughts

Hello Folks,

Just wanted your opinion. Say I am pen-testing an application... It requires authentication credentials to run. Also, the software has a demo mode & full version mode. Now using RE (Reverse engineering), I can change the ASM & create a small patch file to bypass the auth & convert the demo mode to full version mode.

Is this a security problem?? What should be my recommendation??

This is assuming that I work for a pen test firm & the company wants us to test their product. So I should not be affected by DMCA?? Am I right??

Thanks in advance
-N
Legally, you're likely in the clear if the patch hasn't left your hands. See 17 USC 1201(j) -- exemption for security testing. Using your assumptions, you'd fall into the 1201(j) exemption of the DMCA, especially 1201(j)(3).

As a practical matter, I'd include it in a report because:

1) the simple auth bypass tends to indicate sloppy coding, that might be a problem elsewhere,
2) the hypothetical client might consider protecting its revenue an important (the most important?) aspect of its security, and
3) depending on your contract with the client, if it found out that you knew about such a hack and didn't disclose it, the client might come after you.

Still, I'd take precautions to ensure the messenger didn't get shot.