From: ethanpreston@ziplip.com
Date: Wed Jan 07 2004 - 15:12:39 EST
> -----Original Message-----
> From: n30 [mailto:n30_lists@hotmail.com]
> Sent: Wednesday, January 07, 2004, 9:11 AM
> To: pen-test@securityfocus.com, full-disclosure@lists.netsys.com
> Subject: Reverse Engineering thoughts
>
> Hello Folks,
>
> Just wanted your opinion.
>
> Say I am pen-testing an application...It requires authentication credentials
> to run. Also, the software has a demo mode & full version mode.
>
> Now using RE (Reverse engineering), I can change the ASM & create a small
> patch file to bypass the auth & convert the demo mode to full version mode.
>
> Is this a security problem?? What should be my recommendation??
>
> This is assuming that I work for a pen test firm & the company wants us to
> test their product. So I should not be affected by DMCA?? Am i right??
>
> Thanks in advance
> -N
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
Legally, you're likely in the clear if the patch hasn't left your hands. See 17 USC 1201(j) -- exemption for security testing. Using your assumptions, you'd fall into the 1201(j) exemption of the DMCA, especially 1201(j)(3).
As a practical matter, I'd include it in a report because 1) the simple auth bypass tends to indicate sloppy coding, that might be a problem elsewhere, 2) the hypothetical client might consider protecting its revenue an important (the most important?) aspect of its security, and 3) depending on your contract with the client, if it found out that you knew about such a hack and didn't disclose it, the client might come after you.
Still, I'd take precautions to ensure the messenger didn't get shot.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT