Penetration Testing mailing list archives

RE: SQL Injection Legalities


From: "Weaver, Woody" <woody.weaver () callisma com>
Date: Mon, 22 Jul 2002 06:13:30 -0700

I think we are in generally murky territory, which is why getting the
get-out-of-jail-free card is so important.  I think the Randall Schwartz
case is certainly relevant: you have someone with excellent credentials, had
no intent to defraud or extort, and performed activities which one could
argue were within his authorization (crack passwords). Yet it developed a big
black hole in his life.

In my mind, there are three lines to cross:

(1) Vulnerability assessment, not a pen test (ie from the formal definition
eg RFC2828 -- no attempt to circumvent the security features of the system.)
A noisy Nessus scan with the "do no harm" button enabled would fall into
this category, I think, and I'd characterize it as seeing what is listening
(permitted by the Host Requirements RFC, I think), gathering banners,
perhaps minor exercise of services to verify properties.  Could be
considered a hostile act, but often on Internet connected machines more a
matter of idle curiosity.

(2) Pen test, information gathering only, or brief, non-disruptive loss of
service. We are circumventing the security features, but doing so in a
gentle fashion.  SQL injection that doesn't execute a stored program would
fall under this category. Web exploits to get directory listings are
similar.  Definitely a hostile act, so get permission first.

(3) Aggressive pen test, actively subverting a security feature to alter the
contents of a system or generate traffic towards another system. Uploading a
back door falls into this category. Not merely hostile, close enough to
violate the rules (they could arrest you and work out your intent later)
that you better have a lawyer blessed get-out-of-jail-free card handy.

Of course, (2) is a slippery slope...

Do the rest of you have similar definitions?

--woody

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
Sent: Sunday, July 21, 2002 4:33 PM
To: Weaver, Woody; darrell () cpp com; PEN-TEST () securityfocus com
Subject: RE: SQL Injection Legalities




At 12:13 PM 7/21/2002, Weaver, Woody wrote:
I don't think that applies, as long as the machine wasn't a computer owned
by the US government, wasn't a protected computer (accessible to the public
is probably good cause), and there was no intent to defraud or extort.


I thought the same thing when I re-read the law... I've seen it referenced 
several times, and have read over it several times previously, but w/o 
being a lawyer, it is hard to tell to what degree they could apply it to 
different scenarios.

But when they throw in vague wording such as "exceeding authorized access" 
or "intent" and blah, blah, blah, it really opens it up for varied 
interpretation.

I guess my point of view is that the developer is explicitly allowing a 
user to submit a query.  If he does not sanitize user input, then they are 
"allowing" me to submit the query as I wish- in this case, changing the 
logic to ['bicycle' or 1=1].  I don't think that anyone would go to the 
trouble of trying to prosecute for this type of SQL injection, particularly 
since there is no "damage" or anything, but what do you do when I do 
['bicycle' union select name,password from sysxlogins--] ?  It is really 
the same thing, and there are still no damages, but there is a far greater 
potential for abuse.

What I guess I was really looking for was a response from a lawyer who said 
"Yes, someone did this and we nailed their butt" or "Yes, someone did this 
and there was really nothing we could do about it- see Smith vs BigCorp" or 
something along those lines.  To me, SQL Injection is a different animal-- 
no port scanning, no direct vulnerability exploitation, and not even 
uploading stuff (unless you want to, of course) and you can still get to 
everything you want.  When the developer uses "UID=SA;PWD=" in the damn 
connection string, then they would have a hard time saying that I exceeded 
authorization, you know?

So, it looks like we are where we normally are with this sort of thing- 
nobody really knows until the law is tested.

Thanks to all for the responses.  Have a good one-

Cheers-

AD


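The ['bicycle' or 1=1] logic change discussed in the message above, shown as an added example that is not part of the original thread: the concatenated query the developer "allows" beside its parameterized form, run against a constructed product table in Python's sqlite3 (the table, rows and function names are assumptions, not anything from the thread).

```python
import sqlite3

# Constructed sample data standing in for the web application's database
# (an assumption for this example; not from the original thread).
SAMPLE_ROWS = [("bicycle", 199.0), ("helmet", 25.0), ("lock", 15.0)]


def make_db():
    """Create an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_concatenated_sql(term):
    """Query text built the way the thread's developer builds it: the user's
    input is spliced into the SQL string, so it can change the WHERE logic."""
    return "SELECT name FROM products WHERE name = '" + term + "' ORDER BY name"


def search_vulnerable(conn, term):
    """Unsanitized version: whatever the user typed becomes part of the query."""
    return [row[0] for row in conn.execute(build_concatenated_sql(term))]


def search_parameterized(conn, term):
    """Hardened version: the term is bound as a value by the driver, so it is
    compared as a literal string and can never alter the query's structure."""
    sql = "SELECT name FROM products WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # The same input the thread describes, turning "name = 'bicycle'" into
    # "name = 'bicycle' or 1=1" (the comment marker swallows the closing quote).
    probe = "bicycle' or 1=1 --"
    print("concatenated SQL :", build_concatenated_sql(probe))
    print("vulnerable rows  :", search_vulnerable(db, probe))     # every row
    print("parameterized    :", search_parameterized(db, probe))  # no such name
```

The vulnerable function returns the whole table for the probe input, while the parameterized one returns nothing because no product is literally named `bicycle' or 1=1 --`.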

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

