Penetration Testing mailing list archives

Re: Reverse Engineering thoughts


From: ethanpreston () ziplip com
Date: Wed, 7 Jan 2004 12:12:39 -0800 (PST)

-----Original Message-----
From: n30 [mailto:n30_lists () hotmail com]
Sent: Wednesday, January 07, 2004, 9:11 AM
To: pen-test () securityfocus com, full-disclosure () lists netsys com
Subject: Reverse Engineering thoughts

Hello Folks,

Just wanted your opinion.

Say I am pen-testing an application... It requires authentication credentials
to run. Also, the software has a demo mode & a full version mode.

Now using RE (Reverse engineering), I can change the ASM & create a small
patch file to bypass the auth & convert the demo mode to full version mode.

Is this a security problem? What should be my recommendation?

This is assuming that I work for a pen test firm & the company wants us to
test their product. So I should not be affected by the DMCA? Am I right?

Thanks in advance
-N

---------------------------------------------------------------------------
----------------------------------------------------------------------------


Legally, you're likely in the clear if the patch hasn't left your hands. See 17 USC 1201(j) -- exemption for security 
testing. Using your assumptions, you'd fall into the 1201(j) exemption of the DMCA, especially 1201(j)(3).

As a practical matter, I'd include it in a report because 1) the simple auth bypass tends to indicate sloppy coding 
that might be a problem elsewhere, 2) the hypothetical client might consider protecting its revenue an important (the 
most important?) aspect of its security, and 3) depending on your contract with the client, if it found out that you 
knew about such a hack and didn't disclose it, the client might come after you.

Still, I'd take precautions to ensure the messenger didn't get shot.



