Penetration Testing mailing list archives

RE: Reverse Engineering thoughts


From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 8 Jan 2004 10:13:01 +1300

Hey all

JC, agreed, and the traditional cracking stuff can come in handy in the right situation.

Say I am pen-testing an application... It requires authentication credentials to run.
Also, the software has a demo mode & full version mode.

Not much to go on so I'll take a stab in the dark.

Application is custom written 2 parts, client and server.
Server listens for connections from clients
Client has 2 modes / demo and full. It is presumed full can do more stuff.

A security review should be a comprehensive check of many areas. Thus it needs a
holistic approach, and at a tech level should include checks like the following:

- buffer overflow attacks against client and server
- clear text packet sniffing
- usual SQL injection and other auth bypass methods (cookie/session/flags)

Also, because a part of the application (the client) is a local binary, I think
it is important to do 'other' checks for attacks that may allow:
- admin (god)
- access to extra features
- more 'time/credits/funds' etc. (kiosk type thing)
- local storage of credentials. clear text files / databases

These checks could include the following:
- binary R/E
  * traditional cracking methods
- window enabling
  * sending WM_ENABLE to enable buttons etc.
- message forging
  * an 'option' on a menu will send a message to the parent/active window. Even if
    the menu is disabled/nonvisible, the parent window may still accept and dispatch
    the message.

We did a test once where the 'low access' client app could be forced to allow
user management.

Brett.

jc:HNY/vegas
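A worked illustration of the 'window enabling' and 'message forging' checks described above. This is an added example, not code from the thread or from any tool the posters used. It walks the target window's menu bar with ctypes over user32, listing every command ID including the greyed-out ones, forges the WM_COMMAND a menu item would have sent, and re-enables a greyed control with EnableWindow (the documented call that changes the state; the control receives WM_ENABLE as a result). The window title "Demo Client", the FakeMenuApi menu layout and command IDs, and all function names are assumptions; the fake lets the menu walk run offline, while the Win32MenuApi adapter can only be constructed on Windows.

```python
"""Probe a Win32 GUI client for greyed-out commands its parent still handles.
Added example, not from the thread; title, menu layout and IDs are assumed."""
import ctypes
import sys

WM_COMMAND = 0x0111      # message a menu item or button sends to its parent
MF_BYPOSITION = 0x0400
MF_GRAYED = 0x0001
MF_DISABLED = 0x0002
MF_SEPARATOR = 0x0800
MF_POPUP = 0x0010
NO_ITEM_ID = 0xFFFFFFFF  # GetMenuItemID returns this for a submenu entry


def make_wparam(low, high=0):
    """Win32 MAKEWPARAM: command ID in the low word, notify code in the high word."""
    return ((high & 0xFFFF) << 16) | (low & 0xFFFF)


def is_disabled(state):
    """True when the GetMenuState flags mark the item greyed or disabled."""
    return bool(state & (MF_GRAYED | MF_DISABLED))


def walk_menu(api, hmenu, path=()):
    """Return [(label path, command id, disabled)] for every command item,
    descending into popups even when the popup itself is greyed out."""
    found = []
    for pos in range(api.item_count(hmenu)):
        state = api.item_state(hmenu, pos)
        if state & MF_SEPARATOR:
            continue
        label = api.item_text(hmenu, pos)
        sub = api.sub_menu(hmenu, pos)
        if sub:
            found.extend(walk_menu(api, sub, path + (label,)))
            continue
        found.append((path + (label,), api.item_id(hmenu, pos), is_disabled(state)))
    return found


def forge_menu_command(api, hwnd, cmd_id):
    """Send the WM_COMMAND the menu would have sent had the item been clickable.
    Many WM_COMMAND handlers never re-check the item's enabled state."""
    return api.send_message(hwnd, WM_COMMAND, make_wparam(cmd_id, 0), 0)


class FakeMenuApi:
    """Constructed stand-in for user32 so the walk runs offline (hypothetical
    demo client: File menu enabled, Admin popup and its items greyed out)."""
    MENUS = {  # handle -> [(label, command id, MF_* state, submenu handle)]
        1: [("&File", 0, MF_POPUP, 2), ("&Admin", 0, MF_POPUP | MF_GRAYED, 3)],
        2: [("&Open", 101, 0, None), ("", 0, MF_SEPARATOR, None), ("E&xit", 102, 0, None)],
        3: [("&User management", 301, MF_GRAYED, None), ("&Licence", 302, MF_DISABLED, None)],
    }
    def __init__(self): self.sent = []           # record of forged messages
    def item_count(self, h): return len(self.MENUS[h])
    def item_text(self, h, pos): return self.MENUS[h][pos][0]
    def item_state(self, h, pos): return self.MENUS[h][pos][2]
    def sub_menu(self, h, pos): return self.MENUS[h][pos][3]
    def item_id(self, h, pos):
        _, cmd, _, sub = self.MENUS[h][pos]
        return NO_ITEM_ID if sub else cmd
    def send_message(self, hwnd, msg, wparam, lparam):
        self.sent.append((hwnd, msg, wparam, lparam))
        return 0


class Win32MenuApi:
    """Thin ctypes adapter over user32; only constructible on Windows."""
    def __init__(self):
        if sys.platform != "win32":
            raise OSError("user32 is only available on Windows")
        u = self.u = ctypes.WinDLL("user32", use_last_error=True)
        H, I, U = ctypes.c_void_p, ctypes.c_int, ctypes.c_uint
        u.GetMenuItemCount.argtypes, u.GetMenuItemCount.restype = [H], I
        u.GetMenuItemID.argtypes, u.GetMenuItemID.restype = [H, I], U
        u.GetMenuState.argtypes, u.GetMenuState.restype = [H, U, U], U
        u.GetSubMenu.argtypes, u.GetSubMenu.restype = [H, I], H
        u.GetMenuStringW.argtypes = [H, U, ctypes.c_wchar_p, I, U]
        u.GetMenu.argtypes, u.GetMenu.restype = [H], H
        u.FindWindowW.argtypes, u.FindWindowW.restype = [ctypes.c_wchar_p] * 2, H
        u.EnableWindow.argtypes = [H, I]
        u.SendMessageW.argtypes = [H, U, ctypes.c_size_t, ctypes.c_ssize_t]
        u.SendMessageW.restype = ctypes.c_ssize_t
    def item_count(self, h): return self.u.GetMenuItemCount(h)
    def item_id(self, h, pos): return self.u.GetMenuItemID(h, pos)
    def item_state(self, h, pos): return self.u.GetMenuState(h, pos, MF_BYPOSITION)
    def sub_menu(self, h, pos): return self.u.GetSubMenu(h, pos)
    def item_text(self, h, pos):
        buf = ctypes.create_unicode_buffer(256)
        self.u.GetMenuStringW(h, pos, buf, 256, MF_BYPOSITION)
        return buf.value
    def send_message(self, hwnd, msg, wparam, lparam):
        return self.u.SendMessageW(hwnd, msg, wparam, lparam)
    def enable_control(self, hwnd_child):
        """EnableWindow(TRUE) on a greyed button; the control receives WM_ENABLE."""
        return self.u.EnableWindow(hwnd_child, 1)


if __name__ == "__main__":
    # Usage (Windows only): python probe.py [command-id-to-forge]
    api = Win32MenuApi()
    hwnd = api.u.FindWindowW(None, "Demo Client")  # hypothetical target title
    if not hwnd:
        sys.exit("target window not found")
    for path, cmd, disabled in walk_menu(api, api.u.GetMenu(hwnd)):
        print(f"{'DISABLED' if disabled else 'enabled '} {cmd:5d}  {' > '.join(path)}")
    if len(sys.argv) > 1:   # fire a greyed-out command; the target's handler decides
        forge_menu_command(api, hwnd, int(sys.argv[1]))
```

The walk deliberately ignores the popup's own greyed state: the command IDs under a disabled "Admin" menu are still there and still reach the parent's WM_COMMAND handler when forged, which is the behaviour the "low access" client finding above relies on. Whether the forged command actually runs is decided by the target's handler, so run the probe against a test instance, not production.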

-----Original Message-----
From: johnny cyberpunk [mailto:johncybpk () gmx net]
Sent: Thursday, January 08, 2004 6:53 AM
To: pen-test () securityfocus com; full-disclosure () lists netsys com
Subject: Re: Reverse Engineering thoughts


hi n30,

What you are doing is not reversing the tool for security bugs, it's traditional
cracking stuff.
My opinion is that this can't be reported directly as a security problem, but you
can point out that they should improve their software with harder copy protection,
such as runtime binary encryption, anti-debugging stuff and so on.

cheers,
johnny cyberpunk / thc
+++ no cock is as hard as life +++
public key: http://www.thc.org/keys/jcyberpunk.pub
fingerprint: CB59 19F9 ABF2 781A 4E6C  0A43 F773 9106 BADA BF8C


----- Original Message -----
From: "n30" <n30_lists () hotmail com>
To: <pen-test () securityfocus com>; <full-disclosure () lists netsys com>
Sent: Tuesday, January 06, 2004 7:36 PM
Subject: Reverse Engineering thoughts


Hello Folks,

Just wanted your opinion.

Say I am pen-testing an application... It requires authentication credentials
to run. Also, the software has a demo mode & full version mode.

Now using RE (Reverse engineering), I can change the ASM & create a small
patch file to bypass the auth & convert the demo mode to full version mode.

Is this a security problem?? What should be my recommendation??

This is assuming that I work for a pen test firm & the company wants us to
test their product. So I should not be affected by DMCA?? Am I right??

Thanks in advance
-N
