Vulnerability Development mailing list archives

Re: VisualBasic auditing


From: Voguemaster <hydrax () netvision net il>
Date: Wed, 19 Feb 2003 19:55:47 +0200

Well,

As for VB auditing there are several things that one can do.
For starters, the best VB analysis tool is definitely Numega's
SmartCheck. Even without sources it can pretty much analyze what
the program is doing.
Now, security vulnerabilities in the VB VM aside, the only other
places to look for are interactions of the VB program with the
environment in which it is running. For example, using external
resources of any kind can pose a security threat. Exchanging data
with other components (mainly client programs or otherwise untrusted
input sources) is hazardous as well. It will be worth looking
into how good of an implementation there is in this program.
Remember, unexpected behaviour can occur in all sorts of ways, not
only exploiting an unchecked buffer. As for the oldest trick in the
book (almost), if there is communication with an external resource
which is not written in VB, who knows.
BTW, it is possible to crash a VB program or create some sort of DoS
on it. The VM handles it pretty well enough but a vulnerability in
the software itself is still a vulnerability.

SmartCheck and other tools can be used to audit the program. For
PCODE programs you'd have to approach the matter differently. Probably
using some sort of decompiler. Even debuggers can be used (SoftIce comes
to mind) if you're experienced enough not to get lost in the
bloated code of a VB application.

Eli


On Sun, 16 Feb 2003 19:12:32 +0000, Some d00d <shavidi () yahoo com> wrote:

Hi folks

I am auditing some network applications and a
significant number of them are written in MS Visual
Basic. Has anyone done some work on exploiting VB
software before? I assume that traditional methods such
as buffer overflows will not work here.

Are there any tools around for this (such as VB
disassemblers and de-scramblers)?

Can you point me to any sources of information?

Thanks in advance, SD