Pantek Library

Re: how to discover vulnerability?

From: Ali Saifullah Khan <ali_saifullah(at)hotmail.com>
Date: Fri Apr 18 2003 - 00:48:23 EDT


Well, there has been debate for some time now over this issue. Most ways of writing stack/heap/buffer overflows deal with searching for places in the code where there are either inefficient or non-existent boundary checking conditions.

Using snprintf() instead of printf() is an example subject which has undergone considerable debate for a long time. But there are several other theologies you may consider when attempting to exploit a loophole in an application. It can be the way it takes input, not necessarily how it takes input. If one can structure ways to force input to the application while not necessarily attempting buffer overflows, but just by the way the programmer has designed the application to deal with input data, you have every chance of exploiting a new loophole the programmer may have never even thought about, or written code to avoid.

Regards,
Ali Saifullah Khan

>----- Original Message -----



Received on Mon Apr 21 12:36:05 2003
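The boundary-checking point in the message above, as an added example that is not part of the original post: a bounded formatting routine that uses snprintf() and checks its return value so truncation at the buffer edge is detected rather than ignored. The function name `build_greeting`, the status enum and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Status codes for this example only (hypothetical names). */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Format "Hello, <name>!" into dst, which holds dst_len bytes.
 * An unbounded sprintf(dst, "Hello, %s!", name) would write past dst
 * whenever name is too long. snprintf() writes at most dst_len bytes
 * (terminating NUL included) and returns the length the complete output
 * would have had, which is what makes truncation detectable.
 */
enum fmt_status build_greeting(char *dst, size_t dst_len, const char *name)
{
    int needed;

    if (dst == NULL || dst_len == 0 || name == NULL)
        return FMT_ERROR;

    /* name is only ever an argument, never the format string itself. */
    needed = snprintf(dst, dst_len, "Hello, %s!", name);
    if (needed < 0) {               /* encoding or output error */
        dst[0] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)needed >= dst_len)  /* output did not fit; dst holds a prefix */
        return FMT_TRUNCATED;
    return FMT_OK;
}

int main(void)
{
    char buf[16];
    /* Constructed sample inputs: one fits, one exceeds the buffer. */
    const char *inputs[] = { "Ali", "a-name-far-longer-than-the-buffer" };

    for (size_t i = 0; i < 2; i++) {
        enum fmt_status st = build_greeting(buf, sizeof buf, inputs[i]);
        printf("status=%d len=%zu buf=\"%s\"\n", (int)st, strlen(buf), buf);
    }
    return 0;
}
```

The caller decides what FMT_TRUNCATED means for the application (reject the input, or accept the shortened string); silently continuing is the case the return-value check exists to prevent.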

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:06 EDT

