Re: A question of Security

jt@npdaxp.fuw.edu.pl
Tue, 21 Dec 1999 21:52:23 MET


>Date: Thu, 16 Dec 1999 14:58:27 -0500
>From: "Michael H. Warfield" <mhw@wittsend.com>

> Intuition, in this case, is wrong. The intruders (hackers, crackers,
>script kiddies, bozos, if you want) have got better debugging tools and
>reverse engineering tools than most developers I know and they know how
>to use them and what to look for. You think the recent buffer overflows
>found in Solaris snoop were from looking at the sources? I think not. You

I suppose it is unlikely they use reverse engineering tools.
More likely they just have a similar system, and try sending
illegal packets to it. When some server program crashes
they look at the crash dump, register contents, etc. - whatever
is available - and try to guess what such an illegal packet
has to contain for it to allow getting control, and to give
any signal that this happened. When they succeed, the next step is
putting code there which adds a user to /etc/passwd...

> Had one break a crypto algorithm by using a debugger to disassemble
> it and cut and paste it into his own C code with an escape to assembler.

In fact, it is possible. I myself wrote my own password crypt
in C for Novell's NetWare this way (we planned on writing a
NetWare client for VMS here, but never had enough time;
and the client library we bought was almost all in source
except a few functions which used password crypt). A few days,
a significant part of the time used to make the code better.

Jerzy