pr0ixat_private wrote:
> I would like to defend myself on this matter.
>
> Yes, I did write this code.

and

> I, the great pr0ix, have discovered a new technique for bruteforcing
> local suid binaries on any *nix operating system, which uncovers all
> exploitable bugs in the application.

while

> On Tue, 26 Mar 2002 14:15:11 -0500, David Rhodus <sdrhodusat_private> wrote:
> >You didn't write this code. This has been passed around for over a
> >year now.

and even mixter weighed in, all of which caused me much amusement.

Oddly enough, the whole concept of "fuzz" testing was pioneered (although we didn't think it was important enough to tell anyone) 20+ years ago. We called it "do a faceplant or smash your hand across the keyboard and see if the application crashes".

Folks, this is nothing new or original. The shared library concept is somewhat original, but it may miss application layer stupidity. This type of testing has been a discussion point of computer scientists since before most of you were born - how does one test applications without testing every possible path? See Michael Zalewski's erudite discussion on this problem in another posting.

It is fascinating to me how the testing world (which is quite old in Internet time, predating as it does the Internet) and the vulnerability assessment world are converging. Unfortunately, the vulnerability assessment world is trying to relearn every lesson and reinvent every wheel.

Paraphrasing "Read a Book" - "Read the Research". Learn from what others have done before you.

Goetz Liedtke
This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 13:50:55 PST