[SC-L] COBOL Exploits
Kenneth Van Wyk
ken at krvw.com
Fri Nov 2 09:41:48 EST 2007
On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote:
> I'm sure you can write COBOL programs that crash, but it must be
> hard to make them take control of the operating system.
If software exploits were "only" isolated to OS compromise, that'd be
just fine. But let's not forget that an application can be thoroughly
compromised by an attacker who never leaves the realm of the
application -- e.g., providing spoofed credentials to read another
user's customer data in a database app. The business logic data
access control (authorization) is just one area of an app that
transcends implementation language. A poorly designed authorization
model can be implemented in pretty much anything, I believe.
Let's get past the simple buffer overflow exploit to get OS access.
IMHO, it's right to consider mainframe/COBOL apps carefully. Although
we likely won't find a buffer overflow "smoking gun", I'll bet we are
likely to find examples of bad security logic that can lead to app
compromise. Plus, let's face it, modern attacks are moving more and
more towards the pure application layer (think XSS, SQL/XML injection,
cross-site request forgery, etc.), AND they're increasingly
financially motivated.
Cheers,
Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
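The authorization flaw Ken describes above (an authenticated user reading another user's customer record because the data-access layer trusts the supplied identifier), shown as a vulnerable lookup beside a hardened one. This is an added Python example, not code from the thread; the customer records, user names and privileged-user set are constructed, and the language is incidental, since the same logic flaw can be written in COBOL or anything else.

```python
# Constructed sample "database": customer_id -> (owning user, record).
CUSTOMERS = {
    1001: ("alice", {"name": "Alice A.", "balance": 5200}),
    1002: ("bob", {"name": "Bob B.", "balance": 310}),
}

# Constructed set of users allowed to read any customer (e.g. service reps).
PRIVILEGED_USERS = {"csr_dana"}

AUDIT_LOG = []  # every served or denied request is recorded here for detection


class AuthorizationError(Exception):
    """Raised for both 'forbidden' and 'no such record', so the error
    does not become an oracle for enumerating valid customer ids."""


def get_customer_unchecked(user, customer_id):
    """Vulnerable pattern: the caller is authenticated, but the data-access
    layer trusts whatever customer_id the request carries, so any user can
    read any customer's record simply by changing the id."""
    return CUSTOMERS[customer_id][1]


def get_customer(user, customer_id):
    """Hardened pattern: authorization is enforced at the data-access layer,
    deny-by-default, by comparing the record's owner (or an explicit
    privileged role) against the authenticated principal rather than
    against anything the caller supplied about itself."""
    record = CUSTOMERS.get(customer_id)
    allowed = record is not None and (record[0] == user or user in PRIVILEGED_USERS)
    AUDIT_LOG.append((user, customer_id, "served" if allowed else "denied"))
    if not allowed:
        raise AuthorizationError(f"user {user!r} may not read customer {customer_id}")
    return record[1]


def denied_count(user):
    """Detection helper: denials per user. A burst of denials across many
    ids from one principal is the signature of someone probing other
    users' records and is worth alerting on."""
    return sum(1 for u, _, outcome in AUDIT_LOG if u == user and outcome == "denied")
```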