IT Baseline Protection Manual T 4.8 Discovery of software vulnerabilities
T 4.8 Discovery of software vulnerabilities
Software vulnerabilities are unintentional program errors that are not yet known to the user and that constitute a security risk for the IT system. New security weaknesses are repeatedly found both in existing software (including widely used software) and in completely new software.
Examples:
Two examples of software vulnerabilities encountered in Unix applications are:
a sendmail bug which enabled any user to execute programs and modify files with the sendmail UID and GID; and
the gets routine. This was used by the fingerd program to read a line without checking the bounds of the variable receiving it. By means of an overflow it was thus possible to modify the stack in such a way that a new shell could be started.
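The gets case above comes down to a read routine that has no length parameter. The following is an added example, not part of the manual: a bounded line reader that rejects over-long input instead of overrunning the buffer. The names read_line, nth_line and the status codes are assumptions of this example, and the input strings are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Status codes (names are assumptions of this example). */
enum { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_EOF = 2 };

/* Unsafe pattern, kept as a comment because gets() was removed in C11:
 *     char line[512];
 *     gets(line);   // no size argument, so a longer line overruns the stack */

/* Read one line into buf without ever writing more than size bytes. An
 * over-long line is rejected and discarded up to its newline, so the next
 * call starts at a line boundary. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || size > INT_MAX || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    if (strchr(buf, '\n') == NULL && strlen(buf) == size - 1) {
        int c, extra = 0;               /* buffer full, newline not seen yet */
        while ((c = fgetc(in)) != EOF && c != '\n')
            if (c != '\r') extra = 1;
        if (extra) { buf[0] = '\0'; return LINE_TOO_LONG; }
    }
    buf[strcspn(buf, "\r\n")] = '\0';   /* strip the line terminator */
    return LINE_OK;
}

/* Hypothetical helper: status of line n (0-based) of a constructed input. */
int nth_line(const char *input, int n, char *buf, size_t size)
{
    FILE *f = tmpfile();
    int rc = LINE_EOF;
    if (f == NULL) return -1;
    fputs(input, f); rewind(f);
    for (int i = 0; i <= n; i++) rc = read_line(f, buf, size);
    fclose(f);
    return rc;
}

int main(void)
{
    char buf[8];
    const char *in = "AAAAAAAAAAAAAAAAAAAA\nbob\n"; /* constructed input */
    printf("line 0 -> status %d\n", nth_line(in, 0, buf, sizeof buf));
    printf("line 1 -> status %d\n", nth_line(in, 1, buf, sizeof buf));
    return 0;
}
```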