Re: Using 0days as part of pen-test?



Personally, looking at the big picture I don't see anything wrong with using a 0-day.

And here's why. There will always be 0-days, but you should have your systems and network set up in such a way that you have controls in place for such an event.

For example, the ftp server gets hit with a 0day: do your controls alert you that something went wrong? Does the service fail, yes causing a DoS, but also keeping it from opening a gaping hole? Or does it detect its compromised state and restart back to a normal running state?

There will always be ways in, or people who give up too much information, etc. That's why the need for multiple controls.

I wrote this with the OSSTMM controls in mind; I'm biased, I'm a contributor to it, but it's because it just plain works.


Regards,
Chris
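As an added illustration of the "does your control alert you" question above (example code, not from Chris or the OSSTMM), this is a small anomaly check over a process snapshot: an FTP daemon that has been exploited by an unknown flaw usually shows up as unexpected children under the daemon, or as the daemon having died. It assumes a vsftpd-style daemon that only forks copies of itself; the process list is constructed inline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str  # executable name as a process listing would show it
    uid: int


# Assumptions for this example: the daemon is vsftpd and it only ever
# forks copies of itself to handle sessions. Tune both for the real daemon.
DAEMON = "vsftpd"
EXPECTED = {"vsftpd"}


def children_by_parent(procs):
    """Index the snapshot so the daemon's subtree can be walked."""
    index = {}
    for p in procs:
        index.setdefault(p.ppid, []).append(p)
    return index


def check_ftp_daemon(procs, daemon=DAEMON, expected=EXPECTED):
    """Return alert strings; an empty list means the daemon looks normal."""
    roots = [p for p in procs if p.comm == daemon and p.ppid == 1]
    if not roots:
        # The service failing closed is still an event worth paging on.
        return [f"{daemon} is not running: failed closed or crashed, investigate"]
    alerts = []
    index = children_by_parent(procs)
    for root in roots:
        stack = list(index.get(root.pid, []))
        while stack:
            p = stack.pop()
            if p.comm not in expected:
                alerts.append(
                    f"pid {p.pid} ({p.comm}, uid {p.uid}) spawned under {daemon} pid {root.pid}"
                )
            stack.extend(index.get(p.pid, []))
    return alerts


# Constructed snapshot: one session handler has spawned a shell and a network tool.
SAMPLE = [
    Proc(1, 0, "init", 0),
    Proc(200, 1, "vsftpd", 0),
    Proc(201, 200, "vsftpd", 1001),
    Proc(202, 201, "sh", 1001),
    Proc(203, 202, "nc", 1001),
]

if __name__ == "__main__":
    for alert in check_ftp_daemon(SAMPLE):
        print("ALERT:", alert)
```

In practice the snapshot would come from the host's process table on a schedule, and the alerts would feed whatever monitoring you already run; the point is that the check needs no signature for the specific flaw.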

On Mon, Jan 12, 2009 at 8:32 AM, ArcSighter Elite <arcsighter@xxxxxxxxx> wrote:
Hi list.
I'm rather new to responsible disclosure, so experts may find my question silly, but I've found it pretty interesting, so please keep reading.

A few days ago, I identified a vulnerability in some closed-source vendor's ftp server.
Then, days later, I was requested to do a pen-test against a company. While I was information gathering, I managed to identify that third-party ftp daemon on one of the company's external hosts.
I wasn't sure how to proceed in such a situation, but I fell to the temptation and exploited the flaw. That led to a 20-minute entire network compromise, and of course proved that the network was vulnerable.
After doing that, and thinking about what I'd done, I wasn't that happy about my results.
First, I got the issue of how to report this vulnerability to the company without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and it's exploitable, as I proved, but it wasn't general public knowledge that the flaw is present.

I know I've broken a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and it's my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that would otherwise have taken me a lot longer to obtain, so I felt the audit process had been somehow compromised.

I think I've been clear enough, if I haven't just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
