Re: Using 0days as part of pen-test?



Well I think that if you can identify a 0day, and you are able to exploit it, then you have a plus over a lot of just-framework-pentesters, not trying to talk bad about anybody. And the point is to prove the network is vulnerable. I think it is ok to exploit 0days, but of course you will explain that in the final report, and then you might do whatever you want with your research. Maybe things will depend on the contract you sign with your customer about techniques, procedures, and what kind of exploitations you are allowed to test.

Greetings!
________________

Javier Reyna
CCSE WCSE ISS-CS NSP JNCIA-FWV
Security Consultant
jreyna@xxxxxxxxxxxxxx
www.onlinet.com.mx
,,__
o" )~
''''



ArcSighter Elite wrote:
Hi list.
I'm rather new to responsible disclosure, so experts may find my
question silly, but I've found it pretty interesting, so please keep reading.

A few days ago, I've identified a vulnerability in some closed-source
vendor's ftp server.
Then, days later I was requested to do pen-test against a company. While
I was information gathering, I've managed to identify that third-party
ftp daemon in one of the company's external hosts.
I wasn't pretty sure how to proceed in such a situation, but I fell to
the temptation and exploited the flaw. That led to a 20-min entire
network compromise, and of course proved that the network was vulnerable.
After doing that, and thinking about what I've done; I wasn't that happy
about my results.
First, I got the issue of how to report this vulnerability to the
company without breaking the -intermediary- vendor contact and
agreement; because the vulnerability exists and it's exploitable as I've
proved, but it wasn't general public knowledge that the flaw is present.

I know I've broken a lot of phases of any pen-test framework, but IMHO a
blackhat will proceed exactly this way: they'll exploit the network
through its weakest link, and it's my task to protect the company from the
blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that would otherwise
have taken me a lot longer to achieve; so I felt the audit process has
been somehow compromised.

I think I've been clear enough; if I haven't, just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
