Re: Using 0days as part of pen-test?

["Jason Ross" <algorythm () gmail com>]

ArcSighter Elite <arcsighter () gmail com> wrote:

> A few days ago, I've identified a vulnerability in some closed-source
> vendor's ftp server.
> Then, days later I was requested to do pen-test against a company. While
> I was information gathering, I've managed to identify that third-party
> ftp daemon in one of the company's external hosts.
> I wasn't pretty sure how to proceed in such a situation, but I've fal to
> the temptation and exploited the flaw. That led to a 20-mins entire
> network compromise, and of course proved that the network was vulnerable.
> After doing that, and thinking about what I've done; I wasn't that happy
> about my results.
> First, I got the issue of how to report this vulnerability to the
> company, without breaking the -intermediary- vendor contact and
> agreement; because the vulnerability exists and its exploitable as I've
> proved, but it wasn't general public knowledge the flaw is present.

I think a way to report thiis could be via language something like this:

"<tester> observed that <client> was running the <vendor> version
of FTP server daemon. This server has a <type> vulnerability which
allowed <tester> to compromise the integrity of the host. <tester> then
performed the following steps to further compromise the network ..."

My guess is that further details won't be necessary. If for some reason
the client asks for more information, you will need to explain that you
are unable to provide it at this time, as you are currently bound by
a non-disclosure agreement with the vendor of that software to not
release the details of the vulnerability until they have had a chance to
patch it (I'm presuming that this is what you mean when you refer to
'the -intermediary- vendor contact'?).

It's probably a good idea to assure them that you will provide full
details as additional documentation once the information is released.
This assurance is likely best done in writing.

Another possibility is that you go back to the vendor of the FTP
software and explain the situation to them. I would hope that any
vendor would be willing to work with one of their customers to fix
a security flaw. Perhaps they will permit you to disclose this
information to their customer (your client); or perhaps they could
work with your client to beta test the patch (if your client was so
inclined).

In fact, as I think about this, it's probably a very good idea to do
this, even if you go with the above reporting option. It's extremely
likely that your client will be contacting the FTP vendor to inquire
of them when this vulnerability will be patched, etc.


> I know I've braked a lot of phases of any pen-test framework, but IMHO a
> blackhat will proceed exactly this way: they'll exploit the network
> through its weakest link, and is my task to protect the company from the
> blackhat, not from pen-testers (at least not the evil ones).

Personally, I agree, depending on the scope of work.

I don't think there was anything wrong with using your knowledge of
the vulnerability in this test, provided that you have contacted the
vendor of the software and are working with them to get it patched.

The trick, as you've mentioned, is how to report the vulnerability to
the client in an ethical way.

> Secondly, the flaw provided me with enough information that otherwise
> will take me a lot longer to achieve; so I felt the audit process has
> been somehow compromised.

Why do you think this is the case? As long as you've thoroughly audited
the remaining systems, I'm not sure what difference exploiting this FTP
server made other than to make it easier, which is perfectly fine.

If you left it at "pwnd!" once you exploited the FTP server, and then
slacked off on the remaining testing, I would agree that the audit process
has been compromised. However, you've not indicated such is the case.

--
Jason