Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 13 Jan 2009 07:11:11 -0500
On Mon, Jan 12, 2009 at 8:32 AM, ArcSighter Elite <arcsighter () gmail com> wrote:
> A few days ago, I identified a vulnerability in some closed-source vendor's ftp server. Then, days later, I was requested to do a pen-test against a company. While I was information gathering, I managed to identify that third-party ftp daemon on one of the company's external hosts. I wasn't sure how to proceed in such a situation, but I fell to the temptation and exploited the flaw. That led to a 20-min entire network compromise, and of course proved that the network was vulnerable. After doing that, and thinking about what I'd done, I wasn't that happy about my results. First, I have the issue of how to report this vulnerability to the company without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and it's exploitable, as I've proved, but it wasn't general public knowledge that the flaw is present. I know I've broken a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and it is my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones).
In my opinion, this is more than acceptable. If you do a pen-test and find previously unpublished vulnerabilities, you should absolutely test for that vulnerability in subsequent pen-tests. There are two reasons for this. First and foremost is that it is the responsible and ethical thing to do for your clients. To pretend one client is vulnerable but another is not because you're still engaged with the first client in remediation with the vendor is unfair to the second client, and in my mind borders on unethical behavior. The second reason is that the more customers the vendor hears from, the more likely they are to issue a patch. If this happens in the framework of a pen-testing NDA and you agree to work on behalf of both clients with the vendor (hopefully you can bill T&M for this, yes?), then this shouldn't be a problem. This is only a problem for you if, during vendor discussions on behalf of the first client, you agreed not to disclose the vulnerability to anyone else. But, hey, stuff happens, and software vendors aren't your customers. Also remember that it is perfectly OK to recommend that a client switch software because of a lousy vendor response. Oh, and a third reason. Customers like 0days. It makes them feel like they got their money's worth. It keeps you from being replaced by Qualys or some discount poseur with Nessus (right Adriel? :-) )
> Secondly, the flaw provided me with enough information that would otherwise have taken me a lot longer to achieve; so I felt the audit process had been somehow compromised.
If there's other testing that you would've done and you're not already over on hours, you should do it. That's just good business. But if you've completed the testing according to the defined scope of work, and been successful with your test, there's no reason to feel guilty because it was easy for you. Enjoy it now, because in the coming months you'll probably catch a project where you go over hours banging your head against the wall. Ebb and flow. Yin and Yang.

PaulM