Re: Using 0days as part of pen-test?

[Jeremy Brown <0xjbrown41 () gmail com>]

Thinking about if 0days are allowed.. what about findings from fuzzing?

On Wed, Jan 21, 2009 at 2:34 PM, Morning Wood <se_cur_ity () hotmail com> wrote:
> the question(s) to ask is...
>
> do the bad guys have this exploit?
> can the bad guys reach the target?
>
> if there is low hanging fruit on a tertiary machine, that allows more
> leverage against the target...
>
> will the bad guys not use this vector?
>
> answering yes to any of the above will help you determine the severity, and
> quantifiability to you.
>
> remember.. you are being paid to be the "bad guy"
>
>
> ----- Original Message ----- From: "ArcSighter Elite" <arcsighter () gmail com>
> To: "pen-test list" <pen-test () securityfocus com>
> Sent: Monday, January 12, 2009 5:32 AM
> Subject: Using 0days as part of pen-test?
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi list.
> > I'm rather new to responsible disclosure, so experts may found silly my
> > question, but I've founded pretty interesting, so please keep reading.
> >
> > A few days ago, I've identified a vulnerability in some closed-source
> > vendor's ftp server.
> > Then, days later I was requested to do pen-test against a company. While
> > I was information gathering, I've managed to identify that third-party
> > ftp daemon in one of the company's external hosts.
> > I wasn't pretty sure how to proceed in such a situation, but I've fal to
> > the temptation and exploited the flaw. That led to a 20-mins entire
> > network compromise, and of course proved that the network was vulnerable.
> > After doing that, and thinking about what I've done; I wasn't that happy
> > about my results.
> > First, I got the issue of how to report this vulnerability to the
> > company, without breaking the -intermediary- vendor contact and
> > agreement; because the vulnerability exists and its exploitable as I've
> > proved, but it wasn't general public knowledge the flaw is present.
> >
> > I know I've braked a lot of phases of any pen-test framework, but IMHO a
> > blackhat will proceed exactly this way: they'll exploit the network
> > through its weakest link, and is my task to protect the company from the
> > blackhat, not from pen-testers (at least not the evil ones).
> >
> > Secondly, the flaw provided me with enough information that otherwise
> > will take me a lot longer to achieve; so I felt the audit process has
> > been somehow compromised.
> >
> > I think I've been clear enough, if I haven't just ask for more info.
> >
> > What's the most ethical way to proceed in such a situation?
> >
> > Sincerely.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.6 (GNU/Linux)
> >
> > iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR
> > U1rhxUzEw6Z+Q7P7Vxwe9mc=
> > =5m9Z
> > -----END PGP SIGNATURE-----