Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: Chris Griffin <chris () logossecurity com>
Date: Tue, 13 Jan 2009 06:03:07 -0500
Personally, looking at the big picture I don't see anything wrong with using a 0-day. And here's why. There will always be 0-days, but you should have your systems and network set up in such a way that you have controls in place for such an event. For example, the ftp server gets hit with a 0-day: do your controls alert you that something went wrong? Does the service either fail (yes, causing a DoS, but also keeping it from opening a gaping hole), or does it detect its compromised state and restart back to a normal running state?

There will always be ways in, or people who give up too much information, etc. That's why the need for multiple controls.

I wrote this with the OSSTMM controls in mind. I'm biased, I'm a contributor to it, but it's because it just plain works.

Regards,
Chris

On Mon, Jan 12, 2009 at 8:32 AM, ArcSighter Elite <arcsighter () gmail com> wrote:
Hi list.

I'm rather new to responsible disclosure, so experts may find my question silly, but I've found it pretty interesting, so please keep reading.

A few days ago, I identified a vulnerability in some closed-source vendor's ftp server. Then, days later, I was requested to do a pen-test against a company. While I was information gathering, I managed to identify that third-party ftp daemon on one of the company's external hosts. I wasn't quite sure how to proceed in such a situation, but I fell to the temptation and exploited the flaw. That led to a 20-minute entire network compromise, and of course proved that the network was vulnerable.

After doing that, and thinking about what I've done, I wasn't that happy about my results. First, I got the issue of how to report this vulnerability to the company without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and it's exploitable as I've proved, but it wasn't general public knowledge that the flaw is present. I know I've broken a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and it's my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones). Secondly, the flaw provided me with enough information that would otherwise have taken me a lot longer to achieve; so I felt the audit process has been somehow compromised.

I think I've been clear enough; if I haven't, just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
Current thread:
- Using 0days as part of pen-test? ArcSighter Elite (Jan 12)
- Re: Using 0days as part of pen-test? Chris Griffin (Jan 13)
- Re: Using 0days as part of pen-test? Pete Herzog (Jan 13)
- Re: Using 0days as part of pen-test? purdy (Jan 14)
- Re: Using 0days as part of pen-test? Oliver Schad (Jan 15)
- Re: Using 0days as part of pen-test? David Howe (Jan 15)
- we are security critics was: Re: Using 0days as part of pen-test? Pete Herzog (Jan 15)
- Re: we are security critics was: Re: Using 0days as part of pen-test? David Howe (Jan 17)
- Re: Using 0days as part of pen-test? purdy (Jan 14)
- Re: Using 0days as part of pen-test? Oliver Schad (Jan 15)
- Re: Using 0days as part of pen-test? Pete Herzog (Jan 17)
- Re: Using 0days as part of pen-test? David Howe (Jan 17)
- Re: Using 0days as part of pen-test? Oliver Schad (Jan 17)