Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: Chris Griffin <chris () logossecurity com>
Date: Tue, 13 Jan 2009 06:03:07 -0500

Personally, looking at the big picture I don't see anything wrong with
using a 0-day.

And here's why. There will always be 0-days, but you should have your
systems and network set in such a way that you have controls in place
for such an event.

For example, the ftp server gets hit with a 0day: do your controls alert you
that something went wrong? Does the service fail (yes, causing a DoS, but
also keeping it from opening a gaping hole)? Or does it detect its
compromised state and restart back to a normal running state?

There will always be ways in, or people who give up too much information, etc.
That's why there's a need for multiple controls.

I wrote this with the OSSTMM controls in mind. I'm biased (I'm a
contributor to it), but that's because it just plain works.


Regards,
Chris
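
The kind of control Chris describes, as an added example that is not code from the thread or from OSSTMM: a small monitor that reads ftp-server syslog lines and raises an alert when the daemon dies, when it comes back after a crash (and how quickly), when it never comes back (the DoS case), and when it spawns a program it has no business running. The syslog layout, the daemon name `ftpd`, the `audit:` line format and the `EXPECTED_CHILDREN` list are assumptions, and the sample log lines are constructed for the example.

```python
"""
Constructed control-check over ftp-server syslog lines (added example, not
from the thread). Does a crash, a restart or an unexpected child process
actually get noticed?  Log layout, daemon name and audit format are assumed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). The "audit:" line format is an
# assumption standing in for whatever process auditing the host really runs.
SAMPLE_LOG = """\
Jan 12 08:30:01 ftp1 ftpd[2101]: connection from 203.0.113.5
Jan 12 08:30:02 ftp1 ftpd[2101]: USER anonymous
Jan 12 08:30:03 ftp1 ftpd[2101]: exiting on signal 11
Jan 12 08:30:05 ftp1 init: ftpd main process ended, respawning
Jan 12 08:30:05 ftp1 ftpd[2140]: FTP server ready
Jan 12 08:31:10 ftp1 ftpd[2140]: connection from 203.0.113.5
Jan 12 08:31:12 ftp1 audit: pid=2145 ppid=2140 comm=ftpd exec=/bin/sh
""".splitlines()

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> <tag>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Programs the ftp daemon is expected to execute (assumed allowlist);
# anything else is treated as a sign of compromise.
EXPECTED_CHILDREN = {"/bin/ls"}


def parse(line, year=2009):
    """Split one syslog line into a dict; None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def classify(rec):
    """Map a parsed record to an event the control cares about, or None."""
    tag, msg = rec["tag"], rec["msg"]
    if tag == "ftpd" and "exiting on signal" in msg:
        return "crash"
    if tag == "ftpd" and msg.endswith("ready"):
        return "start"
    if tag == "audit":
        fields = dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)
        if fields.get("comm") == "ftpd" and fields.get("exec") not in EXPECTED_CHILDREN:
            return "unexpected_exec"
    return None


def evaluate(lines, restart_window=timedelta(seconds=30)):
    """Return (severity, text) alerts a monitoring control should raise."""
    alerts = []
    crash_at = None  # time of the last crash with no restart seen yet
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        event = classify(rec)
        if event == "crash":
            crash_at = rec["ts"]
            alerts.append(("high",
                           f"{rec['ts']:%H:%M:%S} ftpd pid {rec['pid']} died: {rec['msg']}"))
        elif event == "start" and crash_at is not None:
            gap = rec["ts"] - crash_at
            # A quick respawn limits the outage but the crash itself still
            # needs a look; a slow one means the service was down meanwhile.
            level = "medium" if gap <= restart_window else "high"
            alerts.append((level,
                           f"{rec['ts']:%H:%M:%S} ftpd back after {int(gap.total_seconds())}s; "
                           "investigate the crash"))
            crash_at = None
        elif event == "unexpected_exec":
            alerts.append(("critical",
                           f"{rec['ts']:%H:%M:%S} ftpd spawned a program it never should: {rec['msg']}"))
    if crash_at is not None:
        alerts.append(("high", f"ftpd has not come back since {crash_at:%H:%M:%S} (service down)"))
    return alerts


if __name__ == "__main__":
    for level, text in evaluate(SAMPLE_LOG):
        print(f"[{level}] {text}")
```

Run over the constructed lines it raises three alerts: the crash, the respawn two seconds later (still flagged, because a daemon that dies for no known reason is exactly the event Chris says the controls should surface), and the child shell. Feeding it only the first four lines produces the "service down" alert instead of the respawn one, which is the fail-closed branch of his question.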

On Mon, Jan 12, 2009 at 8:32 AM, ArcSighter Elite <arcsighter () gmail com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list.
I'm rather new to responsible disclosure, so experts may find my
question silly, but I've found it pretty interesting, so please keep reading.

A few days ago, I identified a vulnerability in some closed-source
vendor's ftp server.
Then, days later, I was requested to do a pen-test against a company. While
I was information gathering, I managed to identify that third-party
ftp daemon on one of the company's external hosts.
I wasn't quite sure how to proceed in such a situation, but I fell to
the temptation and exploited the flaw. That led to a 20-minute entire
network compromise, and of course proved that the network was vulnerable.
After doing that, and thinking about what I'd done, I wasn't that happy
about my results.
First, I have the issue of how to report this vulnerability to the
company without breaking the intermediary vendor contact and
agreement, because the vulnerability exists and is exploitable, as I've
proved, but it wasn't general public knowledge that the flaw is present.

I know I've broken a lot of phases of any pen-test framework, but IMHO a
blackhat would proceed exactly this way: they'll exploit the network
through its weakest link, and it's my task to protect the company from the
blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that would otherwise
have taken me a lot longer to obtain, so I felt the audit process had
been somehow compromised.

I think I've been clear enough; if I haven't, just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR
U1rhxUzEw6Z+Q7P7Vxwe9mc=
=5m9Z
-----END PGP SIGNATURE-----
