RE: Using 0days as part of pen-test?

["Shenk, Jerry A" <jshenk () decommunications com>]

I think you definitely want to compromise the network and write up this
flaw but in my write-up, I'd include a reference that this is not a
widely known vulnerability.  I don't think I'd claim that I'm the only
person who knows it...it seems likely to me that somebody else does know
it but that they've chosen not announce it.

I guess it depends a little on the scope and/or rules of engagement.
Typically, I do not stop with a single exploit.  I've never worked one
where you just 0wn the network and then quit.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of ArcSighter Elite
Sent: Monday, January 12, 2009 8:32 AM
To: pen-test list
Subject: Using 0days as part of pen-test?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list.
I'm rather new to responsible disclosure, so experts may found silly my
question, but I've founded pretty interesting, so please keep reading.

A few days ago, I've identified a vulnerability in some closed-source
vendor's ftp server.
Then, days later I was requested to do pen-test against a company. While
I was information gathering, I've managed to identify that third-party
ftp daemon in one of the company's external hosts.
I wasn't pretty sure how to proceed in such a situation, but I've fal to
the temptation and exploited the flaw. That led to a 20-mins entire
network compromise, and of course proved that the network was
vulnerable.
After doing that, and thinking about what I've done; I wasn't that happy
about my results.
First, I got the issue of how to report this vulnerability to the
company, without breaking the -intermediary- vendor contact and
agreement; because the vulnerability exists and its exploitable as I've
proved, but it wasn't general public knowledge the flaw is present.

I know I've braked a lot of phases of any pen-test framework, but IMHO a
blackhat will proceed exactly this way: they'll exploit the network
through its weakest link, and is my task to protect the company from the
blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that otherwise
will take me a lot longer to achieve; so I felt the audit process has
been somehow compromised.

I think I've been clear enough, if I haven't just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR
U1rhxUzEw6Z+Q7P7Vxwe9mc=
=5m9Z
-----END PGP SIGNATURE-----



**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
message. If you have received this communication in error, please notify the sender and delete this e-mail message. The 
contents do not represent the opinion of D&E except to the extent that it relates to their official business.