Re: Using 0days as part of pen-test?

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Comment embed below.

Jason Ross wrote:

> I think a way to report thiis could be via language something like this:
>
> "<tester> observed that <client> was running the <vendor> version
> of FTP server daemon. This server has a <type> vulnerability which
> allowed <tester> to compromise the integrity of the host. <tester> then
> performed the following steps to further compromise the network ..."
>
> My guess is that further details won't be necessary. If for some reason
> the client asks for more information, you will need to explain that you
> are unable to provide it at this time, as you are currently bound by
> a non-disclosure agreement with the vendor of that software to not
> release the details of the vulnerability until they have had a chance to
> patch it (I'm presuming that this is what you mean when you refer to
> 'the -intermediary- vendor contact'?).

That will prove to be enough for a report to the client about the issue.
Thanks.

> It's probably a good idea to assure them that you will provide full
> details as additional documentation once the information is released.
> This assurance is likely best done in writing.

Of course I will, once the vuln is public.

> Another possibility is that you go back to the vendor of the FTP
> software and explain the situation to them. I would hope that any
> vendor would be willing to work with one of their customers to fix
> a security flaw. Perhaps they will permit you to disclose this
> information to their customer (your client); or perhaps they could
> work with your client to beta test the patch (if your client was so
> inclined).

As I said, I'm neither not in direct contact with the vendor, nor
willing to.

> In fact, as I think about this, it's probably a very good idea to do
> this, even if you go with the above reporting option. It's extremely
> likely that your client will be contacting the FTP vendor to inquire
> of them when this vulnerability will be patched, etc.
>
>
> > I know I've braked a lot of phases of any pen-test framework, but IMHO a
> > blackhat will proceed exactly this way: they'll exploit the network
> > through its weakest link, and is my task to protect the company from the
> > blackhat, not from pen-testers (at least not the evil ones).
>
> Personally, I agree, depending on the scope of work.
>
> I don't think there was anything wrong with using your knowledge of
> the vulnerability in this test, provided that you have contacted the
> vendor of the software and are working with them to get it patched.
>
> The trick, as you've mentioned, is how to report the vulnerability to
> the client in an ethical way.
>
> > Secondly, the flaw provided me with enough information that otherwise
> > will take me a lot longer to achieve; so I felt the audit process has
> > been somehow compromised.
>
> Why do you think this is the case? As long as you've thoroughly audited
> the remaining systems, I'm not sure what difference exploiting this FTP
> server made other than to make it easier, which is perfectly fine.
I meant to say that the vulnerability and the further network
compromises provided me valuable information that otherwise will take a
lot longer to acquire, that goes from network infrastructure, to
usernames and passwords.

> If you left it at "pwnd!" once you exploited the FTP server, and then
> slacked off on the remaining testing, I would agree that the audit process
> has been compromised. However, you've not indicated such is the case.
>
> --
> Jason

Of course i haven't. The audit as I said is far from complete.
Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkltAagACgkQH+KgkfcIQ8c7XwCfSMHuPb8CJnlkZQo0CHzN5jaT
UgEAn15nUH45UdzQueqHy22XOwO9ib0L
=/eKw
-----END PGP SIGNATURE-----