Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 13 Jan 2009 09:34:44 +0000
ArcSighter Elite wrote:
> Hi list. I'm rather new to responsible disclosure, so experts may find my question silly, but I've found it pretty interesting, so please keep reading. A few days ago, I identified a vulnerability in some closed-source vendor's ftp server. Then, days later, I was requested to do a pen-test against a company. While I was information gathering, I managed to identify that third-party ftp daemon on one of the company's external hosts. I wasn't quite sure how to proceed in such a situation, but I fell to the temptation and exploited the flaw. That led to a 20-minute entire network compromise, and of course proved that the network was vulnerable. After doing that, and thinking about what I'd done, I wasn't that happy about my results. First, I have the issue of how to report this vulnerability to the company without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and is exploitable, as I've proved, but it isn't general public knowledge that the flaw is present.
Do you have a remedial/workaround you can offer them? If so, all I can suggest is that you document it purely as "vulnerable to undisclosed attack <randomly chosen four digit number or embargoed CVE/CERT number>" and add the workaround; if they query it, just say that you are contractually obliged to not disclose the vulnerability, pending a vendor response and patch rollout. It can help if you can imply (without stating) that you are licensing undisclosed 0days (would that be a -1day?) and hence that your service offers a "deeper" check than you could get as a skilled amateur without "contacts" in the field.
> I know I've broken a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and it's my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones).
The real question there, though, is: modulo that 0day, could you have compromised their network? Or did you drop everything else and rush in to expand your bridgehead?
> Secondly, the flaw provided me with enough information that would otherwise have taken me a lot longer to achieve; so I felt the audit process had been somehow compromised.
Well, you should really eliminate any information you could not have gotten some other way, then do a review of their security on that basis. Really, the best *anyone* can do in a pentest is "without knowledge of vulnerabilities not known in the art (undisclosed 0days) this network is secure", and that is *always* true. For any network, however secure, there could be (and will be) some as yet undocumented vulnerability that will render it a decorative bandaid, not a security solution. Your dilemma really is that, on the basis of privileged information not available to an average attacker, you *can* compromise their network, and you (as a paid consultant) owe a duty of care to that customer to block or reduce that exposure as best you can; note that you can require (of your customer) that certain parts (or all) of the report be treated under NDA (that is routine anyhow), and usually you can phrase the remedial action in a way that makes it hard to reverse-engineer the original 0day from it (recommending a substitute free ftp product if that is not a special-case platform, even if only as a temporary solution until the vendor "catches up").