Re: Using 0days as part of pen-test?

[Dotzero <dotzero () gmail com>]

On Mon, Jan 12, 2009 at 8:32 AM, ArcSighter Elite <arcsighter () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list.
> I'm rather new to responsible disclosure, so experts may found silly my
> question, but I've founded pretty interesting, so please keep reading.
>
> A few days ago, I've identified a vulnerability in some closed-source
> vendor's ftp server.
> Then, days later I was requested to do pen-test against a company. While
> I was information gathering, I've managed to identify that third-party
> ftp daemon in one of the company's external hosts.
> I wasn't pretty sure how to proceed in such a situation, but I've fal to
> the temptation and exploited the flaw. That led to a 20-mins entire
> network compromise, and of course proved that the network was vulnerable.
> After doing that, and thinking about what I've done; I wasn't that happy
> about my results.
> First, I got the issue of how to report this vulnerability to the
> company, without breaking the -intermediary- vendor contact and
> agreement; because the vulnerability exists and its exploitable as I've
> proved, but it wasn't general public knowledge the flaw is present.
>
> I know I've braked a lot of phases of any pen-test framework, but IMHO a
> blackhat will proceed exactly this way: they'll exploit the network
> through its weakest link, and is my task to protect the company from the
> blackhat, not from pen-testers (at least not the evil ones).
>
> Secondly, the flaw provided me with enough information that otherwise
> will take me a lot longer to achieve; so I felt the audit process has
> been somehow compromised.
>
> I think I've been clear enough, if I haven't just ask for more info.
>
> What's the most ethical way to proceed in such a situation?
>
> Sincerely.

The first question is whether you found any other vulnerabilities. Did
you even look for other vulnerabilities or ways into their network? Is
your goal to act simply like a "blackhat" or is it to help your client
understand their risk/vulnerability profile so they can address
issues?

You indicate you felt the audit process was compromised. I think you
have answered your own question.

With regard to the specific issue of the FTP vulnerability. You can
report to your client that the software is vulnerable, the software is
closed source and therefore will be vulnerable until the vendor issues
a patch. You can contact the vendor and report the issue and indicate
that one of your clients for which you ran a pentest has the software
installed in their environment.

Hope this helps.