Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: purdy () tecman com
Date: Wed, 14 Jan 2009 09:40:05 -0500 (EST)

Good points, Pete. But since the subject caught my attention, I thought I would point out (if it has not already been done) 
that 0-day tests, by definition, cannot test anything other than the quality of the anomaly-based detection system. I 
wonder how many readers here have actually come up against a 0-day. It is mighty scary (particularly if it is a worm 
taking down another mission-critical server every minute). All the experience in the world is for naught; the only thing 
that can save you is your own deductive problem-solving abilities.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
purdy () tecman com

-----Original Message-----
From: "Pete Herzog" <lists () isecom org>
Sent: Tuesday, January 13, 2009 10:42am
To: "ArcSighter Elite" <arcsighter () gmail com>
Cc: "pen-test list" <pen-test () securityfocus com>
Subject: Re: Using 0days as part of pen-test?

Hi,

I think you don't have any problems except if you performed actions 
outside the statement of work, the contract, or the scope or live in 
France.  As I can see it:

1. By penetrating in you were able to see more of the infrastructure 
and make a better analysis of what is there and what its limitations 
are so you did a good thing. Not to mention by saving time with that 
you had time to be much more thorough, test from various vectors, and 
give a real value for the test.

2. You researched and used a flaw which is your information now and 
you are free to use it to make money as long as you did not sign a 
contract with the service owner preventing you from investigating or 
testing the software - or are in France. If the FTP service owner does 
not have you on the payroll to do their Q&A then you owe them nothing.

3. Others are free to research that FTP service as well and find the 
bug as well. Don't be sure you are the only one with it.

4. Report to the client your complete security test audit report 
showing what they have and the limitations. You can use your attack as 
proof that they are running a service without controls and what you 
can do with it. Such proof is good to push quick action but the rest 
of your report showing the lack of controls will be what really helps 
them lock down.

5. That you did what a Blackhat might do is not a problem because you 
were under contract and really, there are many types of Blackhats and 
your modus operandi just follows one type. (see the Hacker Profiling 
Project from ISECOM).

6. If you are in France, well, be happy because many other people are 
trying to get there as well and you're already there. So forget the 
pen test and live it up like a tourist in France!

Sincerely,
-pete.


ArcSighter Elite wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list.
I'm rather new to responsible disclosure, so experts may find my
question silly, but I've found it pretty interesting, so please keep reading.

A few days ago, I've identified a vulnerability in some closed-source
vendor's ftp server.
Then, days later I was requested to do pen-test against a company. While
I was information gathering, I've managed to identify that third-party
ftp daemon in one of the company's external hosts.
I wasn't pretty sure how to proceed in such a situation, but I fell to
the temptation and exploited the flaw. That led to a 20-minute entire
network compromise, and of course proved that the network was vulnerable.
After doing that, and thinking about what I've done; I wasn't that happy
about my results.
First, I got the issue of how to report this vulnerability to the
company without breaking the -intermediary- vendor contact and
agreement; because the vulnerability exists and it's exploitable, as I've
proved, but it wasn't general public knowledge that the flaw is present.

I know I've broken a lot of phases of any pen-test framework, but IMHO a
blackhat will proceed exactly this way: they'll exploit the network
through its weakest link, and it's my task to protect the company from the
blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that would otherwise
have taken me a lot longer to achieve; so I felt the audit process has
been somehow compromised.

I think I've been clear enough, if I haven't just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR
U1rhxUzEw6Z+Q7P7Vxwe9mc=
=5m9Z
-----END PGP SIGNATURE-----