Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Mon, 19 Jan 2009 11:37:51 -0430

On Monday 19 January 2009 10:04:52, the following was written:
Shenk, Jerry A wrote:
I'm not sure I agree with this statement.  If I'm testing a client's
app and I find a vulnerability, I don't have any ethical requirement
NOT to tell them.  In fact, they are paying me, so it seems like they
(to a degree) own the results of my testing.  In fact, I would give
the client the option to determine how the vendor gets notified. I've
typically given the client full information and let them notify the
vendor and call me in if needed.

Seconded. You have no legal requirement (although it's Best Practice) to
follow the Responsible Disclosure procedures, but you can make a
reasonable case that, if you are being paid by your client and not the
software vendor, you have a duty to disclose any or all material
vulnerability information (under NDA if appropriate) you discover during
your investigation.


OK, I agree with your legal statement.

The legal issue isn't the disclosure process: you can act as a "legal entity"
using the company, and "the company" discovers the vulnerability...

But the ethical issue... it differs between points of view. I think that the
disclosure process was not made to share "how to exploit" information with
others... The disclosure process is just designed to avoid and minimize
security threats (security by obscurity) until the vendor releases a patch.

There are too many obscure scenarios of information leakage and exploitation...
(corporate spies, sabotage, criminal organizations, etc.). Ethically we must
follow the Responsible Disclosure procedure to prevent leaks (even if you
signed an NDA).

From my responsible point of view, I can disclose (to my contractor) sufficient
information about the vulnerability to understand the risks and how to protect their
systems... But I will not release a full disclosure until the vendor's patches are
done. Then you can sleep deeply, thinking that your exploit won't be used in
malicious ways and the company is safely secured.

The pentest audit is intended to prove and discover internal vulns, and our
final objective is to protect. Our duty is to protect. And we are contracted to
protect.

I know a lot of vendors try the "no announcements, no disclosures, no
reviews without permission" approach, but that isn't binding on you
unless you are *their* customer - of course, you can (and they probably
will) try claiming that the agreement is binding on subcontractors of
customers, but I doubt they can claim that holds true when communicating
your "concerns" to your employer (i.e. if your only duty of
non-disclosure is as an employee of 'x', then disclosing to 'x' can't
possibly be in violation of that duty, as you are an employee of 'x' and
therefore any info is already the property of 'x' - they can't have it
both ways)

The problem is how you found and exploited those vulns: by giving the app
random or predictable test conditions, or by debugging the app?

EULA Reverse Engineering Example... 

g. Reservation of Rights; Other Restrictions.  The Software is protected by 
copyright and other intellectual property laws and treaties.  Microsoft or its 
suppliers own the title, copyright, and other intellectual property rights in 
the Software.  The Software is licensed, not sold.  Microsoft reserves all 
rights not expressly granted to you in this EULA.  Notwithstanding any other 
provision in this EULA, neither this EULA nor any CAL grants a license, under 
any Microsoft intellectual property, to implement any functionality contained 
in the Software (including without limitation communication protocols used by 
the Software) in any software installed on a Device accessing or utilizing the 
Server Software.  Reverse engineering, decompiling, or disassembling the 
Software is prohibited, except and only to the extent that such activity is 
expressly permitted by applicable law notwithstanding this limitation. 
Renting, leasing, or lending the Software (including providing commercial 
hosting services) is also prohibited.  
