Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: ArcSighter Elite <arcsighter () gmail com>
Date: Tue, 13 Jan 2009 16:03:51 -0500
Comments embedded below. Jason Ross wrote:
I think a way to report this could be via language something like this: "<tester> observed that <client> was running the <vendor> version of FTP server daemon. This server has a <type> vulnerability which allowed <tester> to compromise the integrity of the host. <tester> then performed the following steps to further compromise the network ..." My guess is that further details won't be necessary. If for some reason the client asks for more information, you will need to explain that you are unable to provide it at this time, as you are currently bound by a non-disclosure agreement with the vendor of that software to not release the details of the vulnerability until they have had a chance to patch it (I'm presuming that this is what you mean when you refer to 'the -intermediary- vendor contact'?).
That will prove to be enough for a report to the client about the issue. Thanks.
It's probably a good idea to assure them that you will provide full details as additional documentation once the information is released. This assurance is likely best done in writing.
Of course I will, once the vuln is public.
Another possibility is that you go back to the vendor of the FTP software and explain the situation to them. I would hope that any vendor would be willing to work with one of their customers to fix a security flaw. Perhaps they will permit you to disclose this information to their customer (your client); or perhaps they could work with your client to beta test the patch (if your client was so inclined).
As I said, I'm neither in direct contact with the vendor, nor willing to be.
In fact, as I think about this, it's probably a very good idea to do this, even if you go with the above reporting option. It's extremely likely that your client will be contacting the FTP vendor to inquire of them when this vulnerability will be patched, etc.

I know I've broken a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and it is my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones).

Personally, I agree, depending on the scope of work. I don't think there was anything wrong with using your knowledge of the vulnerability in this test, provided that you have contacted the vendor of the software and are working with them to get it patched. The trick, as you've mentioned, is how to report the vulnerability to the client in an ethical way.

Secondly, the flaw provided me with enough information that would otherwise have taken me a lot longer to achieve; so I felt the audit process has been somehow compromised.

Why do you think this is the case? As long as you've thoroughly audited the remaining systems, I'm not sure what difference exploiting this FTP server made other than to make it easier, which is perfectly fine.
I meant to say that the vulnerability and the further network compromises provided me with valuable information that would otherwise have taken a lot longer to acquire, ranging from network infrastructure to usernames and passwords.
If you left it at "pwnd!" once you exploited the FTP server, and then slacked off on the remaining testing, I would agree that the audit process has been compromised. However, you've not indicated such is the case. -- Jason
Of course I haven't. The audit, as I said, is far from complete. Thanks.