Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: "Jason Ross" <algorythm () gmail com>
Date: Tue, 13 Jan 2009 09:57:08 -0500
ArcSighter Elite <arcsighter () gmail com> wrote:
A few days ago, I've identified a vulnerability in some closed-source vendor's ftp server. Then, days later I was requested to do pen-test against a company. While I was information gathering, I've managed to identify that third-party ftp daemon in one of the company's external hosts. I wasn't pretty sure how to proceed in such a situation, but I've fal to the temptation and exploited the flaw. That led to a 20-mins entire network compromise, and of course proved that the network was vulnerable. After doing that, and thinking about what I've done; I wasn't that happy about my results. First, I got the issue of how to report this vulnerability to the company, without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and its exploitable as I've proved, but it wasn't general public knowledge the flaw is present.
I think a way to report thiis could be via language something like this: "<tester> observed that <client> was running the <vendor> version of FTP server daemon. This server has a <type> vulnerability which allowed <tester> to compromise the integrity of the host. <tester> then performed the following steps to further compromise the network ..." My guess is that further details won't be necessary. If for some reason the client asks for more information, you will need to explain that you are unable to provide it at this time, as you are currently bound by a non-disclosure agreement with the vendor of that software to not release the details of the vulnerability until they have had a chance to patch it (I'm presuming that this is what you mean when you refer to 'the -intermediary- vendor contact'?). It's probably a good idea to assure them that you will provide full details as additional documentation once the information is released. This assurance is likely best done in writing. Another possibility is that you go back to the vendor of the FTP software and explain the situation to them. I would hope that any vendor would be willing to work with one of their customers to fix a security flaw. Perhaps they will permit you to disclose this information to their customer (your client); or perhaps they could work with your client to beta test the patch (if your client was so inclined). In fact, as I think about this, it's probably a very good idea to do this, even if you go with the above reporting option. It's extremely likely that your client will be contacting the FTP vendor to inquire of them when this vulnerability will be patched, etc.
I know I've braked a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and is my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones).
Personally, I agree, depending on the scope of work. I don't think there was anything wrong with using your knowledge of the vulnerability in this test, provided that you have contacted the vendor of the software and are working with them to get it patched. The trick, as you've mentioned, is how to report the vulnerability to the client in an ethical way.
Secondly, the flaw provided me with enough information that otherwise will take me a lot longer to achieve; so I felt the audit process has been somehow compromised.
Why do you think this is the case? As long as you've thoroughly audited the remaining systems, I'm not sure what difference exploiting this FTP server made other than to make it easier, which is perfectly fine. If you left it at "pwnd!" once you exploited the FTP server, and then slacked off on the remaining testing, I would agree that the audit process has been compromised. However, you've not indicated such is the case. -- Jason
Current thread:
- Re: Using 0days as part of pen-test?, (continued)
- Re: Using 0days as part of pen-test? David Howe (Jan 17)
- Re: Using 0days as part of pen-test? Oliver Schad (Jan 17)
- Re: Using 0days as part of pen-test? David Howe (Jan 20)
- Message not available
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? David Howe (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? Jeremy Brown (Jan 21)
- RE: Using 0days as part of pen-test? Shenk, Jerry A (Jan 17)
- Re: Using 0days as part of pen-test? David Howe (Jan 20)