Quote of the Day

Tuesday, November 17, 2020

Don't be afraid to fail!

Larry Cashdollar from Akamai talked about his first CVE experience back in 1999 and how the experience played out in his career path in Cyber Security.

According to Larry, the work behind his first CVE was done without permission. He was working as a Linux system admin for Bath Iron Works under contract by Computer Sciences Corporation. They had an SGI Onyx/2 machine room that only a few senior members were allowed to access. One day, one of the senior members taunted the junior team members that they would get access to the room if they got root access to the machine. That is when he started his first pen test to get root access to the Onyx machine, following the steps below, without any permission.

1. Went to /usr/sbin to look for setuid binaries.

2. Found a "Midikeys" file that had the setuid bit set on it and ran it.

3. Opened up the password file, put a zero in his user ID, saved it, and then logged in again.

4. Logged into the Onyx's LP, forwarded an X window back to his machine, executed Midikeys, brought it up, opened up /etc/password, created a "Larry" account, and made the user ID "0".

5. Got a root prompt. 

6. Changed the root password to CTRL-D by accident, thinking he was changing the password for "Larry."
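Steps 1 and 2 from the defender's side, as an added example that is not from the podcast or this post: an audit that inventories setuid files in a directory and flags root-owned ones missing from a reviewed baseline. The function names, the sample inventory and the baseline are constructed for illustration.

```python
import os
import stat


def find_setuid(directory):
    """Return sorted (path, owner_uid, mode) for regular files with the setuid bit."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; keep the audit running
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def unexpected_setuid_root(hits, baseline):
    """Root-owned setuid files whose path is not in the reviewed baseline."""
    return [path for path, uid, _mode in hits if uid == 0 and path not in baseline]


# Constructed sample inventory (not real scan output).
SAMPLE_HITS = [
    ("/usr/sbin/Midikeys", 0, 0o4755),      # GUI tool that can open and save files
    ("/usr/sbin/passwd-helper", 0, 0o4755), # hypothetical, already reviewed
    ("/usr/sbin/user-tool", 1001, 0o4755),  # setuid, but not to root
]
SAMPLE_BASELINE = {"/usr/sbin/passwd-helper"}  # constructed allowlist

if __name__ == "__main__":
    print("sample findings:", unexpected_setuid_root(SAMPLE_HITS, SAMPLE_BASELINE))
    # Live run against the local system with an empty baseline: everything is a finding
    # until someone has reviewed it and added it to the allowlist.
    for path in unexpected_setuid_root(find_setuid("/usr/sbin"), set()):
        print("review:", path)
```

Any setuid-root program that lets the user open and save arbitrary files, as the Midikeys binary in the story did, deserves the closest look in such a review.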

Larry panicked after this incident and tried to inform the admin about the password change, but the admin was in the middle of giving a demo to a Navy admiral and upper management. Luckily, the admin was able to change the password.

Despite the ominous incident, he gained the legitimacy to conduct pen testing instead of being fired from the position.

He sent the CVE to Bugtraq, a network security notification system people used in the late 90s, and he has posted over 230 CVEs since then.

While working for Akamai CERT, he started looking at WordPress plugins and found lots of vulnerabilities. These days, he finds vulnerabilities in Web applications, and he found a /temp race condition vulnerability for Solaris 11 x86, where one of its utilities would create a file in /temp, and then you get root access by using chmod /etc/shadow and then changing the password.

The advice Larry would like to give to students and junior Cyber Security professionals is: first, don't be afraid to fail. You learn from your failures. Second, don't lose your traction for learning new stuff. Lastly, don't do anything illegal. Make sure you get permission to do stuff.

https://thecyberwire.com/podcasts/research-saturday/160/notes

Click below for more information on the race condition vulnerability.

Race condition vulnerability



