10/16/2020
03:15 PM
Curtis Franklin Jr.

An Uncommon 20 Years of Commonly Enumerating Vulns

Larry Cashdollar, a researcher with more than 300 CVEs to his credit, looks back at his favorite vulnerabilities (and being the only individual CNA on Mitre's list).



Larry Cashdollar needed someone big -- someone not afraid of physical retribution. So he called Donovan, an imposing figure at six-four. And Cashdollar says, "I made a mistake."

At the time, Cashdollar, now a senior researcher at Akamai, was a Unix system administrator at Computer Sciences Corp. under contract at Bath Iron Works. The mistake Cashdollar had made was exploiting a vulnerability in a program called "midikeys," inadvertently changing the root password on an SGI Onyx graphics system just when the engineers had begun giving a demo of the Onyx to a Navy admiral. Donovan's job was to go into the room and tell the Bath Iron Works engineers the new password.


Cashdollar's career survived the incident and took off with what turned out to be his first published Common Vulnerability Enumerator, or CVE. Now, with more than 300 published CVEs to his credit, Cashdollar can look back at his early days in computer security with less panic than during that first incident.

The Birth of the CVE
In January 1999, David E. Mann and Steven M. Christey, who both worked at Mitre, presented a paper titled "Towards a Common Enumeration of Vulnerabilities." Before that, "there was no unique way to determine a vulnerability in the system," Cashdollar says. "You know, there was Buffer Overflow and sendmail."

And one of the problems was that it was difficult to know whether a vulnerability one researcher was describing had already been found and described by another researcher.

The idea of a common "language" for researchers and system administrators to use appealed to Cashdollar. The idea of being able to claim one of these published vulnerabilities as his own also appealed.

"When CVEs came around, I was like, wow, you know, I would love to find a vulnerability in something," he says.

Cashdollar's Favorite CVEs

CVE-1999-0765

/usr/sbin/midikeys used to get local root access. I used this to get root access to a $250k-500k SGI Onyx/2 and accidentally screw up a demo of the Aegis destroyer for a Navy admiral.

CVE-2000-0588 & CVE-2000-0589

Sawmill weak encryption scheme and path traversal. I used this to hack into the vendor's website and reveal his admin password to him. He gave me a free license for the software.

CVE-2008-0525

Local root in PatchLink patch management software. My father was a system administrator for TD Banknorth in 2008, and during a vulnerability review meeting with his team, the presenter covered this CVE as this software was in use at the bank. When his teammates saw my name they asked my father if it was him and he was like "No, that's my son." His co-workers, I guess, filled the room with oohs and aahs. He said he was so proud.

CVE-2012-6348

Centrify local root. I was sent to a Centrify class in December 2012 in Manhattan and spent my lunch finding some vulnerabilities in the software. Then I dropped the 0day on BugTraq and ended up ruining a weekend for a bunch of developers. This is when I realized I need to be responsible in my disclosures.

CVE-2018-9206

Blueimp jQuery File Upload vulnerability. This was found while I was stuck in my hotel room. I didn't realize how widespread this software was until a colleague pointed out the GitHub repo had been forked 7,800 times and favorited 30,000 times. It was the #2 most popular repo on GitHub at the time.

Of course, in the early days of CVEs a researcher didn't just submit a vulnerability to Mitre for inclusion.

"You didn't file for a CVE; you published it on a security mailing list and somebody from Mitre who might think that your vulnerability was worthy of a CVE would assign one," Cashdollar says. "When you put them on the BugTraq list back in the 1990s, there would be someone who would test your work, verify it, and people that would go through and sort of verify if your claim was true. So there were all people sort of analyzing my vulnerability, and it was kind of neat."

"Later I was looking on BugTraq for the midikeys thing again. And I noticed that Mitre had assigned a vulnerability or CVE ID to it," Cashdollar says.

He was happy and excited that he could now claim with legitimacy to have found a vulnerability. He decided then that if he ever reached the goal of 10 published CVEs, he would have a T-shirt printed to mark the occasion. Now, he says, "I have more than 10 and I still haven't made a T-shirt."

A Number of His Own
By 2016, the process had become more regular, but the system was in danger of being overwhelmed by all the vulnerabilities being found in various systems and applications. Cashdollar says it reached a point where researchers were noticing the delay in getting CVEs assigned and published.  

Around this time, Cashdollar started conversations with Kurt Seifried of RedHat about options -- conversations that led to Seifried developing Distributed Weakness Filings (DWF), an open source version of the CVE. The DWF ultimately worked in cooperation with Mitre to become a Certified Numbering Authority (CNA), issuing CVEs on open-source projects within the overall CVE system.

Cashdollar also received an invitation to talk about CVEs with Mitre. When he went to their campus, "They were fleshing out becoming a CNA so you could actually become your own CVE assigner," he says, "where they would give you a block of CVEs and you would be able to assign CVEs to your own vulnerabilities on this block that they had preassigned or dedicated to you."

During the meeting, "They told me, we're going to make you the first researcher certified numbering authority for Mitre and we're going to see how this goes. You're going to be our guinea pig. And I'm like, OK, that sounds like fun," he says.

Today, there are 161 CNAs, of which 127 are vendors and projects, and 22 are researchers. Scrolling through Mitre's list of CNAs, Cashdollar is the only individual to be found. He has approximately 305 CVEs to his credit -- "approximately" because there are vulnerabilities currently awaiting CVEs to be assigned by vendors.

As for whether he still gets the same thrill from seeing a new CVE added to his list, Cashdollar says, "I guess it depends on what application I'm breaking."

Simple authentication vulnerabilities in WordPress plugins that can be exploited with a curl command carry low excitement for him. But "The old school stuff is more fun to me. If I find something like a /tmp race condition vulnerability in Solaris 11, I'll end up, you know, writing a C exploit to watch the files and then create a symlink to /etc/shadow and then try to change the password. And I'll just write a much better exploit for something that's unique because it's still a lot of fun for me."
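The /tmp race Cashdollar describes is the classic time-of-check/time-of-use bug: a privileged program creates a file under a predictable name in a world-writable directory, and between choosing the name and opening it the name is replaced by a symlink to a sensitive file, so the program's own write lands on that file. The C program below is an added example, not code from the article or from Cashdollar; it places the weak open() pattern beside the hardened one and stages the outcome in a private sandbox directory it creates itself, with a constructed "shadow-standin" file in place of /etc/shadow (the sandbox path, file names and contents are all assumptions made for the demonstration).

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: predictable name, O_CREAT without O_EXCL, and the open
 * follows whatever the name currently points to. If a symlink was planted
 * there first, O_TRUNC empties the link's target. */
int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail (EEXIST) if anything already
 * sits at that name, symlinks included; O_NOFOLLOW additionally refuses to
 * traverse a symlink at the final path component (ELOOP). */
int open_tmp_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred pattern: mkstemp() picks an unpredictable name and opens it with
 * O_EXCL in one step; buf must end in "XXXXXX" and is rewritten in place. */
int open_tmp_random(char *buf) {
    return mkstemp(buf);
}

struct race_demo_result {
    int insecure_clobbered_target; /* 1: weak open went through the link and truncated the target */
    int hardened_refused_link;     /* 1: hardened open failed with EEXIST or ELOOP */
    int random_name_created;       /* 1: mkstemp produced a fresh private file */
};

/* Stages the race in a sandbox directory: "shadow-standin" is a constructed
 * stand-in for a sensitive file, and "predictable.tmp" is the symlink that
 * would have been planted at the predictable name before the program ran. */
struct race_demo_result run_race_demo(void) {
    struct race_demo_result r = {0, 0, 0};
    char dir_tmp[] = "/tmp/racedemo.XXXXXX";  /* constructed sandbox location */
    char dir_cwd[] = "./racedemo.XXXXXX";     /* fallback if /tmp is not writable */
    char target[512], link[512], tmpl[512];
    struct stat st;
    int fd;

    char *dir = mkdtemp(dir_tmp) ? dir_tmp : mkdtemp(dir_cwd);
    if (dir == NULL) return r;
    snprintf(target, sizeof target, "%s/shadow-standin", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);

    /* Constructed sensitive file; the contents are a harmless placeholder. */
    FILE *f = fopen(target, "w");
    if (f != NULL) {
        fputs("placeholder:x:0:0\n", f);
        fclose(f);

        /* The race is already lost: the predictable name is now a symlink. */
        if (symlink(target, link) == 0) {
            fd = open_tmp_insecure(link);
            if (fd >= 0) {
                close(fd);
                /* O_TRUNC went through the link: the stand-in is now empty. */
                if (stat(target, &st) == 0 && st.st_size == 0)
                    r.insecure_clobbered_target = 1;
            }

            fd = open_tmp_hardened(link);
            if (fd < 0 && (errno == EEXIST || errno == ELOOP))
                r.hardened_refused_link = 1;
            else if (fd >= 0)
                close(fd);

            fd = open_tmp_random(tmpl);
            if (fd >= 0) {
                close(fd);
                unlink(tmpl);
                r.random_name_created = 1;
            }
            unlink(link);
        }
        unlink(target);
    }
    rmdir(dir);
    return r;
}

int main(void) {
    struct race_demo_result r = run_race_demo();
    printf("insecure open clobbered target : %d\n", r.insecure_clobbered_target);
    printf("hardened open refused symlink  : %d\n", r.hardened_refused_link);
    printf("mkstemp created private file   : %d\n", r.random_name_created);
    return 0;
}
```

The first result is the bug: the program never checked what was at the name, so its write went wherever the link pointed. The second and third are the mitigations a code reviewer looks for in anything that writes to /tmp: O_EXCL together with O_NOFOLLOW on a fixed name, or, better, an unpredictable name from mkstemp(), since a name an attacker cannot guess cannot be pre-planted.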

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...