CVE Blog


My CVE Story: How I Became the CVE Program’s First Vulnerability Researcher CNA


Guest author Larry W. Cashdollar is a vulnerability researcher and the CVE Program’s first researcher CNA.

I discovered my first vulnerability in 1999. By that point, I had been involved in computer security since late 1994, working as a consultant at the now defunct netMaine consulting company. My days then consisted of tracking new vulnerabilities posted on Bugtraq and collecting exploits that we would catalog and possibly use during our penetration testing engagements. I remember talking with my co-worker about how people would find vulnerabilities; how did they know what to look for and where to look?

In 1998, better opportunities led me to apply for a UNIX Administrator position at Computer Sciences Corporation. This position gave me access to over 3,000 assorted UNIX systems, ranging from HP-UX to SGI IRIX to IBM AIX. On my first day, my new manager took me to the SGI lab, a room with 8-10 SGI Indigo/2 workstations, and told me he’d give me a login once I proved my worth. I knew from being in security and studying various UNIX vulnerabilities for a few years that SGI IRIX shipped with a passwordless lp account, so I simply walked up to one of the workstations, typed lp at the login prompt, and hit enter. When my manager saw that I was able to log on to the SGI, he immediately offered me a job in security.

I spent the next few months testing the security of many different UNIX servers. We had a data center that I, as a UNIX Administrator, was not able to access; only the level III UNIX Administrators were allowed in. The data center housed a refrigerator-sized $250,000 SGI ONYX/2. The administrators who had access to the data center would taunt my team almost weekly about how they had root access to the ONYX/2 and we didn’t. I had taken it upon myself to hack root on the ONYX/2. I knew I could get a shell using the lp login, but I didn’t know of any zero-days to elevate my privileges to root. What I needed was another system with the same OS version that I could examine. I did have access to another SGI box with the same OS, an Indigo/2 workstation that no one used.

To elevate my privileges, I started looking at setuid root binaries. A setuid root program, when executed by a regular user, runs with superuser privileges. I noticed a binary named /usr/sbin/midikeys that, when executed, popped up a little piano keyboard on my screen. I wondered why a piano application would need to run as root, so I started toying with it. It had a feature that let you save and edit music files, so I tried to open /etc/passwd (where the user accounts’ passwords were stored) to add my own superuser entry. It worked! So, logged into the ONYX/2 as lp, I used my newly found zero-day to modify the password file and add ‘larry’ as a new root-level account. I logged into my new ‘larry’ account with superuser (root) privileges and started looking around. I attempted to change my account password to something other than a blank password and realized I was changing the root account’s password. I had accidentally set the root password to ‘ctrl ^D’ while trying to back out of the command. I knew the system administrators of the ONYX would be pretty angry with me, so I asked my good friend Donovan to tell the ONYX system administrator what I had done. At that exact time, the sysadmin was demonstrating the SGI’s 3-D modeling abilities to a group of officials, including a Navy admiral. They were planning to demonstrate the 3D CAD drawings of the Aegis-class destroyers being designed and built at a major U.S. shipyard. The sysadmin was unable to log in and had to scrub the demo.
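The setuid mechanism described above is also what an administrator audits on their own systems. The shell script below is an added example (not from the original post): it lists setuid executables under a directory tree and reports any that are missing from an approved baseline, which is how an unexpected setuid root program such as a piano keyboard would stand out. The function names and the one-path-per-line baseline format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit setuid executables under a
# directory tree and flag any not listed in an approved baseline file.
# Assumes POSIX find/ls/awk/grep; baseline format is one absolute path per line.

# Print "owner<TAB>path" for every regular file with the setuid bit set,
# staying on one filesystem (-xdev) so network and pseudo mounts are skipped.
list_setuid() {
    root_dir="$1"
    find "$root_dir" -xdev -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s\t%s\n' "$owner" "$f"
    done
}

# Report setuid files whose path is absent from the baseline.
# Returns 0 when every setuid file is approved, 1 when anything unexpected exists.
check_setuid_against_baseline() {
    root_dir="$1"
    baseline="$2"
    findings=$(list_setuid "$root_dir" | while IFS="$(printf '\t')" read -r owner path; do
        grep -qxF -- "$path" "$baseline" ||
            printf 'UNEXPECTED setuid (owner %s): %s\n' "$owner" "$path"
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh audit_setuid.sh /usr/sbin /etc/setuid-baseline.txt
if [ "$#" -eq 2 ]; then
    check_setuid_against_baseline "$1" "$2"
fi
```

Run it once on a freshly installed system to capture the baseline, then periodically against that file; a new entry in the report is the cue to ask, as the author did, why that program needs root at all.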

How I became a CVE Numbering Authority (CNA)

I remember sending the details of my newfound security hole to Bugtraq and being excited when I saw that the CVE Program assigned a CVE ID to the vulnerability after SGI fixed it. As a new researcher, this represented a stamp of approval from folks who had lots of experience in cataloging and validating vulnerabilities.

In 2016, I presented a talk at the DEF CON Wall of Sheep Village that had some CVE Program team members in the audience. I was invited to meet with them to discuss becoming the first vulnerability researcher CNA who could assign CVEs to vulnerabilities that I discovered. In November 2016, I officially partnered with the CVE Program as a CNA.

Since then, I’ve discovered over 300 vulnerabilities and assigned many of the CVE IDs myself. The process has become more and more streamlined over the years, and I hope to remain part of the CNA program as I continue to discover new vulnerabilities in software.

- Larry Cashdollar
  Vulnerability Researcher
  March 15, 2021


Page Last Updated or Reviewed: March 22, 2021