How I Was Bored One Many Nights and Found Two a Bunch of CVEs
Hacking the Hiring Process by Pentesting FOSS Applications
The Wild West Hacking Fest Version
Joe Helle, Red Team Lead, TCM Security

Who Am I?
• Army Iraq and Afghanistan War Veteran
• Online personality known as The Mayor
• Why? Because I was an elected Mayor
• eCPTX, eWPTX, PNPT, CRTO, OSCP, and a boatload of others
• Advocate for changing entry processes into cybersecurity careers
• First professional job in IT was penetration testing
• Former moonshiner

Why We Are Here Today
• Hiring for offensive cybersecurity positions is broken
• Need experience to get the job; need a job to get the experience
• Bug bounty hunting has become saturated
• Certificate value diminishes as more people obtain the same credentials
• Candidates struggle to set themselves apart from their peers
• Few organizations speak the same language when it comes to quantifiable experience
• One thing stands out across most cybersecurity realms, however: CVEs!!!

What is a CVE?
• CVE is an abbreviation for Common Vulnerabilities and Exposures
• Maintained by MITRE, the CVE database is a repository of publicly disclosed vulnerabilities
• A CVE publicly disclosed through MITRE is a first-time disclosure of a Zero Day vulnerability finding
• Many professionals in the field will go their entire careers without finding one; others may find several over their career
• Some CVE findings affect security on a global scale
• Other findings may affect small applications that are Free and Open Source (FOSS), created and maintained by small brick and mortar companies
• My first CVE (2020-28351) came in my first month as a pentester, on a client web application penetration test
• Size does not matter
• Finding a Zero Day vulnerability that is reported to MITRE shows a person’s initiative and their ability to research, create proofs of concept, write technically, and manage client communications

Why?
• As the title suggests, this was born from a boring Sunday night
• I mentor multiple people struggling to find work in the field
• This means that I struggle as well, since the hiring process is such a challenge
• Leveraging my boredom and knowledge, I decided to test my theory that earning CVEs will help people find gainful employment

Finding Potential Exploitable Targets
• Targeting common industries, such as hospitals, schools, hotels, etc., is a great way to identify possible projects
• The “hotel CMS foss” search landed multiple results
• The next challenge was parsing which applications really were FOSS, and not paywall applications hiding behind marketing walls
• Websites that provided results of value were:
  • SourceForge
  • GitHub
• The final challenge in choosing which applications to target was installing them
• Many of these applications were quite challenging to install
• I finally chose the application “Hotel Druid”

Quick Note
• Downloadable applications are generally safe to test, meaning you likely do not need permission to do so on your own machine
• Some applications may have licensing agreements that provide for criminal or civil liabilities if testing is conducted, so ensure you read any of the fine print available
• FOSS applications generally will not have these stipulations
• Even if you are in the clear, know that not all developers will be excited that someone tested and exploited their application
• Back to our regularly scheduled talk

Exploitation Time
• Probably the easiest part of the entire process
• Good testing methodology matters here
• Burp Suite Pro and OWASP ZAP help as well
• As time was of the essence, I used Burp Suite Pro to audit the application
• This was not necessary, and the vulnerabilities found could have been found with basic payload inputs
• In less than an hour I had found reflected XSS and SQL Injection vulnerabilities
• SQLi allowed for full access to the SQLite database

CVE Application Process
• The MITRE process can feel daunting
• The difficulty is increased by there being few references on the process
• The first step in the process is to determine if the developer is a “Certified Numbering Authority,” or CNA
• If the developer is a CNA, the CVE application process MUST go through the developer
• If not a CNA, the process goes through MITRE
• After trying to contact and work with the vendor, it’s time to apply for the CVE itself
• Done through https://cveform.mitre.org
• The submitter will need a valid email address, the number of vulnerabilities to report, confirmation that you have verified the vendor is NOT a registered CNA with MITRE, and confirmation that you have verified the vulnerability isn’t already listed
• Next, describe the vulnerability type, product vendor, product name, and version of the vulnerable software/application
• The CVE database is public, and a CVE number will only be made public if the finding is as well
• You can note on the application that a GitHub or other reference link will be provided once the number is issued
• Eventually you will receive an email either confirming the finding and providing the CVE numbers, or a denial email requesting more information
• After the IDs are issued, rename the GitHub repos and make them public in order to reference the finding
• Reply to the email with the valid links to be listed with the findings; they will be made public after that time
• MITRE will eventually make those findings public
• NIST will also assess the findings and update its resources with a CVSS score
• This can take several days to a week or more
• Note that MITRE does NOT attribute findings to individuals. The individual is the owner of the reference used in the CVE ID in the vulnerability database. It is your responsibility to attribute yourself to the finding and to maintain and protect it.

Let’s simplify things a bit

Huntr.dev
• A bug bounty platform that will pay out for ANY vulnerable repository on GitHub
• Pays out a dollar amount depending on the size of the repository, or on whether the project is sponsored on Huntr
• Regardless of payouts, Huntr is a CNA and can issue CVEs for repository maintainers
• Sponsored repos and Hacktivity are a great place to check for possible target projects, although researching your own can provide fresh projects that may not have been found yet

Submitting Through Huntr
• Click submit and work with the repo owner and admins to validate, remediate, and disclose!

Leveraging Your Work
• After receiving a CVE ID it’s time to leverage your success
• Post to socials – Twitter, LinkedIn, etc.
• Update your LinkedIn biography and resume

Closing Thoughts
• Entry into security positions can be a harrowing task
• There is no one right pathway
• Find ways that set you apart from other applicants and peers
• MAKE YOURSELF SEEN

Socials
• Twitter - @joehelle
• LinkedIn - https://www.linkedin.com/in/joe-helle
• GitHub – https://github.com/dievus
• Medium – https://medium.themayor.tech
• Website – https://themayor.tech