Memories of My First CVEs
It’s 2023 and I see that Erik Wynter landed a Metasploit module for one of my first CVEs from 2016! Well, technically it was my 2nd CVE, but I submitted both CVE-2016-10107 and CVE-2016-10108 at the same time.
This brings back memories of my state of mind when I found that bug. I got the OSCP cert a year before that. I had been having trouble getting a pentesting job. During those job interviews I realized how weak I was at web app pentesting, so I decided to dive deep into it. When I found those two MyCloud CVEs, my wife was out of town and it was storming hard, so I couldn’t go for a ride on my motorcycle.
With nothing else to do, I decided to move on from hacking intentionally vulnerable web apps such as Mutillidae to something harder. I had just bought my WD NAS, so I had the urge to poke around in it. I was focused on the basics and learning the OWASP Top Ten, and at the time I found the two bugs I was fuzzing the headers. When I found them I felt that roller coaster high, like I felt back when I learned I had passed the OSCP a year earlier. I was like “F. yeah, going to have some CVEs on my resume and hopefully get a pentesting job out of this”. I was amped up and running around my house yelling, sorta like when your team wins the Super Bowl.
Not long after that, on this day, the web interface on my device became unresponsive and I became worried I’d crashed it and lost the only copy of many gigs of family pictures. I breathed a sigh of relief when a hard reboot restored access. I decided I had poked around enough in it and stopped my testing. I didn’t want to take any more risks of losing my data and didn’t have any other backup medium.
Fast forward a bit and I had finally landed a pentesting job, thanks in part to padding my resume with those CVEs. I then noticed how many new CVEs had been published on MyCloud and felt sick to my stomach. I felt like a fool because I stopped digging for more and gave up so easily. I ended up using that story in a presentation to my Rapid7 coworkers, and talked about how, when looking for bugs and getting your first CVE, IoT devices were a great place to get started due to the shitty state of security in IoT devices.