Vulnerability hunter helping to debug Microsoft

30 Jul 2020
PhD student Huichen (Walt) Lin

UQ cyber security PhD student Huichen (Walt) Lin is in a race to expose the chinks in the armour of one of the world’s biggest technology companies, Microsoft, and there is a pile of cash to be made by winning.

A veteran ‘vulnerability hunter’, Huichen has already discovered two bugs for Microsoft, but now he is on the hunt for more.

In 2017, and again earlier this year, Huichen was acknowledged through the Microsoft Bug Bounty Program for his work identifying vulnerabilities in Microsoft’s services, and offered a reward of USD $10,000 for his efforts.

He said the process was like searching for a needle in a haystack, and it involved a lot of time and effort, and trial and error.

“It was a fun process, and very satisfying when I finally discovered the vulnerabilities - the most challenging part is persevering, because you know these vulnerabilities exist, but you have no idea where they are,” said Huichen.

Using the skills he learnt studying, researching and working in the field of cyber security, Internet of Things and networking, Huichen developed attack test tools to conduct penetration testing on different Microsoft systems, as a hobby.

“I discovered the two vulnerabilities by adjusting attack test tools with different attacking times and payloads,” he said.

“After making the discoveries, I reported them to the Microsoft Security Response Centre (MSRC) Researcher Portal, and they were validated by the team there.

“For obvious reasons, you are required to keep the vulnerability confidential during Microsoft’s investigation and until the company has released a security update to cover the issue you have uncovered.”

Now, Huichen is hoping to have two more issues that he has reported acknowledged, with the Microsoft team already confirming they are valid vulnerabilities.

“If you think about cyber-attacks as a matter of not just ‘if’ but ‘when’, then you can see that helping software companies find vulnerabilities is crucial for the cybersecurity community,” he said.

“Utilising our cyber community’s unique skill set can help technology organisations to provide a proactive defence against the increasing prevalence of cyber security threats by helping more vulnerabilities get fixed faster.

“I plan to continue to hunt for vulnerabilities, and I like to encourage my colleagues to do the same.”

Find out more about the two Common Vulnerabilities and Exposures (CVEs) that Huichen has discovered - CVE-2017-0174 and CVE-2020-0909 - on the Microsoft Security Researcher Acknowledgement portal.

Tips on hunting for vulnerabilities

  • Write your own attack test tools. Nowadays it is virtually impossible to discover a new vulnerability using existing attack tools, because that is what a host of rookie hackers try to do every day. Creating your own attack test tools, on the other hand, allows for the greatest flexibility to meet the needs of your novel attack idea.

  • Focus on the unexpected. Most vulnerabilities that exist are the result of undesirable flaws in computer systems, so by focusing on the unexpected there is a higher likelihood that a bug could be found and exploited.

  • Record each step and necessary details. Bug hunting is often a lengthy process. You could end up doing the exact same test over and over again. Writing down the tests and details of your steps can help to reduce duplication of tests, saving time, effort and helping you to find bugs faster.

  • Ensure the vulnerability is reproducible on every test. Each day there are a large number of vulnerabilities reported, but only a very small fraction of them are deemed valid. This is because if the reported vulnerability cannot be reproduced when the vendor tries to reproduce it, it won’t be validated.

  • Get in quick! Usually, if multiple bug reports for the same vulnerability are submitted from different researchers, the acknowledgement and bounty will be granted to the first submission – so don’t sit on your find – submit it! The bounties are worth up to USD $250,000, so you don’t want to miss out.

Find out more about UQ Cyber Security.