21

Jul

by pi3

Finally! 19 of July 2011 I had defence of my Master of Degree. I pass exam from whole study at mark 5.5 (the highest mark) and defence my thesis with mark 5.5 (the highest mark) and on the diploma I’m going to have final mark 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University and they want to send it to the contest 😉 My topic was: “Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications”. To be honest now I have very powerful fuzzer ;>

At the beginning of March I second time moved to Switzerland (because of my work at CERN). Before that I was working in Wroclaw Center for Networking and Supercomputing in security team. In the middle of one pentesting work me and my friends (Bartek Balcerek and Maciej Kotowicz) discovered very nice vulnerability in the TORQUE server.

TORQUE (Terascale Open-Source Resource and Queue Manager) is very common in any GRID projects – including GRID in European Organization for Nuclear Research aka CERN 🙂 By using this bug attacker are able to create dirty job and put it to the queue and server responsible for executing this job will be hacked. This is very dangerous situation from the infrastructure – in the easiest way noone else will be able to use GRID resources. In worst situation we are able to overtake control on the edge machine which can manipulate any other machine – of course server is running with the root privileges 😉

Here is advisory in full-disclosure list.

Here is backup on my server.

 

Best regards,

Adam Zabrocki