Mykhailo Dovhanych, 21, our pentester, has become a local celebrity. He made the digital world a bit safer by discovering a zero-day vulnerability and getting his first CVE. We asked him a couple of questions to learn more about this exciting story:
UnderDefense: What is the official name of your position in the company?
Mykhailo: I’m a Penetration Tester, but personally, I prefer to call it Red Team Operator (laughing).
UnderDefense: When did you decide that you want to work in the CyberSec industry? Why?
Mykhailo: I've been into cybersecurity since 2019, when a couple of my friends decided to go to military universities. I planned to join them, but then I realized that cyberspace is the “5th field” of war, and the most interesting one for me. I felt like I could definitely make a contribution there. So I made the decision to advance in Offensive Security.
UnderDefense: What software was this vulnerability found in?
Mykhailo: I found it in Pi-hole. Pi-hole is free, open-source software for Linux that acts as a DNS sinkhole and ad blocker. It is designed to run on a Raspberry Pi, but can also be installed on other Linux-based systems. Pi-hole blocks ads by routing DNS queries for known ad-serving domains to a “black hole”, effectively preventing ads from appearing on devices that use it as their DNS server.
UnderDefense: Who uses Pi-hole? How many people could be affected?
Mykhailo: These are individuals and organizations that want to block unwanted ads and trackers on their network, including homes, small businesses, and schools. Also, it is used by individuals who want more control over their privacy and security when browsing the internet. There is no exact data regarding Pi-hole installs and active users, but approximately hundreds of thousands could have been affected, possibly even more than half a million.
UnderDefense: What is the nature of the vulnerability you found?
Mykhailo: The vulnerability is that attackers could access information about domains from these blacklists created by the administrator. These blacklists contain confidential information that should not be disclosed. Since tracking domains are constantly changing, it’s not easy to record all of them and keep the blacklists updated. So updated lists of such domains are sold on the internet and you can buy them for a few dollars. In this particular case, the client who buys and implements such a list is in danger. Attackers can obtain these lists for free by exploiting the vulnerability. When we announced it to the developer, it had a “Zero Day” status, meaning that all versions were vulnerable.
UnderDefense: Was this vulnerability fixed?
Mykhailo: With the help of the search engines Shodan and ZoomEye, and special Google Dorks, it was possible to select publicly available DNS servers and get all blocked domains from them. Currently, there is an updated version of the Pi-hole Admin Panel without this vulnerability.
You can learn more about the above-mentioned CVE here: