Vulnerabilities


This is a list of some of the vulnerabilities I've published; there are many more that you can read about on securityfocus or secunia. I'll try to keep this list updated with any major research.

Product            CVE / advisory  Description
windows            CVE-2009-0231   Heap overflow.
windows            CVE-2010-0233   Double free.
windows            CVE-2010-0232   Design error.
linux              CVE-2009-4141   Use after free.
windows            CVE-2010-0018   Integer errors.
windows            CVE-2009-2514   Kernel integer errors.
vmware             CVE-2009-2267   Local privilege escalation.
windows            CVE-2009-3126   Integer overflow.
windows            CVE-2009-2503   Memory corruption.
windows            CVE-2009-2517   Local privilege escalation.
windows            CVE-2009-2515   Integer truncation.
acrobat            CVE-2009-2984   Memory corruption.
netbsd             CVE-2009-2793   Kernel stack desynchronization.
windows            CVE-2009-2519   Heap corruption.
linux              CVE-2009-2698   Local privilege escalation.
linux              CVE-2009-2692   Local privilege escalation.
pulseaudio         CVE-2009-1894   Race condition.
linux              CVE-2009-1895   Protection bypass.
virtualpc          CVE-2009-1542   Missing privilege checks.
safari             CVE-2009-1705   Integer overflow.
libwmf             CVE-2009-1364   Use after free.
freetype           CVE-2009-0946   Integer overflows.
opera              CVE-2009-0914   Heap corruption.
flash              CVE-2009-0521   Untrusted search path.
libpng             CVE-2009-0040   Invalid free().
linux              CVE-2008-3527   Missing boundary checks.
flash              CVE-2008-3872   Filter evasion.
python             CVE-2008-3143   Multiple issues.
internet explorer  CVE-2008-2256   Memory corruption.
libpng             CVE-2008-1382   Design error.
webkit             CVE-2008-1010   Buffer overflow.
acrobat            CVE-2008-0883   Insecure file creation.
am-utils           CVE-2008-1078   Insecure /tmp usage.
unzip              CVE-2008-0888   Invalid free().
linux              CVE-2008-0598   Information leak.
tcl                CVE-2007-6067   Algorithmic complexity attack.
acrobat            CVE-2008-0655   Multiple heap overflows.
postgres           CVE-2007-4772   Denial of service.
presenter          CVE-2008-3515   Cross site scripting.
robohelp           CVE-2008-0642   Cross site scripting.
postgres           CVE-2007-4769   Denial of service.
libicu             CVE-2007-4771   Heap overflow.
binutils           SA21508         Stack buffer overflow.
oftpd              CVE-2006-6767   Denial of service.
nvclock            CVE-2007-3531   Insecure /tmp usage.
libicu             CVE-2007-4770   OOB writes.
boost              CVE-2008-0172   Denial of service.
boost              CVE-2008-0171   Denial of service.
linux              CVE-2007-4774   Race condition.
systrace           CVE-2007-4773   Escape policy enforcement.
libpng             CVE-2007-5269   OOB reads.
pcre               CVE-2007-4768   Heap overflow.
pcre               CVE-2007-4767   Infinite loops.
pcre               CVE-2007-4766   Heap overflow.
pcre               CVE-2007-1662   Denial of service.
pcre               CVE-2007-1661   Information leak.
pcre               CVE-2007-1660   Heap overflow.
pcre               CVE-2007-1659   Heap overflow.
perl               CVE-2007-5116   Heap overflow.
virusscan          SA26137         Heap overflow.
glibc              CVE-2007-3508   Integer overflow.
vmware             CVE-2007-1337   Out of bounds write.
bochs              CVE-2007-1323   Buffer overflow.
qemu               CVE-2007-1322   Design errors.
qemu               CVE-2007-1320   Buffer overflow.
thttpd             CVE-2007-0158   Buffer underflow.
oftpd              CVE-2005-2239   Denial of service.
denyhosts          CVE-2006-6301   Denial of service.
gnupg              CVE-2006-6235   Buffer management error.
imagemagick        CVE-2005-0397   Format string vulnerability.
xv                 CVE-2005-0665   Format string vulnerability.
sudo               CVE-2006-0151   Insufficient blacklist.
sudo               CVE-2005-2959   Insufficient blacklist.
fvwm               CVE-2006-5969   Command injection.
libpng             CVE-2006-5793   OOB read.
gdb                CVE-2006-4146   Stack buffer overflow.
lha                CVE-2006-4338   Infinite loop.
lha                CVE-2006-4337   Static overflow.
lha                CVE-2006-4335   Out-of-bounds stack modification.
gnupg              CVE-2006-0455   Design error.
esearch            CVE-2004-0655   Insecure temporary file usage.
gproftpd           CVE-2005-0484   Format string vulnerability.
imagemagick        CVE-2006-3744   Multiple integer and heap overflows.
hashcash           CVE-2005-0687   Format string vulnerability.
openssl            CVE-2006-4343   Denial of service.
gzip               CVE-2006-4337   Static overflow.
tetris-bsd         CVE-2006-1539   Design error.
elfutils           CVE-2005-1704   Integer overflow.
gas                CVE-2005-4807   Stack buffer overflow.
mtink              CVE-2004-1110   Weak permissions.
rkhunter           CVE-2005-1270   Insecure temporary file usage.
imagemagick        CVE-2005-1739   Infinite loop.
ncompress          CVE-2006-1168   Static underflow.
gzip               CVE-2006-4338   Infinite loop.
gzip               CVE-2006-4336   Static underflow.
libtiff            CVE-2006-3463   Infinite loop.
libtiff            CVE-2006-3462   Heap overflow.
libtiff            CVE-2006-3461   Heap overflow.
libtiff            CVE-2006-3460   Heap overflow.
libtiff            CVE-2006-2026   Double free() vulnerability.
libtiff            CVE-2006-2025   Integer overflow.
prozilla           CVE-2005-2961   Stack buffer overflow.
gdb                CVE-2005-1704   Integer overflow.
gdb                CVE-2005-1705   Design error.
ht                 CVE-2005-1545   Integer overflow.
libtiff            CVE-2005-1544   Stack buffer overflow.
busybox            CVE-2006-1058   Cryptographic weakness.
xli                CVE-2005-0638   Shell injection vulnerability.
xv                 SA14977         Multiple vulnerabilities.
imagemagick        CVE-2006-3743   Stack buffer overflow.
monkey             CVE-2005-1122   Format string vulnerability.
openssl            CVE-2006-3738   Buffer overflow.
openssh            CVE-2006-4924   Denial of service.
gzip               CVE-2006-4335   Out-of-bounds stack modification.
junkbuster         CVE-2005-1109   Heap corruption.
xloadimage         CVE-2005-0638   Shell injection vulnerability.
netbsd             CVE-2005-4741   Design error.
zlib               CVE-2005-2096   Heap overflow.
mozilla            CVE-2005-0578   Insecure file usage.
vmware             CVE-2005-0444   Insecure DT_RPATH.
dillo              CVE-2005-0012   Format string vulnerability.
libtiff            CVE-2006-3459   Stack buffer overflow.
gnupg              CVE-2006-0049   Design error.

The vulnerabilities I'm most proud of are probably my attack against gpg-signed messages and my zlib heap overflow (CVE-2005-2096).

Although it's not widely known that I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the Sony PSP and the Apple iPhone.

Reverse Engineering


I enjoy reverse engineering for security purposes and as a hobby. My main reverse engineering activities are hostile binary analysis and solving crackmes.

Crackmes are small reverse engineering puzzles created by other hobbyists. The best repository of linux crackmes available is crackmes.de. You can find a list of my crackmes and solutions on my user page there.

crackmes

Solutions

Here is a list of some of my crackme solutions.

Title       Author   Link
package     crp-     http://crackmes.de/users/crp/package
collide     crp-     http://crackmes.de/users/crp/collide
888         crp-     http://crackmes.de/users/crp/888
jandepora   eSn-mIn  http://crackmes.de/users/esn_min/jandepora
linux_cm_1  veneta   http://crackmes.de/users/veneta/linux_crackme_v1

My crackmes

Title    Link
trace-p  http://crackmes.de/users/taviso/trace_p/

Interviews


Some of my security research has attracted the attention of the media, and I've occasionally been asked for interviews. There are links to some of these below.

Research Papers


Recommended


Other