This is a list of some of the vulnerabilities I've published. There are many more that you can read on SecurityFocus or Secunia. I'll try to keep this list updated with any major research.

| Product | CVE / Advisory | Description |
|---|---|---|
| windows | CVE-2009-0231 | Heap Overflow. |
| windows | CVE-2010-0233 | Double Free. |
| windows | CVE-2010-0232 | Design Error. |
| linux | CVE-2009-4141 | Use after free. |
| windows | CVE-2010-0018 | Integer errors. |
| windows | CVE-2009-2514 | Kernel integer errors. |
| vmware | CVE-2009-2267 | Local privilege escalation. |
| windows | CVE-2009-3126 | Integer overflow. |
| windows | CVE-2009-2503 | Memory Corruption. |
| windows | CVE-2009-2517 | Local privilege escalation. |
| windows | CVE-2009-2515 | Integer truncation. |
| acrobat | CVE-2009-2984 | Memory Corruption. |
| netbsd | CVE-2009-2793 | Kernel stack desynchronization. |
| windows | CVE-2009-2519 | Heap corruption. |
| linux | CVE-2009-2698 | Local privilege escalation. |
| linux | CVE-2009-2692 | Local privilege escalation. |
| pulseaudio | CVE-2009-1894 | Race Condition. |
| linux | CVE-2009-1895 | Protection bypass. |
| virtualpc | CVE-2009-1542 | Missing Privilege Checks. |
| safari | CVE-2009-1705 | Integer overflow. |
| libwmf | CVE-2009-1364 | Use after free. |
| freetype | CVE-2009-0946 | Integer Overflows. |
| opera | CVE-2009-0914 | Heap Corruption. |
| flash | CVE-2009-0521 | Untrusted search path. |
| libpng | CVE-2009-0040 | Invalid free(). |
| linux | CVE-2008-3527 | Missing Boundary Checks. |
| flash | CVE-2008-3872 | Filter evasion. |
| python | CVE-2008-3143 | Multiple issues. |
| internet explorer | CVE-2008-2256 | Memory corruption. |
| libpng | CVE-2008-1382 | Design Error. |
| webkit | CVE-2008-1010 | Buffer Overflow. |
| acrobat | CVE-2008-0883 | Insecure file creation. |
| am-utils | CVE-2008-1078 | Insecure /tmp usage. |
| unzip | CVE-2008-0888 | Invalid free(). |
| linux | CVE-2008-0598 | Information Leak. |
| tcl | CVE-2007-6067 | Algorithmic Complexity Attack. |
| acrobat | CVE-2008-0655 | Multiple Heap Overflows. |
| postgres | CVE-2007-4772 | Denial of Service. |
| presenter | CVE-2008-3515 | Cross site scripting. |
| robohelp | CVE-2008-0642 | Cross site scripting. |
| postgres | CVE-2007-4769 | Denial of Service. |
| libicu | CVE-2007-4771 | Heap Overflow. |
| binutils | SA21508 | Stack buffer Overflow. |
| oftpd | CVE-2006-6767 | Denial of Service. |
| nvclock | CVE-2007-3531 | Insecure /tmp usage. |
| libicu | CVE-2007-4770 | OOB Writes. |
| boost | CVE-2008-0172 | Denial of Service. |
| boost | CVE-2008-0171 | Denial of Service. |
| linux | CVE-2007-4774 | Race condition. |
| systrace | CVE-2007-4773 | Escape policy enforcement. |
| libpng | CVE-2007-5269 | OOB Reads. |
| pcre | CVE-2007-4768 | Heap Overflow. |
| pcre | CVE-2007-4767 | Infinite loops. |
| pcre | CVE-2007-4766 | Heap Overflow. |
| pcre | CVE-2007-1662 | Denial of Service. |
| pcre | CVE-2007-1661 | Information leak. |
| pcre | CVE-2007-1660 | Heap Overflow. |
| pcre | CVE-2007-1659 | Heap Overflow. |
| perl | CVE-2007-5116 | Heap Overflow. |
| virusscan | SA26137 | Heap Overflow. |
| glibc | CVE-2007-3508 | Integer Overflow. |
| vmware | CVE-2007-1337 | Out of bounds write. |
| bochs | CVE-2007-1323 | Buffer Overflow. |
| qemu | CVE-2007-1322 | Design Errors. |
| qemu | CVE-2007-1320 | Buffer Overflow. |
| thttpd | CVE-2007-0158 | Buffer Underflow. |
| oftpd | CVE-2005-2239 | Denial of Service. |
| denyhosts | CVE-2006-6301 | Denial of Service. |
| gnupg | CVE-2006-6235 | Buffer Management Error. |
| imagemagick | CVE-2005-0397 | Format String Error. |
| xv | CVE-2005-0665 | Format String Error. |
| sudo | CVE-2006-0151 | Insufficient blacklist. |
| sudo | CVE-2005-2959 | Insufficient blacklist. |
| fvwm | CVE-2006-5969 | Command Injection. |
| libpng | CVE-2006-5793 | OOB Read. |
| gdb | CVE-2006-4146 | Stack buffer overflow. |
| lha | CVE-2006-4338 | Infinite loop. |
| lha | CVE-2006-4337 | Static overflow. |
| lha | CVE-2006-4335 | Out-of-bounds stack modification. |
| gnupg | CVE-2006-0455 | Design error. |
| esearch | CVE-2004-0655 | Insecure temporary file usage. |
| gproftpd | CVE-2005-0484 | Format string vulnerability. |
| imagemagick | CVE-2006-3744 | Multiple Integer and heap overflows. |
| hashcash | CVE-2005-0687 | Format string vulnerability. |
| openssl | CVE-2006-4343 | Denial of Service. |
| gzip | CVE-2006-4337 | Static overflow. |
| tetris-bsd | CVE-2006-1539 | Design error. |
| elfutils | CVE-2005-1704 | Integer overflow. |
| gas | CVE-2005-4807 | Stack buffer overflow. |
| mtink | CVE-2004-1110 | Weak permissions. |
| rkhunter | CVE-2005-1270 | Insecure temporary file usage. |
| imagemagick | CVE-2005-1739 | Infinite loop. |
| ncompress | CVE-2006-1168 | Static underflow. |
| gzip | CVE-2006-4338 | Infinite loop. |
| gzip | CVE-2006-4336 | Static underflow. |
| libtiff | CVE-2006-3463 | Infinite loop. |
| libtiff | CVE-2006-3462 | Heap overflow. |
| libtiff | CVE-2006-3461 | Heap overflow. |
| libtiff | CVE-2006-3460 | Heap overflow. |
| libtiff | CVE-2006-2026 | Double free() vulnerability. |
| libtiff | CVE-2006-2025 | Integer overflow. |
| prozilla | CVE-2005-2961 | Stack buffer overflow. |
| gdb | CVE-2005-1704 | Integer overflow. |
| gdb | CVE-2005-1705 | Design Error. |
| ht | CVE-2005-1545 | Integer overflow. |
| libtiff | CVE-2005-1544 | Stack buffer overflow. |
| busybox | CVE-2006-1058 | Cryptographic weakness. |
| xli | CVE-2005-0638 | Shell injection vulnerability. |
| xv | SA14977 | Multiple vulnerabilities. |
| imagemagick | CVE-2006-3743 | Stack buffer overflow. |
| monkey | CVE-2005-1122 | Format string vulnerability. |
| openssl | CVE-2006-3738 | Buffer overflow. |
| openssh | CVE-2006-4924 | Denial of service. |
| gzip | CVE-2006-4335 | Out-of-bounds stack modification. |
| junkbuster | CVE-2005-1109 | Heap corruption. |
| imagemagick | CVE-2005-0397 | Format string vulnerability. |
| xloadimage | CVE-2005-0638 | Shell injection vulnerability. |
| netbsd | CVE-2005-4741 | Design Error. |
| zlib | CVE-2005-2096 | Heap overflow. |
| mozilla | CVE-2005-0578 | Insecure file usage. |
| vmware | CVE-2005-0444 | Insecure DT_RPATH. |
| dillo | CVE-2005-0012 | Format string vulnerability. |
| libtiff | CVE-2006-3459 | Stack buffer overflow. |
| gnupg | CVE-2006-0049 | Design Error. |

The vulnerabilities I'm most proud of are probably my attack against GPG-signed messages, and my zlib heap overflow vulnerability.
Although it's not widely known I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the Sony PSP and the Apple iPhone.
I enjoy reverse engineering for security purposes and as a hobby. My main activities in reverse engineering involve either hostile binary analysis, or solving crackmes.
Crackmes are small reverse engineering puzzles created by other hobbyists. The best repository of Linux crackmes available is at crackmes.de. You can find a list of my crackmes and solutions on my user page.
Here is a list of some of my crackme solutions.

| Title | Author | Link |
|---|---|---|
| package | crp- | http://crackmes.de/users/crp/package |
| collide | crp- | http://crackmes.de/users/crp/collide |
| 888 | crp- | http://crackmes.de/users/crp/888 |
| jandepora | eSn-mIn | http://crackmes.de/users/esn_min/jandepora |
| linux_cm_1 | veneta | http://crackmes.de/users/veneta/linux_crackme_v1 |

| Title | Link |
|---|---|
| trace-p | http://crackmes.de/users/taviso/trace_p/ |

Some of my security research has attracted the attention of the media; I've even been asked for interviews occasionally. There are links to some of these below.