Vulnerabilities


This is a list of some of the vulnerabilities I've published. There are many more that you can read on securityfocus or secunia. I'll try to keep this list updated with any major research.

Product CVE Description
gnupg CVE-2006-0049 Design Error.
libtiff CVE-2006-3459 Stack buffer overflow.
dillo CVE-2005-0012 Format string vulnerability.
vmware CVE-2005-0444 Insecure DT_RPATH.
mozilla CVE-2005-0578 Insecure file usage.
zlib CVE-2005-2096 Heap overflow.
netbsd CVE-2005-4741 Design Error.
xloadimage CVE-2005-0638 Shell injection vulnerability.
imagemagick CVE-2005-0397 Format string vulnerability.
junkbuster CVE-2005-1109 Heap corruption.
gzip CVE-2006-4335 Out-of-bounds stack modification.
openssh CVE-2006-4924 Denial of service.
openssl CVE-2006-3738 Buffer overflow.
monkey httpd CVE-2005-1122 Format string vulnerability.
imagemagick CVE-2006-3743 Stack buffer overflow.
xv SA14977 Multiple vulnerabilities.
xli CVE-2005-0638 Shell injection vulnerability.
busybox CVE-2006-1058 Cryptographic weakness.
libtiff CVE-2005-1544 Stack buffer overflow.
ht CVE-2005-1545 Integer overflow.
gdb CVE-2005-1705 Design Error.
gdb CVE-2005-1704 Integer overflow.
prozilla CVE-2005-2961 Stack buffer overflow.
libtiff CVE-2006-2025 Integer overflow.
libtiff CVE-2006-2026 Double free() vulnerability.
libtiff CVE-2006-3460 Heap overflow.
libtiff CVE-2006-3461 Heap overflow.
libtiff CVE-2006-3462 Heap overflow.
libtiff CVE-2006-3463 Infinite loop.
gzip CVE-2006-4336 Static underflow.
gzip CVE-2006-4338 Infinite loop.
ncompress CVE-2006-1168 Static underflow.
imagemagick CVE-2005-1739 Infinite loop.
rkhunter CVE-2005-1270 Insecure temporary file usage.
mtink CVE-2004-1110 Weak permissions.
gas CVE-2005-4807 Stack buffer overflow.
elfutils CVE-2005-1704 Integer overflow.
tetris-bsd CVE-2006-1539 Design error.
gzip CVE-2006-4337 Static overflow.
openssl CVE-2006-4343 Denial of Service.
hashcash CVE-2005-0687 Format string vulnerability.
imagemagick CVE-2006-3744 Multiple Integer and heap overflows.
gproftpd CVE-2005-0484 Format string vulnerability.
esearch CVE-2004-0655 Insecure temporary file usage.
gnupg CVE-2006-0455 Design error.
lha CVE-2006-4335 Out-of-bounds stack modification.
lha CVE-2006-4337 Static overflow.
lha CVE-2006-4338 Infinite loop.
gdb CVE-2006-4146 Stack buffer overflow.
libpng CVE-2006-5793 OOB Read.
fvwm CVE-2006-5969 Command Injection.
sudo CVE-2005-2959 Insufficient blacklist.
sudo CVE-2006-0151 Insufficient blacklist.
xv CVE-2005-0665 Format String Error.
imagemagick CVE-2005-0397 Format String Error.
gnupg CVE-2006-6235 Buffer Management Error.
denyhosts CVE-2006-6301 Denial of Service.
oftpd CVE-2005-2239 Denial of Service.
thttpd CVE-2007-0158 Buffer Underflow.
qemu CVE-2007-1320 Buffer Overflow.
qemu CVE-2007-1322 Design Errors.
bochs CVE-2007-1323 Buffer Overflow.
vmware CVE-2007-1337 Out of bounds write.
glibc CVE-2007-3508 Integer Overflow.
virusscan SA26137 Heap Overflow.
perl CVE-2007-5116 Heap Overflow.
pcre CVE-2007-1659 Heap Overflow.
pcre CVE-2007-1660 Heap Overflow.
pcre CVE-2007-1661 Information leak.
pcre CVE-2007-1662 Denial of Service.
pcre CVE-2007-4766 Heap Overflow.
pcre CVE-2007-4767 Infinite loops.
pcre CVE-2007-4768 Heap Overflow.
libpng CVE-2007-5269 OOB Reads.
systrace CVE-2007-4773 Escape policy enforcement.
linux CVE-2007-4774 Race condition.
boost CVE-2008-0171 Denial of Service.
boost CVE-2008-0172 Denial of Service.
libicu CVE-2007-4770 OOB Writes.
nvclock CVE-2007-3531 Insecure /tmp usage.
oftpd CVE-2006-6767 Denial of Service.
binutils SA21508 Stack buffer Overflow.
libicu CVE-2007-4771 Heap Overflow.
postgres CVE-2007-4769 Denial of Service.
robohelp CVE-2008-0642 Cross site scripting.
presenter CVE-2008-3515 Cross site scripting.
postgres CVE-2007-4772 Denial of Service.
acrobat CVE-2008-0655 Multiple Heap Overflows.
tcl CVE-2007-6067 Algorithmic Complexity Attack.
linux CVE-2008-0598 Information Leak.
unzip CVE-2008-0888 Invalid free().
am-utils CVE-2008-1078 Insecure /tmp usage.
acrobat CVE-2008-0883 Insecure file creation.
webkit CVE-2008-1010 Buffer Overflow.
libpng CVE-2008-1382 Design Error.
iexplore CVE-2008-2256 Memory corruption.
python CVE-2008-3143 Multiple issues.
flash CVE-2008-3872 Filter evasion.
linux CVE-2008-3527 Missing Boundary Checks.

The vulnerabilities I'm most proud of are probably my attack against gpg signed messages, and my zlib heap overflow vulnerability.

Although it's not widely known I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the Sony PSP and the Apple iPhone.

Reverse Engineering


I enjoy reverse engineering for security purposes and as a hobby. My main activities in reverse engineering involve either hostile binary analysis or solving crackmes.

Crackmes are small reverse engineering puzzles created by other hobbyists. The best repository of Linux crackmes available is crackmes.de. You can find a list of my crackmes and solutions on my user page.

crackmes

Solutions

Here is a list of some of my crackme solutions.

Title       Author    Link
package     crp-      http://crackmes.de/users/crp/package
collide     crp-      http://crackmes.de/users/crp/collide
888         crp-      http://crackmes.de/users/crp/888
jandepora   eSn-mIn   http://crackmes.de/users/esn_min/jandepora
linux_cm_1  veneta    http://crackmes.de/users/veneta/linux_crackme_v1

Crackmes

Title       Link
trace-p     http://crackmes.de/users/taviso/trace_p/

Interviews


Some of my security research has attracted the attention of the media; I've even been asked for interviews occasionally. There are links to some of these below.

Research Papers


Recommended


Other