Research
Tavis Ormandy
$Id: research.t2t,v 1.48 2010/07/01 07:39:39 taviso Exp $

%! Target:
%! Options: --toc --encoding=iso-8859-1
%! Style: main.css
%! PostProc: "__CVEURL" "http://cve.mitre.org/cgi-bin/cvename.cgi?name"
%! PreProc: "__CRKURL" "http://crackmes.de"
%! PostProc: "__SECUNIA=" "http://secunia.com/advisories/"
%! PreProc: "(CVE-....-....)" "[\1 __CVEURL=\1]"
%! PreProc: "SA-(.....)" "[SA\1 __SECUNIA=\1]"

=== Vulnerabilities ===
---------------------------------------------------------------------------

This is a list of some of the vulnerabilities I've published. There are many more that you can read on [securityfocus http://www.securityfocus.com] or [secunia http://www.secunia.com]. I'll try to keep this list updated with any major research.

- http://secunia.com/search/?search=Tavis+Ormandy
- http://securityfocus.com/swsearch?metaname=alldoc&query=Tavis+Ormandy


|| Product | CVE | Description |
| windows | CVE-2010-2265 | Cross-site scripting. |
| acrobat | CVE-2010-2207 | Memory corruption. |
| acrobat | CVE-2010-2208 | Memory corruption. |
| acrobat | CVE-2010-2209 | Memory corruption. |
| acrobat | CVE-2010-2210 | Memory corruption. |
| acrobat | CVE-2010-2211 | Memory corruption. |
| windows | CVE-2010-1885 | Insufficient validation. |
| flash | CVE-2010-2187 | Memory corruption. |
| flash | CVE-2010-2186 | Memory corruption. |
| flash | CVE-2010-2185 | Memory corruption. |
| flash | CVE-2010-2184 | Memory corruption. |
| flash | CVE-2010-2183 | Memory corruption. |
| flash | CVE-2010-2182 | Memory corruption. |
| flash | CVE-2010-2181 | Memory corruption. |
| flash | CVE-2010-2180 | Memory corruption. |
| flash | CVE-2010-2163 | Memory corruption. |
| photoshop | CVE-2010-1279 | Memory corruption. |
| windows | CVE-2010-0481 | Denial of Service. |
| windows | CVE-2010-0810 | Denial of Service. |
| java | CVE-2010-0886 | Insufficient validation. |
| windows | CVE-2009-0231 | Heap Overflow. |
| windows | CVE-2010-0233 | Double Free. |
| windows | CVE-2010-0232 | Design Error. |
| linux | CVE-2009-4141 | Use after free. |
| windows | CVE-2010-0018 | Integer errors. |
| windows | CVE-2009-2514 | Kernel integer errors. |
| vmware | CVE-2009-2267 | Local privilege escalation. |
| windows | CVE-2009-3126 | Integer overflow. |
| windows | CVE-2009-2503 | Memory Corruption. |
| windows | CVE-2009-2517 | Local privilege escalation. |
| windows | CVE-2009-2515 | Integer truncation. |
| acrobat | CVE-2009-2984 | Memory Corruption. |
| netbsd | CVE-2009-2793 | Kernel stack desynchronization. |
| windows | CVE-2009-2519 | Heap corruption. |
| linux | CVE-2009-2698 | Local privilege escalation. |
| linux | CVE-2009-2692 | Local privilege escalation. |
| pulseaudio | CVE-2009-1894 | Race Condition. |
| linux | CVE-2009-1895 | Protection bypass. |
| virtualpc | CVE-2009-1542 | Missing Privilege Checks. |
| safari | CVE-2009-1705 | Integer overflow. |
| libwmf | CVE-2009-1364 | Use after free. |
| freetype | CVE-2009-0946 | Integer Overflows. |
| opera | CVE-2009-0914 | Heap Corruption. |
| flash | CVE-2009-0521 | Untrusted search path. |
| libpng | CVE-2009-0040 | Invalid free(). |
| linux | CVE-2008-3527 | Missing Boundary Checks. |
| flash | CVE-2008-3872 | Filter evasion. |
| python | CVE-2008-3143 | Multiple issues. |
| iexplorer | CVE-2008-2256 | Memory corruption. |
| libpng | CVE-2008-1382 | Design Error. |
| webkit | CVE-2008-1010 | Buffer Overflow. |
| acrobat | CVE-2008-0883 | Insecure file creation. |
| am-utils | CVE-2008-1078 | Insecure /tmp usage. |
| unzip | CVE-2008-0888 | Invalid free(). |
| linux | CVE-2008-0598 | Information Leak. |
| tcl | CVE-2007-6067 | Algorithmic Complexity Attack. |
| acrobat | CVE-2008-0655 | Multiple Heap Overflows. |
| postgres | CVE-2007-4772 | Denial of Service. |
| presenter | CVE-2008-3515 | Cross site scripting. |
| robohelp | CVE-2008-0642 | Cross site scripting. |
| postgres | CVE-2007-4769 | Denial of Service. |
| libicu | CVE-2007-4771 | Heap Overflow. |
| binutils | SA-21508 | Stack buffer Overflow. |
| oftpd | CVE-2006-6767 | Denial of Service. |
| nvclock | CVE-2007-3531 | Insecure /tmp usage. |
| libicu | CVE-2007-4770 | OOB Writes. |
| boost | CVE-2008-0172 | Denial of Service. |
| boost | CVE-2008-0171 | Denial of Service. |
| linux | CVE-2007-4774 | Race condition. |
| systrace | CVE-2007-4773 | Escape policy enforcement. |
| libpng | CVE-2007-5269 | OOB Reads. |
| pcre | CVE-2007-4768 | Heap Overflow. |
| pcre | CVE-2007-4767 | Infinite loops. |
| pcre | CVE-2007-4766 | Heap Overflow. |
| pcre | CVE-2007-1662 | Denial of Service. |
| pcre | CVE-2007-1661 | Information leak. |
| pcre | CVE-2007-1660 | Heap Overflow. |
| pcre | CVE-2007-1659 | Heap Overflow. |
| perl | CVE-2007-5116 | Heap Overflow. |
| virusscan | SA-26137 | Heap Overflow. |
| glibc | CVE-2007-3508 | Integer Overflow. |
| vmware | CVE-2007-1337 | Out of bounds write. |
| bochs | CVE-2007-1323 | Buffer Overflow. |
| qemu | CVE-2007-1322 | Design Errors. |
| qemu | CVE-2007-1320 | Buffer Overflow. |
| thttpd | CVE-2007-0158 | Buffer Underflow. |
| oftpd | CVE-2005-2239 | Denial of Service. |
| denyhosts | CVE-2006-6301 | Denial of Service. |
| gnupg | CVE-2006-6235 | Buffer Management Error. |
| imagemagick | CVE-2005-0397 | Format String Error. |
| xv | CVE-2005-0665 | Format String Error. |
| sudo | CVE-2006-0151 | Insufficient blacklist. |
| sudo | CVE-2005-2959 | Insufficient blacklist. |
| fvwm | CVE-2006-5969 | Command Injection. |
| libpng | CVE-2006-5793 | OOB Read. |
| gdb | CVE-2006-4146 | Stack buffer overflow. |
| lha | CVE-2006-4338 | Infinite loop. |
| lha | CVE-2006-4337 | Static overflow. |
| lha | CVE-2006-4335 | Out-of-bounds stack modification. |
| gnupg | CVE-2006-0455 | Design error. |
| esearch | CVE-2004-0655 | Insecure temporary file usage. |
| gproftpd | CVE-2005-0484 | Format string vulnerability. |
| imagemagick | CVE-2006-3744 | Multiple Integer and heap overflows. |
| hashcash | CVE-2005-0687 | Format string vulnerability. |
| openssl | CVE-2006-4343 | Denial of Service. |
| gzip | CVE-2006-4337 | Static overflow. |
| tetris-bsd | CVE-2006-1539 | Design error. |
| elfutils | CVE-2005-1704 | Integer overflow. |
| gas | CVE-2005-4807 | Stack buffer overflow. |
| mtink | CVE-2004-1110 | Weak permissions. |
| rkhunter | CVE-2005-1270 | Insecure temporary file usage. |
| imagemagick | CVE-2005-1739 | Infinite loop. |
| ncompress | CVE-2006-1168 | Static underflow. |
| gzip | CVE-2006-4338 | Infinite loop. |
| gzip | CVE-2006-4336 | Static underflow. |
| libtiff | CVE-2006-3463 | Infinite loop. |
| libtiff | CVE-2006-3462 | Heap overflow. |
| libtiff | CVE-2006-3461 | Heap overflow. |
| libtiff | CVE-2006-3460 | Heap overflow. |
| libtiff | CVE-2006-2026 | Double free() vulnerability. |
| libtiff | CVE-2006-2025 | Integer overflow. |
| prozilla | CVE-2005-2961 | Stack buffer overflow. |
| gdb | CVE-2005-1704 | Integer overflow. |
| gdb | CVE-2005-1705 | Design Error. |
| ht | CVE-2005-1545 | Integer overflow. |
| libtiff | CVE-2005-1544 | Stack buffer overflow. |
| busybox | CVE-2006-1058 | Cryptographic weakness. |
| xli | CVE-2005-0638 | Shell injection vulnerability. |
| xv | SA-14977 | Multiple vulnerabilities. |
| imagemagick | CVE-2006-3743 | Stack buffer overflow. |
| monkey | CVE-2005-1122 | Format string vulnerability. |
| openssl | CVE-2006-3738 | Buffer overflow. |
| openssh | CVE-2006-4924 | Denial of service. |
| gzip | CVE-2006-4335 | Out-of-bounds stack modification. |
| junkbuster | CVE-2005-1109 | Heap corruption. |
| imagemagick | CVE-2005-0397 | Format string vulnerability. |
| xloadimage | CVE-2005-0638 | Shell injection vulnerability. |
| netbsd | CVE-2005-4741 | Design Error. |
| zlib | CVE-2005-2096 | Heap overflow. |
| mozilla | CVE-2005-0578 | Insecure file usage. |
| vmware | CVE-2005-0444 | Insecure DT_RPATH. |
| dillo | CVE-2005-0012 | Format string vulnerability. |
| libtiff | CVE-2006-3459 | Stack buffer overflow. |
| gnupg | CVE-2006-0049 | Design Error. |


The vulnerabilities I'm most proud of are probably my [attack http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html] against gpg signed messages, and my [zlib heap overflow http://www.kb.cert.org/vuls/id/680620] vulnerability.

Although it's not widely known I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the Sony [PSP http://en.wikipedia.org/wiki/Psp_homebrew] and the [Apple iPhone http://docs.info.apple.com/article.html?artnum=306993].

=== Reverse Engineering ===
---------------------------------------------------------------------------

I enjoy reverse engineering for security purposes and as a hobby. My main activities in reverse engineering involve either hostile binary analysis, or solving crackmes. Crackmes are small reverse engineering puzzles created by other hobbyists. The best repository of Linux crackmes available is at [crackmes.de http://crackmes.de]. You can find a list of my crackmes and solutions on my [user page http://www.crackmes.de/users/taviso].

==== crackmes ====

===== Solutions =====

Here is a list of some of my crackme solutions.

|| Title | Author | Link |
| package | crp- | __CRKURL/users/crp/package |
| collide | crp- | __CRKURL/users/crp/collide |
| 888 | crp- | __CRKURL/users/crp/888 |
| jandepora | eSn-mIn | __CRKURL/users/esn_min/jandepora |
| linux_cm_1 | veneta | __CRKURL/users/veneta/linux_crackme_v1 |

===== Crackmes =====

|| Title | Link |
| trace-p | __CRKURL/users/taviso/trace_p/ |

=== Interviews ===
---------------------------------------------------------------------------

Some of my security research has attracted the attention of the media; I've even been asked for interviews occasionally. There are links to some of these below.

- http://news.com.com/2100-1002_3-5778652.html
- http://news.com.com/2100-1002_3-6048612.html
- http://it.slashdot.org/article.pl?sid=05/07/10/0346218
- http://www.eweek.com/article2/0,1895,1834632,00.asp
- http://www.silicon.com/research/specialreports/opensource/0,3800004943,39157140,00.htm
- http://news.zdnet.co.uk/internet/security/0,39020375,39207991,00.htm
- http://it.slashdot.org/article.pl?sid=06/03/09/233227
- http://www.securityfocus.com/columnists/341
- http://www.heise-security.co.uk/news/82219

=== Research Papers ===
---------------------------------------------------------------------------

- [An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments virtsec.pdf]
- [Flayer: Exposing Application Internals http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry.pdf]
- [Insecure Context Switching: Inoculating regular expressions for survivability http://www.usenix.org/events/woot08/tech/full_papers/drewry/drewry.pdf]
- [Native Client: A Sandbox for Portable, Untrusted x86 Native Code http://nativeclient.googlecode.com/svn/trunk/nacl/googleclient/native_client/documentation/nacl_paper.pdf]
- [Making Software Dumber (presentation) making_software_dumber.pdf]

=== Recommended ===
---------------------------------------------------------------------------

- http://crackmes.de
- http://scary.beasts.org - Chris Evans' Advisories
- http://flickr.com/photos/meder - Awesome photography by Kyrgyz hacker Meder
- http://www.cr0.org - Julien Tinnes' site; he is convinced cr0 is the most interesting control register?!
- http://www.asirap.net/ - Parisa Tabriz's site; she evidently has elite graphic design skills as well as 1337 security skills.

=== Other ===
---------------------------------------------------------------------------

- [Same-site scripting http://seclists.org/bugtraq/2008/Jan/0270.html]
- [Linux ASLR vulnerabilities http://lwn.net/Articles/330866/] - Mentions an attack developed by Julien Tinnes and myself (now fixed).
- [Rare Files rarefiles.html]
- [Software software.html]

%!include: ''statistics.js''
%!include(xhtml): footer.t2t

% vim:tw=75