Twenty Year Anniversary
Showing 1 - 25 of 141 RSS Feed

Files from Tavis Ormandy

Email addresstaviso at google.com
First Active2006-10-09
Last Active2018-10-18
Ghostscript 1Policy Dangerous Access To Operator
Posted Oct 18, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript has an issues where callers of a procedure are not forced to be properly marked as executeonly or pseudo-operators, allowing for the ability to take complete control of it.

tags | advisory
advisories | CVE-2018-18284
MD5 | f6013aa13df201f50c343927fca57dcd
Ghostscript .loadfontloop Exposed System Operators
Posted Oct 15, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript suffers from an issue where .loadfontloop exposes system operators in the saved execution stack.

tags | advisory
MD5 | 8ee6daa56e7b3cbcf912ca5433934a03
Ghostscript executeonly Bypass
Posted Oct 11, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript suffers from an executeonly bypass with errorhandler setup.

tags | exploit
advisories | CVE-2018-17961
MD5 | de8be7c4957ab4b3c8a37259c65b3c84
gsview -dSAFER Not Used
Posted Oct 11, 2018
Authored by Tavis Ormandy, Google Security Research

gsview does not run -dSAFER, allowing for the execution of arbitrary code.

tags | advisory, arbitrary
MD5 | bc269c0811f9b687fc29e4ed1a486a78
Ghostscript Exposed System Operators
Posted Oct 11, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript has an issue where an error object can expose system operators in the saved execution stack.

tags | advisory
advisories | CVE-2018-18073
MD5 | f076ce456ca16868992ed63958eaa396
Ghostscript Failed Restore Command Execution
Posted Sep 6, 2018
Authored by Tavis Ormandy, wvu | Site metasploit.com

This Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.

tags | exploit, arbitrary
advisories | CVE-2018-16509
MD5 | e1336336af62bb506d362910f0cca41f
Ghostscript Command Execution / File Disclosure / Memory Corruption
Posted Aug 23, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.

tags | exploit, shell
MD5 | 1bbaaab44336f199ff5bab7ea5351935
FromDocToPdf Browser History Disclosure
Posted Apr 17, 2018
Authored by Tavis Ormandy, Google Security Research

FromDocToPdf exposes browsing history to all websites.

tags | advisory
MD5 | a8432820a6f1a3e3079881f89fa100f9
Video Downloader Universal Cross Site Scripting
Posted Apr 6, 2018
Authored by Tavis Ormandy, Google Security Research

The Video Downloader Chrome extension suffers from a universal cross site scripting vulnerability.

tags | exploit, xss
MD5 | 7773a2a48a1659869a5f513b21355dfb
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
Transmission Torrent Parsing Integer Overflows
Posted Feb 26, 2018
Authored by Tavis Ormandy, Google Security Research

Torrent file parsing in libtransmission suffers from overflow vulnerabilities.

tags | exploit, overflow, vulnerability
MD5 | 04af27b8c3d0769c9ab52678f28df4a4
ABRT raceabrt Privilege Escalation
Posted Feb 15, 2018
Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

tags | exploit, arbitrary, local, root
systems | linux, redhat, fedora
advisories | CVE-2015-3315
MD5 | 3c4dcedecdad12c4db50bc8906bc04a4
glibc '$ORIGIN' Expansion Privilege Escalation
Posted Feb 10, 2018
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.

tags | exploit, arbitrary, root, code execution
systems | linux, fedora, centos
advisories | CVE-2010-3847
MD5 | e8b55dc3fe5f3080c962d9dabae028c4
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
Grammarly Auth Token Exposure
Posted Feb 6, 2018
Authored by Tavis Ormandy, Google Security Research

The Grammarly chrome extension (approximately ~20M users) exposes it's auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data.

tags | advisory
MD5 | f106da528a9f256ae05df2217aee22c3
Apport / ABRT chroot Privilege Escalation
Posted Feb 3, 2018
Authored by Tavis Ormandy, Brendan Coles, StA(c)phane Graber, Ricardo F. Teixeira | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.

tags | exploit, x86, kernel, root, code execution
systems | linux, fedora, ubuntu
advisories | CVE-2015-1318
MD5 | 1dc9fd5c90665c8934d2712e757240c3
Blizzard Agent RPC Auth DNS Rebinding
Posted Jan 23, 2018
Authored by Tavis Ormandy, Google Security Research

Blizzard's agent rpc authentication mechanism is vulnerable to DNS rebinding attacks.

tags | exploit
MD5 | b6789d74b5b3b1095d488a9c4d2dcf9d
Transmission RPC Session-ID Mechanism Design Flaw
Posted Jan 12, 2018
Authored by Tavis Ormandy, Google Security Research

The Transmission bittorrent client suffers from an RPC session-id mechanism design flaw.

tags | exploit
MD5 | e90bb59ff19cae369a362b93ce42c18d
Microsoft Windows Win32k DC Cache Corruption
Posted Jan 6, 2018
Authored by Tavis Ormandy, Google Security Research

A Microsoft Windows win32k vulnerability has been discovered where using SetClassLong to switch between CS_CLASSDC and CS_OWNDC corrupts DC cache.

tags | exploit
MD5 | 8113190717c63674dc3b7883ef21c7bd
Keeper Privileged UI Injection
Posted Dec 15, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft Windows 10 is forcibly installing the Keeper password manager which injects privileged UI's into pages.

tags | exploit
systems | windows
MD5 | cffd7bc598b1b7d4cd593b6b402424e4
Cisco WebEx GPC Sanitization Bypasses / Command Execution
Posted Jul 18, 2017
Authored by Tavis Ormandy, Google Security Research

Various GPC Sanitization bypasses exist in Cisco WebEx that can permit from arbitrary remote command execution.

tags | exploit, remote, arbitrary
systems | cisco
MD5 | d813975ef580e832e44c2ebb87aba929
Microsoft MsMpEng VFS API Heap Corruption
Posted Jun 24, 2017
Authored by Tavis Ormandy, Google Security Research

The Microsoft MsMpEng mpengine x86 emulator suffers from a heap corruption vulnerability in VFS API.

tags | exploit, x86
MD5 | ad6ec64ce4f80c869242f035e8688c22
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Microsoft MsMpEng Privilege Escalation
Posted May 25, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from multiple privilege escalation vulnerabilities.

tags | exploit, vulnerability
MD5 | ec65f4c78436e5fdf5b9539b39e25b94
Microsoft MsMpEng UIF Decoder Denial Of Service
Posted May 11, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from an issue where the UIF decoder will spin forever processing sparse blocks.

tags | exploit
MD5 | 825eed3bdbfc56aab392d700b9138c36
Page 1 of 6
Back12345Next

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close