exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 167 RSS Feed

Files from Tavis Ormandy

Email addresstaviso at google.com
First Active2006-10-09
Last Active2022-12-06
Evernote Web Clipper Same-Origin Policy Bypass
Posted Dec 6, 2022
Authored by Tavis Ormandy, Google Security Research

Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.

tags | advisory, web, bypass
SHA-256 | edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589
123elf Project Buffer Overflow
Posted Sep 6, 2022
Authored by Tavis Ormandy

A stack buffer overflow was reported in the cell format processing routines for 123elf, a project that brings Lotus 1-2-3 to Linux. If a victim opens an untrusted malicious worksheet, code execution could occur.

tags | advisory, overflow, code execution
systems | linux
SHA-256 | 5476d681c79c06b3da58fefb626a51d12aa1fe3643baa4e0015d28e482653efb
Mutt mutt_decode_uuencoded() Memory Disclosure
Posted Jul 11, 2022
Authored by Tavis Ormandy, Google Security Research

In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys.

tags | exploit
advisories | CVE-2022-1328
SHA-256 | 1a0da9d9e3bf42ea5367e18954311a408e444a40a4960bbf41e240bbab050a63
OpenSSL 1.0.2 / 1.1.1 / 3.0 BN_mod_sqrt() Infinite Loop
Posted Jun 1, 2022
Authored by Tavis Ormandy, Google Security Research

The BN_mod_sqrt() function in OpenSSL versions 1.0.2, 1.1.1, and 3.0, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

tags | exploit, root
advisories | CVE-2022-0778
SHA-256 | b8c560eda5504347f10dd0a9166545d0f6d2637eb9ca4cc2944f2c46e26d7f2b
NSS Signature Validation Memory Corruption
Posted Dec 1, 2021
Authored by Tavis Ormandy, Google Security Research

NSS (Network Security Services), Mozilla project's cross-platform security library, suffers from a memory corruption flaw when validating ECDSA signatures.

tags | exploit
advisories | CVE-2021-43527
SHA-256 | a1b02e73db5dff5112196a0630115a92894c1a5c5871dfbfe6cb9a06a3c35921
MpEngine ASProtect Embedded Runtime DLL Memory Corruption
Posted Jul 8, 2021
Authored by Tavis Ormandy, Google Security Research

ASProtect embeds a runtime DLL that is susceptible to memory corruption. Crash testcase provided.

tags | exploit
advisories | CVE-2021-31985
SHA-256 | 0c3af34dac839cc3563beab4f1f82c631a6e7dd6c3f3f188065945c4051eb6f1
Fedora / Gnome fscaps Issue
Posted Jun 22, 2021
Authored by Tavis Ormandy, Google Security Research

Fedora with Gnome has an issue where it is not using fscaps safely.

tags | exploit
systems | linux, fedora
SHA-256 | 5fe12d617595a462d2a4fb41da183c392412f1d518d9ef97c94501d8e6a9f976
xscreensaver Raw Socket Leak
Posted Apr 19, 2021
Authored by Tavis Ormandy, Google Security Research

xscreensaver suffers from a raw socket leak vulnerability. Proof of concept exploit demonstrates running tcpdump via this issue.

tags | exploit, proof of concept
SHA-256 | a74cc45ea68b70f270c15c99358f40c1fcb59221f47186a18d8ffa318f810cf8
GPG libgcrypt Heap Buffer Overflow
Posted Feb 1, 2021
Authored by Tavis Ormandy, Google Security Research

There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data and no verification or signature is validated before the vulnerability occurs.

tags | exploit, overflow
SHA-256 | 116febb937a201a0c4eba25cc3b30fe506befd25359b35fcac75d7c488a642f1
Glibc Character Conversion Assertion
Posted Jan 29, 2021
Authored by Tavis Ormandy, Google Security Research

If an application uses iconv() with an attacker specified character set, there's an assertion in the gconv buffer management code that can be triggered, crashing the application. The crash only occurs with ISO-2022-JP-3 encoding.

tags | advisory
SHA-256 | c6a21c4fe097d825b800e707fc854c169f367c24e1653ab4813d566b22024d97
Avast Array.prototype.toString Out-Of-Bounds Copy
Posted Jun 1, 2020
Authored by Tavis Ormandy, Google Security Research

Avast suffers from an out-of-bounds copy vulnerability in Array.prototype.toString.

tags | exploit
SHA-256 | f4c86758a5b59c76013f851557aec88b7d5f007b50dc4f53d8f8f4cc173c71b3
SecureCRT Memory Corruption
Posted May 15, 2020
Authored by Tavis Ormandy, Google Security Research

SecureCRT suffers from a memory corruption vulnerability in CSI functions.

tags | exploit
advisories | CVE-2020-12651
SHA-256 | e059a439c55289e0f1a5019136f7bbd0d69fc1efd9b8d3c24ced68d1c3f9d004
systemd-machined Incorrect Reference Decrement
Posted Feb 7, 2020
Authored by Tavis Ormandy, Google Security Research

systemd has an issue in systemd-machined where it decrements the reference count when references are still held.

tags | exploit
SHA-256 | 61c6cbf275014763c6c3968d740672023ca6b09cb865c03cf57eb22ce22304c9
Grub2 grub2-set-bootflag Environment Corruption
Posted Nov 27, 2019
Authored by Tavis Ormandy, Google Security Research

Grub2 has grub2-set-bootflag setuid in the new Fedora release and has the ability to corrupt the environment.

tags | exploit
systems | linux, fedora
SHA-256 | 8b02b403cb65d197b55d479f14ebd82a934af9eca331f69bc357e66acc8a31b2
Visual Studio Code Remote Debugger Enabled
Posted Oct 11, 2019
Authored by Tavis Ormandy, Google Security Research

Visual Studio Code enables its remote debugger by default when installed.

tags | exploit, remote
SHA-256 | 6d9478dfbda57a569b646654397e12976adc4715dd2149ef3b1735181e045a80
LastPass Credential Leak From Previous Site
Posted Sep 16, 2019
Authored by Tavis Ormandy, Google Security Research

LastPass suffers from an issue where bypassing do_popupregister() leaks credentials from the previous site.

tags | exploit
SHA-256 | e91aef0b7b7de488bc6fb1b7167218cb57d0484b98f8e1376f39b3cadbd7f574
msctf Text Services Framework Design Flaws
Posted Aug 13, 2019
Authored by Tavis Ormandy, Google Security Research

msctf in the Text Services Framework suffers from multiple design flaws that can lead to things like UIPI bypass and interfering with processes.

tags | exploit
SHA-256 | 0e5628d9aca7d795d63bbbab493631e98a1f4027dfdef9907adbf02de03caa93
SymCrypt Infinite Loop
Posted Jun 12, 2019
Authored by Tavis Ormandy, Google Security Research

There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.

tags | exploit
SHA-256 | 77ebee2e76c83cac1e5410a53acbe10f9b0064d421f6789060e5502ae995009e
SystemTap 1.3 MODPROBE_OPTIONS Privilege Escalation
Posted Apr 19, 2019
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the MODPROBE_OPTIONS environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).

tags | exploit, arbitrary, root
systems | linux, fedora
advisories | CVE-2010-4170
SHA-256 | 57d955347310170d1a380dba46ef41462b10f297e733fec17201a3831094af3b
GnuTLS verify_crt() Use-After-Free
Posted Mar 27, 2019
Authored by Tavis Ormandy, Google Security Research

This is a critical memory corruption vulnerability in any API backed by verify_crt(), including gnutls_x509_trust_list_verify_crt() and related routines in GnuTLS.

tags | exploit
SHA-256 | 533f01efe3a32a400eae85ee0cf901c9f9719f4ada7f40836cc2938e024c4866
NSS Netscape Certificate Sequences CERT_DecodeCertPackage() Crash
Posted Mar 21, 2019
Authored by Tavis Ormandy, Google Security Research

NSS suffers from a NULL dereference issue when parsing Netscape Certificate Sequences in CERT_DecodeCertPackage().

tags | exploit
SHA-256 | d7adf827b738a3a567689a46c8203967c3089100a538ccf2c1e1cb2e8236ad6c
MatrixSSL x.509 Certificate Verification Stack Buffer Overflow
Posted Feb 21, 2019
Authored by Tavis Ormandy, Google Security Research

MatrixSSL suffers from a stack buffer overflow vulnerability when verifying x.509 certificates.

tags | exploit, overflow
SHA-256 | 0ccbebf140226df810122f520adfba7097e335f9c1626f1162be12918d0909ff
Ghostscript Pseudo-Operator Remote Code Execution
Posted Jan 23, 2019
Authored by Tavis Ormandy, Google Security Research

Ghostscript has an issue with pseudo-operators that can lead to remote code execution. Version 9.26 is affected.

tags | exploit, remote, code execution
advisories | CVE-2019-6116
SHA-256 | 6f82dc2c71113403be2f8d208d1801454419d4178873a71ecf3e7231bb75fa9f
Razer Cortex Debugger Remote Command Execution
Posted Dec 17, 2018
Authored by Tavis Ormandy, Google Security Research

Razer Cortex has a CEF debugger stub enabled by default allowing arbitrary remote command execution.

tags | exploit, remote, arbitrary
SHA-256 | 267df7e61beec1f5f2d6d9774c5c877f1ddc00f3a30e520e9d2137cd66e5c7fb
Logitech Options Craft WebSocket Server Missing Authentication
Posted Dec 12, 2018
Authored by Tavis Ormandy, Google Security Research

The Logitech "Options" craft websocket server has no authentication.

tags | advisory
SHA-256 | 7c7de89f583ea659585f3e8dd4650ee29fa605c5b894ccd2a63a5c8f78b1c7da
Page 1 of 7
Back12345Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close