Twenty Year Anniversary
Showing 1 - 25 of 134 RSS Feed

Files from Tavis Ormandy

Email addresstaviso at google.com
First Active2006-10-09
Last Active2018-04-17
FromDocToPdf Browser History Disclosure
Posted Apr 17, 2018
Authored by Tavis Ormandy, Google Security Research

FromDocToPdf exposes browsing history to all websites.

tags | advisory
MD5 | a8432820a6f1a3e3079881f89fa100f9
Video Downloader Universal Cross Site Scripting
Posted Apr 6, 2018
Authored by Tavis Ormandy, Google Security Research

The Video Downloader Chrome extension suffers from a universal cross site scripting vulnerability.

tags | exploit, xss
MD5 | 7773a2a48a1659869a5f513b21355dfb
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
Transmission Torrent Parsing Integer Overflows
Posted Feb 26, 2018
Authored by Tavis Ormandy, Google Security Research

Torrent file parsing in libtransmission suffers from overflow vulnerabilities.

tags | exploit, overflow, vulnerability
MD5 | 04af27b8c3d0769c9ab52678f28df4a4
ABRT raceabrt Privilege Escalation
Posted Feb 15, 2018
Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

tags | exploit, arbitrary, local, root
systems | linux, redhat, fedora
advisories | CVE-2015-3315
MD5 | 3c4dcedecdad12c4db50bc8906bc04a4
glibc '$ORIGIN' Expansion Privilege Escalation
Posted Feb 10, 2018
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.

tags | exploit, arbitrary, root, code execution
systems | linux, fedora, centos
advisories | CVE-2010-3847
MD5 | e8b55dc3fe5f3080c962d9dabae028c4
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
Grammarly Auth Token Exposure
Posted Feb 6, 2018
Authored by Tavis Ormandy, Google Security Research

The Grammarly chrome extension (approximately ~20M users) exposes it's auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data.

tags | advisory
MD5 | f106da528a9f256ae05df2217aee22c3
Apport / ABRT chroot Privilege Escalation
Posted Feb 3, 2018
Authored by Tavis Ormandy, Brendan Coles, StA(c)phane Graber, Ricardo F. Teixeira | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.

tags | exploit, x86, kernel, root, code execution
systems | linux, fedora, ubuntu
advisories | CVE-2015-1318
MD5 | 1dc9fd5c90665c8934d2712e757240c3
Blizzard Agent RPC Auth DNS Rebinding
Posted Jan 23, 2018
Authored by Tavis Ormandy, Google Security Research

Blizzard's agent rpc authentication mechanism is vulnerable to DNS rebinding attacks.

tags | exploit
MD5 | b6789d74b5b3b1095d488a9c4d2dcf9d
Transmission RPC Session-ID Mechanism Design Flaw
Posted Jan 12, 2018
Authored by Tavis Ormandy, Google Security Research

The Transmission bittorrent client suffers from an RPC session-id mechanism design flaw.

tags | exploit
MD5 | e90bb59ff19cae369a362b93ce42c18d
Microsoft Windows Win32k DC Cache Corruption
Posted Jan 6, 2018
Authored by Tavis Ormandy, Google Security Research

A Microsoft Windows win32k vulnerability has been discovered where using SetClassLong to switch between CS_CLASSDC and CS_OWNDC corrupts DC cache.

tags | exploit
MD5 | 8113190717c63674dc3b7883ef21c7bd
Keeper Privileged UI Injection
Posted Dec 15, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft Windows 10 is forcibly installing the Keeper password manager which injects privileged UI's into pages.

tags | exploit
systems | windows
MD5 | cffd7bc598b1b7d4cd593b6b402424e4
Cisco WebEx GPC Sanitization Bypasses / Command Execution
Posted Jul 18, 2017
Authored by Tavis Ormandy, Google Security Research

Various GPC Sanitization bypasses exist in Cisco WebEx that can permit from arbitrary remote command execution.

tags | exploit, remote, arbitrary
systems | cisco
MD5 | d813975ef580e832e44c2ebb87aba929
Microsoft MsMpEng VFS API Heap Corruption
Posted Jun 24, 2017
Authored by Tavis Ormandy, Google Security Research

The Microsoft MsMpEng mpengine x86 emulator suffers from a heap corruption vulnerability in VFS API.

tags | exploit, x86
MD5 | ad6ec64ce4f80c869242f035e8688c22
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Microsoft MsMpEng Privilege Escalation
Posted May 25, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from multiple privilege escalation vulnerabilities.

tags | exploit, vulnerability
MD5 | ec65f4c78436e5fdf5b9539b39e25b94
Microsoft MsMpEng UIF Decoder Denial Of Service
Posted May 11, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from an issue where the UIF decoder will spin forever processing sparse blocks.

tags | exploit
MD5 | 825eed3bdbfc56aab392d700b9138c36
Windows MsMpEng Type Confusion
Posted May 8, 2017
Authored by Tavis Ormandy, Google Security Research

MPEngine MsMpEng in Microsoft Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more suffers from a remotely exploitable type confusion.

tags | exploit
systems | windows
MD5 | 07cc50f6e180f0a990ef6da181eca171
Nintendo 3DS DNS Client Resolver Predictable TXID
Posted Apr 13, 2017
Authored by Tavis Ormandy, Google Security Research

The Nintendo 3DS DNS client resolver library uses a predictable (incremented) TXID allowing for the spoofing of responses.

tags | exploit, spoof
MD5 | 1a36d85c0eeb7997eb6742ffbdb2d91c
LastPass Remote Code Execution
Posted Apr 10, 2017
Authored by Tavis Ormandy, Google Security Research

LastPass allows global properties to be modified across isolated worlds allowing for remote code execution.

tags | exploit, remote, code execution
MD5 | 50eb651f9e9bdc8f3916e6eac9c5558e
LastPass Domain Design Flaw
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

The LastPass domain regex does not handle data and other pseudo-url schemes.

tags | exploit
MD5 | 1fe1ae70f7001f2eb8fbec14b1f8b281
LastPass FireFox Content Script Loading
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

LastPass had an issue with websiteConnector.js content script allows proxying internal RPC commands. The fix appears to not work on FireFox.

tags | exploit
MD5 | abcd3f3e4f7ccd17975ddc4515a7bac7
LastPass websiteConnector.js RPC Command Proxy
Posted Mar 22, 2017
Authored by Tavis Ormandy, Google Security Research

websiteConnector.js content script in LastPass allows for proxying of internal RPC commands.

tags | exploit
MD5 | 50e598e932c325522ceaeac12c4c8f35
Cloudflare Memory Dumping Reverse Proxies
Posted Feb 24, 2017
Authored by Tavis Ormandy, Google Security Research

Cloudflare has reverse proxies that are dumping uninitialized memory.

tags | exploit
MD5 | d2004124226a0f5f28f259b38ffc3249
Page 1 of 6
Back12345Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    4 Files
  • 15
    Aug 15th
    23 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close