
Files from Tavis Ormandy

Email address: taviso at google.com
First Active: 2006-10-09
Last Active: 2017-12-15
Keeper Privileged UI Injection
Posted Dec 15, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft Windows 10 forcibly installs the Keeper password manager, which injects privileged UI into web pages.

tags | exploit
systems | windows
MD5 | cffd7bc598b1b7d4cd593b6b402424e4
Cisco WebEx GPC Sanitization Bypasses / Command Execution
Posted Jul 18, 2017
Authored by Tavis Ormandy, Google Security Research

Various GPC sanitization bypasses exist in Cisco WebEx that can permit arbitrary remote command execution.

tags | exploit, remote, arbitrary
systems | cisco
MD5 | d813975ef580e832e44c2ebb87aba929
Microsoft MsMpEng VFS API Heap Corruption
Posted Jun 24, 2017
Authored by Tavis Ormandy, Google Security Research

The Microsoft MsMpEng mpengine x86 emulator suffers from a heap corruption vulnerability in VFS API.

tags | exploit, x86
MD5 | ad6ec64ce4f80c869242f035e8688c22
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. It requires valid credentials, a writable folder in an accessible share, and knowledge of the server-side path of that folder. In some cases, anonymous access combined with common filesystem locations can be used to exploit this vulnerability automatically.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Microsoft MsMpEng Privilege Escalation
Posted May 25, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from multiple privilege escalation vulnerabilities.

tags | exploit, vulnerability
MD5 | ec65f4c78436e5fdf5b9539b39e25b94
Microsoft MsMpEng UIF Decoder Denial Of Service
Posted May 11, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from an issue where the UIF decoder will spin forever processing sparse blocks.

tags | exploit
MD5 | 825eed3bdbfc56aab392d700b9138c36
Windows MsMpEng Type Confusion
Posted May 8, 2017
Authored by Tavis Ormandy, Google Security Research

The MsMpEng malware protection engine (mpengine) in Microsoft Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more suffers from a remotely exploitable type confusion.

tags | exploit
systems | windows
MD5 | 07cc50f6e180f0a990ef6da181eca171
Nintendo 3DS DNS Client Resolver Predictable TXID
Posted Apr 13, 2017
Authored by Tavis Ormandy, Google Security Research

The Nintendo 3DS DNS client resolver library uses a predictable (incremented) TXID allowing for the spoofing of responses.

tags | exploit, spoof
MD5 | 1a36d85c0eeb7997eb6742ffbdb2d91c
LastPass Remote Code Execution
Posted Apr 10, 2017
Authored by Tavis Ormandy, Google Security Research

LastPass allows global properties to be modified across isolated worlds allowing for remote code execution.

tags | exploit, remote, code execution
MD5 | 50eb651f9e9bdc8f3916e6eac9c5558e
LastPass Domain Design Flaw
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

The LastPass domain regex does not handle data and other pseudo-url schemes.

tags | exploit
MD5 | 1fe1ae70f7001f2eb8fbec14b1f8b281
LastPass FireFox Content Script Loading
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

The LastPass websiteConnector.js content script allowed proxying of internal RPC commands. The fix appears not to work on Firefox.

tags | exploit
MD5 | abcd3f3e4f7ccd17975ddc4515a7bac7
LastPass websiteConnector.js RPC Command Proxy
Posted Mar 22, 2017
Authored by Tavis Ormandy, Google Security Research

websiteConnector.js content script in LastPass allows for proxying of internal RPC commands.

tags | exploit
MD5 | 50e598e932c325522ceaeac12c4c8f35
Cloudflare Memory Dumping Reverse Proxies
Posted Feb 24, 2017
Authored by Tavis Ormandy, Google Security Research

Cloudflare has reverse proxies that are dumping uninitialized memory.

tags | exploit
MD5 | d2004124226a0f5f28f259b38ffc3249
Cisco WebEx Chrome Extension Remote Command Execution
Posted Feb 1, 2017
Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module exploits a vulnerability present in the Cisco WebEx Chrome Extension version 1.0.1 which allows an attacker to execute arbitrary commands on a system.

tags | exploit, arbitrary
systems | cisco
advisories | CVE-2017-3823
MD5 | ced9b1d7861a4400eae194631236378e
Cisco WebEx 1.0.5 Command Execution
Posted Jan 26, 2017
Authored by Tavis Ormandy, Google Security Research

Cisco WebEx version 1.0.5 suffers from a new arbitrary command execution vulnerability via a module whitelist bypass.

tags | exploit, arbitrary
systems | cisco
MD5 | 8933612c9e940d293efd165554d1e413
Cisco Magic WebEx URL Remote Command Execution
Posted Jan 24, 2017
Authored by Tavis Ormandy, Google Security Research

Cisco's WebEx extension has a URL that allows for arbitrary remote command execution.

tags | exploit, remote, arbitrary
systems | cisco
MD5 | 6d8494bf209f0415ffc09615875ad72e
Kaspersky SSL Interception Differentiation
Posted Jan 3, 2017
Authored by Tavis Ormandy, Google Security Research

In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. It effectively proxies SSL connections, inserting its own certificate as a trusted authority in the system store and then replacing all leaf certificates on-the-fly. This is why, if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be "Kaspersky Anti-Virus Personal Root". Kaspersky's certificate interception has previously resulted in serious vulnerabilities, but a quick review finds that many simple problems still exist. For example, the way leaf certificates are cached uses an extremely naive fingerprinting technique. Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. To do this, Kaspersky fetches the certificate chain and then checks whether it has already generated a matching leaf certificate in the cache. If it has, it grabs the existing certificate and private key and reuses them for the new connection. The cache is a binary tree, and as new leaf certificates and keys are generated they are inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, the previously generated certificate and key are pulled out of the binary tree and used to relay data to the user agent. You don't have to be a cryptographer to understand that a 32-bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial.

tags | exploit, web, root, vulnerability, virus
MD5 | 2546662d9e3ac6122c369f4d26198f24
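To show what a 32-bit cache key buys an attacker, here is an added example (not Kaspersky's code and not the advisory's proof of concept) that models the leaf cache keyed on the first 32 bits of MD5(serialNumber||issuer), finds a pair of distinct serial numbers with the same key by a birthday search, and shows the cache handing back the leaf generated for one subject when the other is looked up. The issuer string, the serial numbers and the byte layout of the concatenation are constructed assumptions; only the key width matters for the argument.

```python
import hashlib
from typing import Dict, Optional, Tuple

KEY_BITS = 32  # width of the cache key the advisory describes


def cache_key(serial: bytes, issuer: bytes, bits: int = KEY_BITS) -> int:
    """Return the first `bits` bits of MD5(serialNumber || issuer) as an integer.

    bits=128 returns the whole digest, which shows that a truncated-key
    collision is not a full MD5 collision.
    """
    digest = hashlib.md5(serial + issuer).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


class LeafCache:
    """Toy model of the proxy's in-memory cache of generated leaf certificates.

    Entries are keyed exactly as the advisory describes. The stored value is just
    the subject name of the generated leaf, so reuse on a key match is visible.
    """

    def __init__(self, bits: int = KEY_BITS) -> None:
        self.bits = bits
        self.entries: Dict[int, str] = {}

    def get_or_generate(self, serial: bytes, issuer: bytes, subject: str) -> str:
        key = cache_key(serial, issuer, self.bits)
        if key not in self.entries:
            self.entries[key] = subject      # cache miss: "generate" a leaf for this subject
        return self.entries[key]             # cache hit: reuse the stored leaf, no further check


def birthday_collision(issuer: bytes, bits: int = KEY_BITS,
                       max_tries: int = 1 << 24) -> Optional[Tuple[bytes, bytes]]:
    """Find two distinct serials whose keys collide; expected cost ~2^(bits/2) hashes."""
    seen: Dict[int, bytes] = {}
    for i in range(max_tries):
        serial = i.to_bytes(8, "big")        # constructed, attacker-chosen serial numbers
        key = cache_key(serial, issuer, bits)
        if key in seen:
            return seen[key], serial
        seen[key] = serial
    return None


def second_preimage(target_key: int, issuer: bytes, bits: int = KEY_BITS,
                    max_tries: int = 1 << 22) -> Optional[bytes]:
    """Find a serial matching one specific existing key; expected cost 2^bits hashes.

    At 32 bits that is about 4e9 MD5 computations: well within reach of native
    code, but slow in Python, so callers demonstrating it should reduce `bits`.
    """
    for i in range(max_tries):
        serial = b"\x7f" + i.to_bytes(8, "big")  # prefix keeps these distinct from the counter serials
        if cache_key(serial, issuer, bits) == target_key:
            return serial
    return None


def demo() -> Tuple[bytes, bytes, str, str]:
    """Cache the victim's leaf first; a colliding serial then gets the victim's leaf back."""
    issuer = b"CN=Example Root CA"            # constructed issuer DN, shared by both certificates
    pair = birthday_collision(issuer)
    assert pair is not None
    victim_serial, attacker_serial = pair
    cache = LeafCache()
    victim_leaf = cache.get_or_generate(victim_serial, issuer, "victim.example")
    served_leaf = cache.get_or_generate(attacker_serial, issuer, "attacker.example")
    return victim_serial, attacker_serial, victim_leaf, served_leaf


if __name__ == "__main__":
    vs, as_, vl, sl = demo()
    print(f"colliding serials: {vs.hex()} {as_.hex()}")
    print(f"leaf generated for {vl!r} was served for {sl!r}")  # both 'victim.example'
```

The birthday search needs on the order of 2^16 hashes at 32 bits, which finishes in a fraction of a second even in Python; matching the key of one specific cached certificate is a second-preimage search costing about 2^32 hashes, which is why `second_preimage` is meant to be run at a reduced width here. Widening the key to the full digest, or keying on the whole chain rather than a truncated hash of two fields, removes the collision entirely.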
Kaspersky Local CA Root Protected Incorrectly
Posted Jan 3, 2017
Authored by Tavis Ormandy, Google Security Research

Kaspersky fails to adequately protect its local CA root.

tags | advisory, local, root
MD5 | 2f3e65e92f2365a4a0e084696bd1c4c7
Palo Alto Networks PanOS root_reboot Privilege Escalation
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a root_reboot local privilege escalation vulnerability.

tags | exploit, local
MD5 | 66f01acd7fbf9a516869b366dd638a97
Palo Alto Networks PanOS root_trace Privilege Escalation
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a root_trace local privilege escalation vulnerability.

tags | exploit, local
MD5 | e47b997a2a0d04e529b3f7893ed7bc57
Palo Alto Networks PanOS Buffer Overflow
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a stack buffer overflow in the appweb3 embedded webserver.

tags | advisory, overflow
MD5 | 664bd66ebc38fa83fec6cef539b711ad
1Password Process Authentication Breaks Local Security
Posted Nov 14, 2016
Authored by Tavis Ormandy, Google Security Research

There are a number of problems with the security model of 1Password that result in the local security model being disabled, along with a number of security, sandboxing and virtualization features.

tags | exploit, local
MD5 | 6d8738225de2b40d28c7ce7d16e94d95
Ghostscript -dSAFER Not Working
Posted Oct 2, 2016
Authored by Tavis Ormandy, Google Security Research

The Ghostscript -dSAFER parameter that is used when handling untrusted documents appears broken on multiple distributions. This could result in arbitrary file disclosure on systems that process PDF or PS files, use ImageMagick or GraphicsMagick, etc.

tags | exploit, arbitrary
MD5 | 90b620e820ea623c87fbe30ee96b9162
Symantec Outdated RAR Decomposer
Posted Sep 21, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec Antivirus includes RAR unpacking memory corruption issues that can lead to remote code execution.

tags | exploit, remote, code execution
MD5 | 862639ce99ef36267802bfc993938c09
Dashlane doOnboardingSiteStep API Cross Site Scripting
Posted Sep 8, 2016
Authored by Tavis Ormandy, Google Security Research

Dashlane suffers from a cross site scripting vulnerability in the doOnboardingSiteStep API.

tags | exploit, xss
MD5 | 2ed024b727570d7e517255e81b95ccf2
packet storm

© 2016 Packet Storm. All rights reserved.