Showing 51 - 75 of 167

Files from Tavis Ormandy

Email address: taviso at google.com
First Active: 2006-10-09
Last Active: 2022-12-06

Microsoft MsMpEng UIF Decoder Denial Of Service
Posted May 11, 2017
Authored by Tavis Ormandy, Google Security Research

Microsoft MsMpEng suffers from an issue where the UIF decoder will spin forever processing sparse blocks.

tags | exploit
SHA-256 | 6836f45a69f6f071caf05f74b515b151a7337c71a449b6d44cc02c812c149f3e
Windows MsMpEng Type Confusion
Posted May 8, 2017
Authored by Tavis Ormandy, Google Security Research

MPEngine MsMpEng in Microsoft Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more suffers from a remotely exploitable type confusion.

tags | exploit
systems | windows
SHA-256 | 71f1e4c261be22330753db2dd368004f0b32b16209242b09131afbc4d41684fb
Nintendo 3DS DNS Client Resolver Predictable TXID
Posted Apr 13, 2017
Authored by Tavis Ormandy, Google Security Research

The Nintendo 3DS DNS client resolver library uses a predictable (incremented) TXID, allowing for the spoofing of responses.

tags | exploit, spoof
SHA-256 | f5c21a78f99b5f6cde7c75e94a484f05c6eb123b704e14150dcd8700cbaa9823
LastPass Remote Code Execution
Posted Apr 10, 2017
Authored by Tavis Ormandy, Google Security Research

LastPass allows global properties to be modified across isolated worlds, allowing for remote code execution.

tags | exploit, remote, code execution
SHA-256 | 9ed079fcb0d244aa6283137999747a3a863596c417d774f11999caccfd2cde18
LastPass Domain Design Flaw
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

The LastPass domain regex does not handle data and other pseudo-url schemes.

tags | exploit
SHA-256 | c0a8fe296712f524a32da5c517945525e5ab13ee7092ff234e231f8b07fc44f8
LastPass FireFox Content Script Loading
Posted Mar 23, 2017
Authored by Tavis Ormandy, Google Security Research

LastPass had an issue where the websiteConnector.js content script allows proxying internal RPC commands. The fix appears to not work on FireFox.

tags | exploit
SHA-256 | 27d63cb0f60259717435f5611911b967a0c0559c6c2c10dfabac06098d0685e1
LastPass websiteConnector.js RPC Command Proxy
Posted Mar 22, 2017
Authored by Tavis Ormandy, Google Security Research

websiteConnector.js content script in LastPass allows for proxying of internal RPC commands.

tags | exploit
SHA-256 | c01b74d3513ae36c123c2c3bd27e5429944df7d35416e37f930ce4fb1b95e591
Cloudflare Memory Dumping Reverse Proxies
Posted Feb 24, 2017
Authored by Tavis Ormandy, Google Security Research

Cloudflare has reverse proxies that are dumping uninitialized memory.

tags | exploit
SHA-256 | 66511f241de1d3b330ddbb6ca920b62835261e611a2fa6e9a5e1f26923a423df
Cisco WebEx Chrome Extension Remote Command Execution
Posted Feb 1, 2017
Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module exploits a vulnerability present in the Cisco WebEx Chrome Extension version 1.0.1 which allows an attacker to execute arbitrary commands on a system.

tags | exploit, arbitrary
systems | cisco
advisories | CVE-2017-3823
SHA-256 | 6c42287dc4186a67ead4ee41cfd7c7d1bcf0bc8d846ea957b70ad1e16c11f4df
Cisco WebEx 1.0.5 Command Execution
Posted Jan 26, 2017
Authored by Tavis Ormandy, Google Security Research

Cisco WebEx version 1.0.5 suffers from a new arbitrary command execution vulnerability via a module whitelist bypass.

tags | exploit, arbitrary
systems | cisco
SHA-256 | cca3ecf12e0dac1eb99404188e20bcca27a53567815273560c040946b9001609
Cisco Magic WebEx URL Remote Command Execution
Posted Jan 24, 2017
Authored by Tavis Ormandy, Google Security Research

Cisco's WebEx extension has a URL that allows for arbitrary remote command execution.

tags | exploit, remote, arbitrary
systems | cisco
SHA-256 | 38e70d300153f0f056a7136a948b0b4e1125d12a487e0e736084b746311e4b8a
Kaspersky SSL Interception Differentiation
Posted Jan 3, 2017
Authored by Tavis Ormandy, Google Security Research

In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replacing all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be "Kaspersky Anti-Virus Personal Root". Kaspersky's certificate interception has previously resulted in serious vulnerabilities, but a quick review finds many simple problems still exist. For example, the way leaf certificates are cached uses an extremely naive fingerprinting technique. Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it's already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection. The cache is a binary tree, and as new leaf certificates and keys are generated, they're inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user agent. You don't have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial.

tags | exploit, web, root, vulnerability, virus
SHA-256 | 62a363de88e0143fb1b6e4fbc89e03980ce4d3bb71f50510388690356f2ef1c2
Kaspersky Local CA Root Protected Incorrectly
Posted Jan 3, 2017
Authored by Tavis Ormandy, Google Security Research

Kaspersky fails to adequately protect its local CA root.

tags | advisory, local, root
SHA-256 | e616d063bcea88d45ea4488a02eadbbf74b14cc52e5b5963dad38248c18bd1aa
Palo Alto Networks PanOS root_reboot Privilege Escalation
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a root_reboot local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | 77b90d6716d58a4f8b814a7d51d68c8130edeff0b31b29a1ae4d36ee5932035c
Palo Alto Networks PanOS root_trace Privilege Escalation
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a root_trace local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | fa9287845339b7532fe00af817e6a9f334b941965b54b7b6772bb41d07ad920d
Palo Alto Networks PanOS Buffer Overflow
Posted Nov 19, 2016
Authored by Tavis Ormandy, Google Security Research

Palo Alto Networks PanOS suffers from a stack buffer overflow in the appweb3 embedded webserver.

tags | advisory, overflow
SHA-256 | 46316d54fe0b1eaeb6e793d9de3a88060515fc612e68480aff0ecc2569c52c70
1Password Process Authentication Breaks Local Security
Posted Nov 14, 2016
Authored by Tavis Ormandy, Google Security Research

There are a number of problems with the security model of 1Password that result in the local security model being disabled, as well as a number of security, sandboxing and virtualization features.

tags | exploit, local
SHA-256 | 8489830ab99717565de0b95fb8a62e1d6228d87f421b300b6a51b34ddfeba76b
Ghostscript -dSAFER Not Working
Posted Oct 2, 2016
Authored by Tavis Ormandy, Google Security Research

The Ghostscript -dSAFER parameter that is used when handling untrusted documents appears broken on multiple distributions. This could result in arbitrary file disclosure on systems that process PDF, PS, use ImageMagick or GraphicsMagick, etc.

tags | exploit, arbitrary
SHA-256 | dc280411e56c7501d5d20a65fe970344a58ad204857dc30600a3ba1be43070e4
Symantec Outdated RAR Decomposer
Posted Sep 21, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec Antivirus includes RAR unpacking memory corruption issues that can lead to remote code execution.

tags | exploit, remote, code execution
SHA-256 | 9f57b2a3b52264e8df535a836560985566bdee33f433a00744602c523418b41f
Dashlane doOnboardingSiteStep API Cross Site Scripting
Posted Sep 8, 2016
Authored by Tavis Ormandy, Google Security Research

Dashlane suffers from a cross site scripting vulnerability in the doOnboardingSiteStep API.

tags | exploit, xss
SHA-256 | 8ae21cea6fb92d7febc9458b8ecef807dba56c0929a989b446a126174608f426
Keeper UI Injection
Posted Aug 28, 2016
Authored by Tavis Ormandy, Google Security Research

Keeper suffers from an issue where a trusted UI is injected into an untrusted webpage.

tags | exploit
SHA-256 | bc5f2d8563853d8fb0eb9f4dfe423eef486e80138fb54b3a704e0a4fe79e486d
LastPass 4.1.20a Communication Design Flaw
Posted Jul 28, 2016
Authored by Tavis Ormandy, Google Security Research

LastPass version 4.1.20a on Windows suffers from some issues where the add-on works by injecting elements and event handlers into the page. The attached proof of concept will delete a given file.

tags | exploit, proof of concept
systems | windows
SHA-256 | 251e29ebd27cfc49ad197f0294b26341778ad40b289cfd17cf8122679ada2ce7
Symantec PowerPoint Misaligned Stream-Cache Buffer Overflow
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec suffers from a PowerPoint misaligned stream-cache remote stack buffer overflow vulnerability.

tags | exploit, remote, overflow
systems | linux
advisories | CVE-2016-2209
SHA-256 | 052761903f16d88db4affd9da98d81a78c52c8c900fd66dad4540b019026eb1e
Symantec dec2zip ALPkOldFormatDecompressor::UnShrink Missing Bounds Check
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec suffers from a missing bounds check in dec2zip ALPkOldFormatDecompressor::UnShrink.

tags | exploit
systems | linux
advisories | CVE-2016-3646
SHA-256 | 34b4ac0ff008d01486602041869fd3b2080584c09bba6351c3c21ccd2dc47d09
Symantec TNEF Decoder Integer Overflow
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec suffers from an integer overflow in the TNEF decoder.

tags | exploit, overflow
systems | linux
advisories | CVE-2016-3645
SHA-256 | ade0be4c94efeb64e7d34ea7456d064b5cda1c9f3ea14dd9429dca9736285693
Page 3 of 7