Showing 76 - 100 of 167

Files from Tavis Ormandy

Email address: taviso at google.com
First Active: 2006-10-09
Last Active: 2022-12-06

Symantec MIME Message Modification Heap Overflow
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters. This assumption is obviously incorrect: names can be any length, resulting in a very clean heap overflow.

tags | exploit, overflow
systems | linux
advisories | CVE-2016-3644
SHA-256 | 4ee204b77a45094748b81a74a8091d2a517ab376bd6d2bf0dafe5788af13c366
Symantec Antivirus MSPACK Unpacking Memory Corruption
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec Antivirus suffers from multiple remote memory corruption issues when unpacking MSPACK archives.

tags | exploit, remote
systems | linux
advisories | CVE-2016-2211
SHA-256 | e9d8e37d67b1b78a70b6ba1087bb9ad488f89ea7270258280a0c162de1eee2f1
Symantec dec2lha Remote Stack Buffer Overflow
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

The Symantec dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.

tags | exploit, overflow
systems | linux
advisories | CVE-2016-2210
SHA-256 | 7a45122b3424d74bb5da649ff1caa2ecb47dc7b5c6a0d4f9cfd4d9d854735409
Symantec Antivirus RAR Unpacking Memory Corruption
Posted Jun 29, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec Antivirus version 5.3.11 suffers from multiple remote memory corruption vulnerabilities when unpacking RAR files.

tags | exploit, remote, vulnerability
systems | linux
advisories | CVE-2016-2207
SHA-256 | 9e44f967c750c035ba888192a2e531afb42978c1fb75803ba25499dfcaae8bc4
Symantec / Norton Antivirus Memory Corruption
Posted May 17, 2016
Authored by Tavis Ormandy, Google Security Research

Symantec / Norton Antivirus suffers from a remote ring0 memory corruption vulnerability.

tags | exploit, remote
systems | windows
SHA-256 | 21cdf1867131c9fd3d343f392430fc0eb800cce0626266748dac5dd7851a01d4
TrendMicro CoreServiceShell.exe HTTP Problems
Posted May 13, 2016
Authored by Tavis Ormandy, Google Security Research

TrendMicro suffers from multiple HTTP problems in CoreServiceShell.exe.

tags | advisory, web
systems | linux
SHA-256 | 66cb00c146f952cc997388b5ddb1c0039e197d650c1e6a388b719ebecf1ec16f
McAfee Relocation Processing Memory Corruption
Posted May 3, 2016
Authored by Tavis Ormandy, Google Security Research

Fuzzing packed executables with McAfee's LiveSafe version 14.0 on Windows found a signedness error parsing sections and relocations.

tags | exploit
systems | linux, windows
SHA-256 | df3a3c638fb803483492e5595745c6b207dc5378a2e3150bc4c2f7d4306afa97
TrendMicro Remote Debugger Stub Listening
Posted Mar 29, 2016
Authored by Tavis Ormandy, Google Security Research

There is a remote debugger stub listening by default on a new install of TrendMicro Antivirus that can be exploited to launch executables.

tags | exploit, remote
systems | linux
SHA-256 | 191c3b9d20b797c02c3aeb399b9f99fed1f18221adf47c360e14714b35343f0c
FireEye Malware Input Processor Privilege Escalation
Posted Mar 25, 2016
Authored by Tavis Ormandy, Google Security Research

The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root.

tags | exploit, root
systems | linux
SHA-256 | 5b5d78147822a04ece55e3ad4dc78e4634f5ee4ab840d7ead31f0b0e6099d778
Comodo Antivirus Forwards Emulated API Calls To Real API
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

Comodo Antivirus includes an x86 emulator that is used to unpack and monitor obfuscated executables; this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this is a very significant and complicated attack surface, as an attacker can trigger emulation simply by sending the victim an email or getting them to visit a website with zero user interaction. Multiple memory corruption issues have been found with the emulator.

tags | exploit, x86
systems | linux
SHA-256 | cfbf0dd1caad664a8a36d0e11f52ccba899cbf069cf799a34ef08893acaf37b2
Comodo Antivirus PackMan Unpacker Insufficient Parameter Validation
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

Packman is an obscure open source executable packer that Comodo Antivirus attempts to unpack during scanning. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer. This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.

tags | exploit, arbitrary
systems | linux
SHA-256 | adf1b7ee75650e302c810380b477450604f08412c70d3784267cfd3c982dd3ea
Comodo Antivirus LZMA Decoder Heap Overflow
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

The Comodo Antivirus LZMA decoder performs insufficient parameter checks, resulting in a heap overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | 80e8644d174a99b1386292c6a83033e7044613fa936d4b5dfafeec8f9086d5f4
Comodo Antivirus Composite Document Parsing Heap Overflow
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow. This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM. The attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, and so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.

tags | exploit, remote, overflow, code execution
systems | linux
SHA-256 | 0d8944589584ffd6f19521f74f3b05e3ba9308f6e066d7502ae4420ba2f83b4c
Comodo Antivirus PSUBUSB Stack Buffer Overflow
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

Comodo Antivirus includes a full x86 emulator that is used to unpack executables that are being scanned. Files read from disk or received over the network, including email, browser cache and so on, can all trigger emulation. The emulator itself uses a sequence of nested lookup tables to translate opcodes to the routines that emulate them. The xmm/ymm registers are used like a union in C. For example, the registers can be treated as 4 floats, 2 doubles, 2 dwords, 8 shorts and so on - whatever is appropriate. The Comodo emulator uses a union to represent these registers, and then each emulated instruction uses whichever union member matches its function. For example, PUNPCKLBW would use regs->words, PSRLQ would use regs->qwords and so on. The code for PSUBUSB incorrectly uses the wrong union member (words instead of bytes), meaning it will clobber double the space allocated by CPU::MMX_OPCODE(). The fix for this vulnerability is to use the bytes member of the union instead.

tags | advisory, x86
systems | linux
SHA-256 | 65a2860985334c929241500c3eec6733661c6d157ba7ce5980acbe5b0395bc08
Comodo Antivirus Win32 Emulation Integer / Heap Overflow
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM. These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker-controlled code. Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.

tags | exploit, overflow, x86
systems | linux, windows
SHA-256 | 8d147c54c65aab4d2452bd4eb9517303915856455def848dcb10b51b25e3f9d5
Comodo Antivirus LZX Decompression Heap Overflow
Posted Mar 23, 2016
Authored by Tavis Ormandy, Google Security Research

Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.

tags | exploit
systems | linux
SHA-256 | 839695e6d83e2e3da8e7895210ee30106fa6966de6fc5fbd59853d59883fab72
Avira PE Section Header Parsing Heap Underflow
Posted Mar 19, 2016
Authored by Tavis Ormandy, Google Security Research

Avira suffers from a heap underflow vulnerability when parsing PE section headers.

tags | exploit
systems | linux
SHA-256 | ea61070846baddcbb28d0f5d8e2027b479bd9eb7b9a66c93cc181a9f30a48ac3
Avast Authenticode Parsing Memory Corruption
Posted Mar 5, 2016
Authored by Tavis Ormandy, Google Security Research

This archive includes a PE file that causes memory corruption in Avast and it looks related to Authenticode parsing.

tags | exploit
systems | linux
SHA-256 | d27ccfd40a77226d4c5585eba95e9e09a9305de20bb80289d319a5fdf9d9225d
ESET NOD32 Heap Overflow
Posted Mar 4, 2016
Authored by Tavis Ormandy, Google Security Research

ESET NOD32 is affected by a heap overflow vulnerability while unpacking EPOC installation files. By creating a file record with type SIS_FILE_MULTILANG (meaning a different file is provided for every supported language), and then claiming to support a very large number of languages, a 16-bit calculation overflows. This leads to a nice clean heap overflow.

tags | exploit, overflow
systems | linux
SHA-256 | 2ddb32b00ad827a94327941703ae9b58ae4291fd5a72a65024a689e350a62ff5
Comodo Internet Security VNC Server Exposure
Posted Feb 18, 2016
Authored by Tavis Ormandy, Google Security Research

Comodo Internet Security installs GeekBuddy, which installs an exposed, weakly secured VNC server.

tags | exploit
systems | linux
advisories | CVE-2014-7872
SHA-256 | 3d2e073c1d6d171f88727d9420abce1904c883acad79c0452fffab5ce7a41451
Comodo Chromodo Browser Disable Same Origin Policy
Posted Feb 7, 2016
Authored by Tavis Ormandy, Google Security Research

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.

tags | exploit
systems | linux
SHA-256 | bdbaab613e70202de64329e92a0aa11a5a23b6198f82463ba4715fdd151dcb53
Avast File Read
Posted Feb 7, 2016
Authored by Tavis Ormandy, Google Security Research

This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link. You don't even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary authenticated HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on.

tags | exploit, web, arbitrary
systems | linux
SHA-256 | 4bad7ddfedceb6f7b409d84aac5aa90382f66d898044ad874bda143180fe3992
MalwareBytes Insecure Signing
Posted Feb 7, 2016
Authored by Tavis Ormandy, Google Security Research

MalwareBytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack.

tags | advisory, web
systems | linux
SHA-256 | 3db7f35f2173b8f4b93e582cd2e3ad38fac889bb0120b08617db5d68d39ac26b
Avast Sandbox/Autosandbox Message Filtering Vulnerable To MS13-005
Posted Jan 21, 2016
Authored by Tavis Ormandy, Google Security Research

Avast Sandbox/Autosandbox message filtering suffers from a flaw that allows for privilege escalation.

tags | exploit
systems | linux
SHA-256 | 11123d8f04f7157f84cdc92816ac901eeb5aa4e1ff0b49448154baf59b27196c
TrendMicro Node.js HTTP Server Command Execution
Posted Jan 12, 2016
Authored by Tavis Ormandy, Google Security Research

When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup. This product is primarily written in JavaScript with Node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

tags | exploit, web, arbitrary, javascript
systems | linux, windows
SHA-256 | 53073638c8c75e9a351656a4dcd7d53e7dbf2acdea0e8d44f29494b8f842d950
Page 4 of 7

© 2022 Packet Storm. All rights reserved.