Showing 101 - 125 of 167

Files from Tavis Ormandy

Email address: taviso at google.com
First Active: 2006-10-09
Last Active: 2022-12-06
AVG WebTune Hijacking
Posted Dec 29, 2015
Authored by Tavis Ormandy, Google Security Research

AVG's Web TuneUp Chrome extension bypasses Chrome's malware checks and leaves broken JavaScript APIs exposed. The attached exploit steals cookies from avg.com.

tags | exploit, web, javascript
systems | linux
SHA-256 | bc6771c4f589518e2a4514e7c5963c7ac6e4f7a4abf44b90f9df910e567a4843
Avast Stack Buffer Overflow
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Avast suffers from a stack buffer overflow in which the length argument passed to strncpy is discarded, so the copy is effectively unbounded.

tags | advisory, overflow
systems | linux
SHA-256 | 981421efbeda26558ee522287dc5c8002378d0c6e8c1dc43d8d74a5242e44a1c
Avast OOB Write Decrypting PEncrypt Packed Executables
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached PEncrypt packed executable causes an OOB write on Avast Server Edition. The attached testcase has the password "infected" to avoid disrupting your mail server.

tags | exploit
systems | linux
SHA-256 | 1dc9821304f839db90568189d065d1bd7ea2eccbddbf7cf1e21c22686b6ddda4
Avast Heap Overflow Unpacking MoleBox Archives
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

tags | exploit, remote, overflow, arbitrary, code execution
systems | linux
SHA-256 | 9006764eb2a662f1500a7aa2992e20fb3ecac298b87aed2a54131e2f36307888
Avast JetDb::IsExploited4x Performs Unbounded Search On Input
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.

tags | exploit
systems | linux
SHA-256 | 8da5165beab1e91ccd76caa05545423e4f4b91564417f8cdfde58748e1b71575
Rar CmdExtract::UnstoreFile Integer Truncation Memory Corruption
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32-bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early. The researcher observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. Many other antiviruses may be affected, and presumably WinRAR and other archivers.

tags | exploit
systems | linux
SHA-256 | f997e4c151ea3e156d9094a7b24afa34f8a5710d3d6e665444df919da07dc43c
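The truncation described in the CmdExtract::UnstoreFile entry above, shown as an added example rather than code from unrar or the advisory. The header struct is a deliberately simplified stand-in for Arc.FileHead (only the two fields the bug involves), and the payload is constructed; the point is that narrowing the signed 64-bit size to 32 bits lets values such as -1 or 0x100000004 pass a bounds check that the full value would fail, and that an early sanity check on the 64-bit value closes the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a file header (assumption): the real unrar Arc.FileHead
 * has many more fields; only the two the bug involves are kept. */
struct file_head {
    int64_t  unp_size;   /* declared unpacked size, signed 64-bit as in unrar */
    uint32_t pack_size;  /* bytes of stored data that follow the header */
};

/* The bug pattern: narrowing the signed 64-bit size to an unsigned 32-bit
 * counter. -1 becomes 0xFFFFFFFF and 0x100000004 becomes 4, so a later
 * check against the narrowed value passes while the real value is absurd. */
uint32_t truncated_dest_size(int64_t unp_size)
{
    return (uint32_t)unp_size;
}

/* Early sanity check on the full 64-bit value, before it is used anywhere:
 * reject negatives and anything larger than the output the caller can hold. */
bool unp_size_is_sane(int64_t unp_size, size_t max_allowed)
{
    if (unp_size < 0)
        return false;
    if ((uint64_t)unp_size > (uint64_t)max_allowed)
        return false;
    return true;
}

/* Extract a stored (uncompressed) entry. Returns bytes written, or -1 if the
 * header is inconsistent or the data does not fit. */
int64_t unstore_file(const struct file_head *fh, const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_len)
{
    if (!unp_size_is_sane(fh->unp_size, out_len))
        return -1;
    size_t want = (size_t)fh->unp_size;      /* safe: already <= out_len */
    if (fh->pack_size != want)               /* stored entry: sizes must agree */
        return -1;
    if (want > in_len)                       /* truncated archive */
        return -1;
    memcpy(out, in, want);
    return (int64_t)want;
}

/* Constructed test case: a 4-byte stored payload with an attacker-chosen
 * declared unpacked size. Returns whatever unstore_file returns. */
int64_t run_constructed_case(int64_t declared_unp_size, uint32_t pack_size)
{
    static const uint8_t payload[4] = { 'd', 'a', 't', 'a' };
    uint8_t out[64];
    struct file_head fh = { declared_unp_size, pack_size };
    return unstore_file(&fh, payload, sizeof payload, out, sizeof out);
}

int main(void)
{
    printf("truncated(-1)          = 0x%08x\n", truncated_dest_size(-1));
    printf("truncated(0x100000004) = %u\n", truncated_dest_size(0x100000004LL));
    printf("valid header           -> %lld\n", (long long)run_constructed_case(4, 4));
    printf("UnpSize 0x100000004    -> %lld\n", (long long)run_constructed_case(0x100000004LL, 4));
    printf("UnpSize -1             -> %lld\n", (long long)run_constructed_case(-1, 4));
    return 0;
}
```

The check is placed where the advisory suggests, before any size is derived from the header, and is done on the 64-bit field; a check performed after the cast would see 4 instead of 0x100000004 and accept it.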
Avast Integer Overflow Verifying NumFonts In TTC Header
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.

tags | exploit, overflow
systems | linux
SHA-256 | f677bb58e1b1048a5746cfc026a361e68396925db1aa60baa097504025056cfd
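The numFonts overflow from the TTC entry above, as an added example that is not Avast's code or the advisory's testcase. The TTC header layout ('ttcf', two 16-bit version fields, 32-bit numFonts, then numFonts 32-bit offsets) is the public format; the 32-bit product models the (SIZE_MAX+1)/4 condition on a 32-bit build, and the inputs are constructed. The hardened parser bounds numFonts by the bytes actually present, which rules out the multiplication overflow without needing a separate overflow check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TTC header: 'ttcf' tag, uint16 major, uint16 minor, uint32 numFonts,
 * followed by numFonts big-endian uint32 offsets into the file. */
#define TTC_HEADER_LEN 12u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The bug pattern in 32-bit arithmetic, as on a build where size_t is 32 bits:
 * numFonts * 4 wraps once numFonts >= 0x40000000, so the buffer locked for the
 * offset table is far smaller than the table the parser then walks. */
uint32_t naive_offset_table_bytes(uint32_t num_fonts)
{
    return num_fonts * 4u;
}

/* Hardened parse. Returns the font count and fills first_offset, or -1 on
 * any inconsistency. numFonts is bounded by available data before any size
 * is derived from it. */
int64_t parse_ttc(const uint8_t *buf, size_t len, uint32_t *first_offset)
{
    if (len < TTC_HEADER_LEN || memcmp(buf, "ttcf", 4) != 0)
        return -1;
    uint32_t num_fonts = be32(buf + 8);
    if (num_fonts == 0)
        return -1;
    if (num_fonts > (len - TTC_HEADER_LEN) / 4)   /* table must fit in the file */
        return -1;
    size_t table_bytes = (size_t)num_fonts * 4;  /* cannot overflow now */
    for (uint32_t i = 0; i < num_fonts; i++) {
        uint32_t off = be32(buf + TTC_HEADER_LEN + (size_t)i * 4);
        /* each font must start past the offset table and inside the file */
        if (off < TTC_HEADER_LEN + table_bytes || off >= len)
            return -1;
    }
    *first_offset = be32(buf + TTC_HEADER_LEN);
    return num_fonts;
}

/* Constructed input: a header claiming `claimed` fonts but carrying only
 * `present` offsets, each pointing at 8 dummy bytes after the table. */
int64_t parse_constructed_ttc(uint32_t claimed, uint32_t present)
{
    uint8_t buf[64];
    if (present > 4)
        return -1;                 /* keep the constructed file inside buf */
    memset(buf, 0, sizeof buf);
    memcpy(buf, "ttcf", 4);
    buf[4] = 0; buf[5] = 1;        /* major version 1 */
    buf[6] = 0; buf[7] = 0;        /* minor version 0 */
    put_be32(buf + 8, claimed);
    size_t data_start = TTC_HEADER_LEN + (size_t)present * 4;
    for (uint32_t i = 0; i < present; i++)
        put_be32(buf + TTC_HEADER_LEN + (size_t)i * 4, (uint32_t)(data_start + i * 8));
    size_t len = data_start + (size_t)present * 8;
    uint32_t first = 0;
    return parse_ttc(buf, len, &first);
}

int main(void)
{
    printf("0x40000000 * 4 in 32 bits = %u\n", naive_offset_table_bytes(0x40000000u));
    printf("well-formed 2-font TTC    -> %lld\n", (long long)parse_constructed_ttc(2, 2));
    printf("numFonts = 0x40000000     -> %lld\n", (long long)parse_constructed_ttc(0x40000000u, 2));
    return 0;
}
```

Bounding a count by the data that backs it is the general fix for this class of header bug: once numFonts is known to be at most (len - 12) / 4, every size derived from it is also bounded by len, on any width of size_t.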
Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Virtual Keyboard suffers from a path traversal vulnerability.

tags | exploit
systems | linux
SHA-256 | c6c95fb5482461d979dcaea9ccd55fe337bf44a3c13647033eef85646190e4cb
Kaspersky Antivirus RAR File Format Parsing Memory Corruption
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the RAR file format found multiple crashes, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | advisory, remote, code execution
systems | linux
SHA-256 | 840a6644fa6473e395e71ccc99acd288e2ea564ff3edbc779548159cd42980df
Kaspersky Antivirus Incorrect %PROGRAMDATA% ACL
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

The ACL on %PROGRAMDATA%\Kaspersky Lab allows BUILTIN\Users to create new files. This can be abused to create new plugins and modules during update, and other filesystem races to gain elevated privileges.

tags | advisory
systems | linux
SHA-256 | 5123890ee94b7febd160cd7bdcce88da33225fd6e226283bf65d0ea4999f84e3
Kaspersky Antivirus DEX File Format Memory Corruption
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catches exceptions and continues execution, so running into unmapped pages does not terminate the process; this should make exploitation quite realistic.

tags | exploit, overflow
systems | linux
SHA-256 | 6751e071bf8dd3497577b29fbf7d097aa98be4740d9f645d2afa24cded401776
Kaspersky Antivirus Certificate Handling Path Traversal
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. The naming pattern for files is {CN}.cer and CN can be modified to perform path traversals.

tags | exploit, web
systems | linux
SHA-256 | ce9f7093bf60e3752e2176561753c43ff890d74e6e48bcae0af1b4f25757ad05
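The {CN}.cer naming problem from the certificate handling entry above, as an added example that is not Kaspersky's code. The cache directory name and the .cer suffix are assumptions for illustration; the CN strings are constructed. A commonName is attacker-controlled (any server the user connects to chooses it), so it must be validated with an allowlist before it becomes a filename component, and anything containing separators, "..", drive letters or control characters is refused rather than escaped.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Hypothetical cache directory (assumption); the product's real path is not modelled. */
#define CERT_CACHE_DIR "C:\\ProgramData\\ExampleAV\\certs"
#define MAX_CN_LEN 64

/* Allowlist check on a commonName before it is used as a filename component:
 * only [A-Za-z0-9._-], never "." or "..", and a length cap so the final path
 * stays bounded. Rejecting rather than escaping keeps the rule easy to audit. */
bool cn_is_safe_filename(const char *cn)
{
    size_t n = strlen(cn);
    if (n == 0 || n > MAX_CN_LEN)
        return false;
    if (strcmp(cn, ".") == 0 || strcmp(cn, "..") == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cn[i];
        if (isalnum(c) || c == '.' || c == '-' || c == '_')
            continue;
        return false;   /* '/', '\\', ':', spaces, control and non-ASCII bytes */
    }
    return true;
}

/* Build "<dir>\<cn>.cer" for a safe CN; returns NULL otherwise.
 * A static buffer keeps the example self-contained. */
const char *cert_path_for(const char *cn)
{
    static char path[sizeof CERT_CACHE_DIR + MAX_CN_LEN + 8];
    if (!cn_is_safe_filename(cn))
        return NULL;
    snprintf(path, sizeof path, "%s\\%s.cer", CERT_CACHE_DIR, cn);
    return path;
}

int main(void)
{
    /* constructed CNs: one benign, the rest traversal or separator attempts */
    const char *samples[] = {
        "example.com", "..\\..\\Windows\\evil", "../../evil", "C:\\evil", "..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = cert_path_for(samples[i]);
        printf("%-24s -> %s\n", samples[i], p ? p : "(rejected)");
    }
    return 0;
}
```

Two caveats the allowlist does not cover: on Windows, names such as CON or NUL are reserved device names even with a .cer suffix, and distinct certificates can share a CN, so a cache keyed on the CN can be made to overwrite another entry. Keying the file on a digest of the DER certificate instead of the CN avoids both problems and removes the traversal surface entirely.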
Kaspersky Antivirus ZIP File Format Use-After-Free
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux
SHA-256 | fc8862117299fd338cb8bbf77d3ccb922e26861f2ef48f8fe569ea1fedea5e5b
Kaspersky Antivirus Multiple Memory Corruption Issues
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Antivirus suffers from multiple memory corruption issues.

tags | advisory
systems | linux
SHA-256 | 40d39044a86196b76ab3036cb625cd7d59575c7d6b723cfe1570dbcc20ce34ff
ESET Emulation Command Execution
Posted Nov 13, 2015
Authored by Tavis Ormandy, Google Security Research

A vulnerability exists in how ESET Antivirus manages a shadow stack during emulation. It allows complete remote root/SYSTEM command execution on all ESET platforms and products.

tags | exploit, remote, root
systems | linux
SHA-256 | 54e383e693089b91935fe984c9f900208e8ba9545096a2ebbf8cb88081990c3b
Avast Antivirus X.509 Error Rendering Command Execution
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Avast will render the commonName of X.509 certificates into an HTMLLayout frame when its MITM proxy detects a bad signature.

tags | exploit
systems | linux
SHA-256 | f3141a360bdf7ee6e4a571e6ac07b4d6860453bfd2d2651ec97cfa7f9a2ae196
Kaspersky Antivirus Yoda's Protector Unpacking Remote Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

The attached testcase was found by fuzzing packed PE files with Kaspersky Antivirus. The researcher suspects it was packed using "Yoda's protector". This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on all systems using Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux
SHA-256 | 3c3dd5acd1e83e6d651af0ce396c0ce5a329d99348391da8dcc96d1f2d9db389
Kaspersky Antivirus UPX Parsing Remote Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

While fuzzing UPX packed files in Kaspersky Antivirus, a crash was discovered resulting in an arbitrary stack-relative write. This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM.

tags | exploit, remote, arbitrary, code execution
systems | linux
SHA-256 | 873dde06402e643e7c58d92fa1292dd7bd56e1ac4926fee21503ce6e92227045
Kaspersky Antivirus PE Unpacking Integer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Antivirus PE unpacking suffers from an integer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | 5f6ace8e01df0d4d69eed14c4bfebe35cffb18417251166f12d0d919112d59ea
Kaspersky Antivirus ExeCryptor Parsing Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing packed executables in Kaspersky Antivirus found an ExeCryptor parsing memory corruption vulnerability.

tags | exploit
systems | linux
SHA-256 | 9b88cbe181953642219bc9f3faab09f2d8454bba6f6371edce30a211c49ef39b
Kaspersky Antivirus CHM Parsing Remote Stack Buffer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing CHM files with Kaspersky Antivirus produced a crash due to a stack buffer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | 955d664811abe68cd1b11cbbbfdcc3b1d291028188d72a8d67f997305e27df5c
Kaspersky Antivirus VB6 Parsing Integer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing VB6 executables with Kaspersky Antivirus produced a crash triggered by an integer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | c9ddc4ae299fb2e602e6dc2f065c0d2feca2d3364b70f32ea4e4bdc6ca8d7666
Kaspersky Antivirus DEX File Format Parsing Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the DEX file format found a crash that loads a function pointer from an attacker controlled pointer, on Windows this results in a call to an unmapped address. This is obviously exploitable for remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux, windows
SHA-256 | 26951261beb7ff1122009b4bec4c8a0f4705fa105a3613ecb9448249512fe065
Kaspersky Antivirus ThinApp Parser Stack Buffer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

The attached report and exploit were mailed to Kaspersky on 4th September 2015. The researcher is currently triaging about 230 more unique crashes. A remotely exploitable stack buffer overflow exists in the ThinApp container parsing. Kaspersky Antivirus and other products using the Kaspersky Engine (such as ZoneAlarm) are affected.

tags | exploit, overflow
systems | linux
SHA-256 | 5ca3b319ffad1c37c2dc2b79e408a60512af7b432dd0803fc5b707285145f8b8
Kaspersky Internet Security Network Attack Blocker Design Flaw
Posted Oct 9, 2015
Authored by Tavis Ormandy, Google Security Research

A component of Kaspersky Internet Security that is enabled by default is called the "Network Attack Blocker", described as "protects the computer against dangerous network activity". The researcher examined the implementation and determined that it is actually a simple stateless packet filter with a pattern-matching signature system.

tags | exploit
systems | linux
SHA-256 | c93a85cd6e072be949ef0e44b2c0a5defdb132a1bdc0a750a43a8beadfd92a25
© 2022 Packet Storm. All rights reserved.