
Files

Kaspersky Antivirus PE Unpacking Integer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Antivirus PE unpacking suffers from an integer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | 5f6ace8e01df0d4d69eed14c4bfebe35cffb18417251166f12d0d919112d59ea

Related Files

Kaspersky SSL Interception Differentiation
Posted Jan 3, 2017
Authored by Tavis Ormandy, Google Security Research

In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be "Kaspersky Anti-Virus Personal Root". Kaspersky's certificate interception has previously resulted in serious vulnerabilities, but a quick review finds many simple problems still exist. For example, the way leaf certificates are cached uses an extremely naive fingerprinting technique. Kaspersky cache recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it's already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection. The cache is a binary tree, and as new leaf certificates and keys are generated, they're inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent. You don't have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial.

tags | exploit, web, root, vulnerability, virus
SHA-256 | 62a363de88e0143fb1b6e4fbc89e03980ce4d3bb71f50510388690356f2ef1c2
Kaspersky Antivirus RAR File Format Parsing Memory Corruption
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the RAR file format found multiple crashes, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | advisory, remote, code execution
systems | linux
SHA-256 | 840a6644fa6473e395e71ccc99acd288e2ea564ff3edbc779548159cd42980df
Kaspersky Antivirus ZIP File Format Use-After-Free
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux
SHA-256 | fc8862117299fd338cb8bbf77d3ccb922e26861f2ef48f8fe569ea1fedea5e5b
Kaspersky Antivirus Multiple Memory Corruption Issues
Posted Nov 17, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Antivirus suffers from multiple memory corruption issues.

tags | advisory
systems | linux
SHA-256 | 40d39044a86196b76ab3036cb625cd7d59575c7d6b723cfe1570dbcc20ce34ff
Kaspersky Antivirus Yoda's Protector Unpacking Remote Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

The attached testcase was found by fuzzing packed PE files with Kaspersky Antivirus. The researcher suspects it was packed using "Yoda's protector". This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on all systems using Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux
SHA-256 | 3c3dd5acd1e83e6d651af0ce396c0ce5a329d99348391da8dcc96d1f2d9db389
Kaspersky Antivirus UPX Parsing Remote Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

While fuzzing UPX packed files in Kaspersky Antivirus, a crash was discovered resulting in an arbitrary stack-relative write. This vulnerability is obviously remotely exploitable for remote code execution as NT AUTHORITY\SYSTEM.

tags | exploit, remote, arbitrary, code execution
systems | linux
SHA-256 | 873dde06402e643e7c58d92fa1292dd7bd56e1ac4926fee21503ce6e92227045
Kaspersky Antivirus ExeCryptor Parsing Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing packed executables in Kaspersky Antivirus found an ExeCryptor parsing memory corruption vulnerability.

tags | exploit
systems | linux
SHA-256 | 9b88cbe181953642219bc9f3faab09f2d8454bba6f6371edce30a211c49ef39b
Kaspersky Antivirus CHM Parsing Remote Stack Buffer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing CHM files with Kaspersky Antivirus produced a crash due to a stack buffer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | 955d664811abe68cd1b11cbbbfdcc3b1d291028188d72a8d67f997305e27df5c
Kaspersky Antivirus VB6 Parsing Integer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing Kaspersky Antivirus VB6 executables produced a crash triggered by an integer overflow vulnerability.

tags | exploit, overflow
systems | linux
SHA-256 | c9ddc4ae299fb2e602e6dc2f065c0d2feca2d3364b70f32ea4e4bdc6ca8d7666
Kaspersky Antivirus DEX File Format Parsing Memory Corruption
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

Fuzzing the DEX file format found a crash that loads a function pointer from an attacker-controlled pointer; on Windows this results in a call to an unmapped address. This is obviously exploitable for remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

tags | exploit, remote, code execution
systems | linux, windows
SHA-256 | 26951261beb7ff1122009b4bec4c8a0f4705fa105a3613ecb9448249512fe065
Kaspersky Antivirus ThinApp Parser Stack Buffer Overflow
Posted Oct 13, 2015
Authored by Tavis Ormandy, Google Security Research

The attached report and exploit were mailed to Kaspersky on 4th September 2015. The researcher is currently triaging about 230 more unique crashes. A remotely exploitable stack buffer overflow exists in the ThinApp container parsing. Kaspersky Antivirus and other products using the Kaspersky Engine (such as ZoneAlarm) are affected.

tags | exploit, overflow
systems | linux
SHA-256 | 5ca3b319ffad1c37c2dc2b79e408a60512af7b432dd0803fc5b707285145f8b8
QEMU Programmable Interrupt Timer Controller Heap Overflow
Posted Aug 28, 2015
Authored by Google Security Research, matttait

The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.

tags | exploit, overflow, info disclosure
systems | linux
SHA-256 | 13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07
Microsoft Office 2007 RTF XML SmartTags Use-After-Free
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from an RTF XML SmartTags use-after-free vulnerability.

tags | advisory
systems | linux
advisories | CVE-2015-1651
SHA-256 | 9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49e
Microsoft Office 2007 OneTableDocumentStream Invalid Object
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-0065
SHA-256 | 71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023
Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-0064
SHA-256 | fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296
Security Flash Heap Use-After-Free In SurfaceFilterList::CreateFromScriptAtom
Posted Aug 21, 2015
Authored by Google Security Research, bilou

Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.

tags | exploit
systems | linux
advisories | CVE-2015-5563
SHA-256 | f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89
Flash Bypass Of Length Vs. Cookie Validation
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.

tags | exploit
systems | linux
advisories | CVE-2015-5125
SHA-256 | fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745
Flash AS2 Use After Free In TextField.filters
Posted Aug 21, 2015
Authored by Google Security Research, bilou

There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.

tags | exploit
systems | linux
advisories | CVE-2015-5561
SHA-256 | 45e43f90ddcb052986798b06cfd1f46ebd1983e9b8561f2e5e9f429141da9e39
Adobe Flash Overflow In ID3 Tag Parsing
Posted Aug 21, 2015
Authored by Google Security Research, natashenka

If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-5560
SHA-256 | 35155caf981a1919c824478ec4353bf7b0386be80fed9f35592dd6d487b2c05c
Adobe Flash Shared Object Lacks Normal Check
Posted Aug 21, 2015
Authored by Google Security Research, natashenka

The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object.

tags | exploit
systems | linux
advisories | CVE-2015-5562
SHA-256 | 19f7464f744154d2d6dd211423377f3e324df119f1b2817fad6a0f7b4e6ae5f4
Microsoft Office 2007 MSPTLS Heap Index Integer Underflow
Posted Aug 21, 2015
Authored by Google Security Research, scvitti

A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.

tags | exploit, x86
systems | linux, windows
SHA-256 | 6730e4bcb74ff3ada116f87db7b421bf1d013003c83ef00b178f449904c4d335
Mozilla Maintenance Service Log File Overwrite Elevation Of Privilege
Posted Aug 21, 2015
Authored by Google Security Research, forshaw

The maintenance service creates a log file in a user writable location. It's possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.

tags | exploit
systems | linux
advisories | CVE-2015-4481
SHA-256 | 9a1d92cce93d1ad86dd9eac6ec55a2b6aedcc3249f5d93fb13aea55da6b68ba6
Flash Heap-Based Buffer Overflow Due To Indexing Error When Loading FLV File
Posted Aug 21, 2015
Authored by Google Security Research, mjurczyk

Flash suffers from a heap-based buffer overflow due to an indexing error when loading FLV files.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-5118
SHA-256 | 4673942893163cde81ade110d85287f3016da128ff399dfaf5a45be550ea11c7
Flash Heap-Based Buffer Overflow Loading FLV File With Nellymoser Audio Codec
Posted Aug 21, 2015
Authored by Google Security Research, mjurczyk

Flash suffers from a heap-based buffer overflow vulnerability.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-4432
SHA-256 | 6dc90c34eaf395d7b5fc097c96fc3bbf1b826f568a8b16ab718447c06a8884a7
Microsoft Office 2007 Wwlib.dll FcPlcfFldMom Uninitialized Heap Usage
Posted Aug 21, 2015
Authored by Google Security Research, scvitti

A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1 bit delta from the original file at offset 0x31B.

tags | exploit, x86
systems | linux, windows
SHA-256 | 03f7aa286c6f7a41a1b151784a5669dfb726e0a84605f216c88584600f74d02f