
Exploits

These are some of the exploits I wrote:

OpenSSL Alternative Chains Certificate Forgery MITM Proxy


The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

openssl_altchainsforgery_mitm_proxy.rb

OpenSSL Alternative Certificate Chain Validation Logic Error (a.k.a. Alternative Chains Certificate Forgery) MITM Proxy/Exploit


The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

rcvalle_accforgery.rb
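
The flaw both modules above exploit is easy to misread from the CVE text: a certificate that is itself a valid end-entity certificate (Basic Constraints CA:FALSE) could be used as an issuer while OpenSSL hunted for an alternative chain, because the cA value was not checked on that path. The Ruby below is an added example, not code from either module or from OpenSSL: it builds a throwaway root, a leaf issued by that root, and a "rogue" certificate for another name signed with the leaf's private key, then runs a small chain walk with and without the Basic Constraints check, and finally asks the system OpenSSL the same question. All names and keys are generated here for illustration.

```ruby
require 'openssl'

# Issue an X.509 certificate. issuer_cert/issuer_key are nil for a self-signed root.
def make_cert(subject, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY, LEAF_KEY, ROGUE_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert('/CN=Example Root CA', ROOT_KEY, nil, nil, ca: true, serial: 1)
# A perfectly valid end-entity certificate issued by the root (CA:FALSE).
LEAF  = make_cert('/CN=attacker.example', LEAF_KEY, ROOT, ROOT_KEY, ca: false, serial: 2)
# A certificate for someone else's name, signed with the leaf's private key.
ROGUE = make_cert('/CN=www.bank.example', ROGUE_KEY, LEAF, LEAF_KEY, ca: false, serial: 3)

def ca?(cert)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  !bc.nil? && bc.value.include?('CA:TRUE')
end

# Walk chain = [end-entity, ..., root]: each certificate must verify under the
# next one's key, the last must be a trust anchor, and (the check the bug
# skipped on the alternative-chain path) every issuer must assert CA:TRUE.
def chain_valid?(chain, trusted, check_ca: true)
  chain.each_cons(2) do |child, parent|
    return false unless child.verify(parent.public_key)
    return false if check_ca && !ca?(parent)
  end
  trusted.any? { |anchor| anchor.to_der == chain.last.to_der }
end

# The same question put to the system OpenSSL through a trust store.
def openssl_accepts?(cert, intermediates, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  store.verify(cert, intermediates)
end
```

With `check_ca: false` the walk accepts ROGUE through LEAF to ROOT, which is the forgery: signatures are all good, only the issuer's cA bit is wrong. A fixed OpenSSL (1.0.1p/1.0.2d and later) rejects that chain, so `openssl_accepts?(ROGUE, [LEAF], [ROOT])` is false on any current system while `openssl_accepts?(LEAF, [], [ROOT])` is true.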

Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy


Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

jsse_skiptls_mitm_proxy.rb

Oracle Java JSSE Incomplete Internal State Distinction (a.k.a. SKIP-TLS) MITM Proxy/Exploit


Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

rcvalle_skiptls.rb
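
The CVE text is deliberately unspecific; the "incomplete internal state distinction" in the title is a handshake state machine that accepts messages regardless of what came before. The Ruby below is an added illustration, not JSSE code and not the module above. It assumes the SKIP-TLS shape of the bug: a client that accepts the server's Finished before ServerHelloDone and ChangeCipherSpec have arrived, and therefore before it has ever sent ClientKeyExchange or derived a session key. The point it makes is that such a client does not fail closed; it goes on to send application data with no key at all. Message names are the TLS 1.x ones for an RSA key exchange; the toy XOR "encryption" and the 0x5a key stand in for record protection.

```ruby
# Server-side handshake messages a client sees in an RSA key exchange, each
# with the message that must already have arrived.
PREREQ = {
  'ServerHello'      => nil,
  'Certificate'      => 'ServerHello',
  'ServerHelloDone'  => 'Certificate',
  'ChangeCipherSpec' => 'ServerHelloDone',
  'Finished'         => 'ChangeCipherSpec',
}.freeze

class TlsClient
  attr_reader :seen

  def initialize(strict:)
    @strict = strict
    @seen = []
    @session_key = nil        # set only after ServerHelloDone triggers ClientKeyExchange
    @handshake_done = false
  end

  # strict: refuse any message whose prerequisite has not been received.
  # lenient (the vulnerable shape): accept everything and just record it.
  def receive(msg)
    raise ArgumentError, "unknown handshake message #{msg}" unless PREREQ.key?(msg)
    needed = PREREQ[msg]
    raise "unexpected #{msg} before #{needed}" if @strict && needed && !@seen.include?(needed)
    @seen << msg
    @session_key = derive_session_key if msg == 'ServerHelloDone'
    @handshake_done = true if msg == 'Finished'
    self
  end

  # Stand-in for the master-secret / key-block derivation.
  def derive_session_key
    0x5a
  end

  # Application data after Finished. The lenient client sends it with whatever
  # keys it has, which after a skipped key exchange means none: plaintext.
  def send_app_data(payload)
    raise 'handshake not complete' unless @handshake_done
    return [:plaintext, payload] if @session_key.nil?
    [:encrypted, payload.bytes.map { |b| b ^ @session_key }.pack('C*')]
  end
end

# Feed a server's message sequence to a fresh client and return the client.
def run_handshake(messages, strict:)
  messages.each_with_object(TlsClient.new(strict: strict)) { |m, c| c.receive(m) }
end
```

A real client also has to track ServerKeyExchange for (EC)DHE suites, CertificateRequest, and the client's own transmitted messages; the shape of the check is the same: every incoming message is validated against the current state, and anything else aborts the handshake with an alert rather than being silently absorbed.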

DHCP Client Bash Environment Variable Code Injection (Shellshock)


GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

dhclient_bash_env.rb
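
The DHCP vector works because dhclient-script copies option values into bash's environment (the domain name, option 15, arrives as new_domain_name, for example) before running its hook scripts, and vulnerable bash treated any environment value beginning with "() {" as a function definition and kept executing what followed it. The Ruby below is an added example, not the module above: it builds the option TLVs a rogue DHCP server would send, parses them back as a client would, and flags the values a detector should refuse. Option codes are from RFC 2132; the command string and host name are constructed for the example.

```ruby
# DHCP option codes (RFC 2132) used below.
DHCP_OPT_HOST_NAME   = 12
DHCP_OPT_DOMAIN_NAME = 15
DHCP_OPT_END         = 0xff

# The value: an empty function body, then the command bash kept parsing.
def shellshock_payload(cmd)
  "() { :;}; #{cmd}"
end

# Encode one option as code, length, value (every DHCP option is a TLV).
def dhcp_option(code, value)
  raise ArgumentError, 'DHCP option value exceeds 255 bytes' if value.bytesize > 255
  [code, value.bytesize].pack('CC') + value.b
end

# Encode a {code => value} hash into an options field with the end marker.
def dhcp_options_blob(options)
  options.map { |code, value| dhcp_option(code, value) }.join + [DHCP_OPT_END].pack('C')
end

# Parse an options field back into {code => value}, tolerating pad bytes.
def parse_dhcp_options(blob)
  opts = {}
  i = 0
  while i < blob.bytesize
    code = blob.getbyte(i)
    break if code == DHCP_OPT_END
    if code == 0               # pad option is a single byte
      i += 1
      next
    end
    len = blob.getbyte(i + 1)
    raise ArgumentError, 'truncated DHCP option' if len.nil? || i + 2 + len > blob.bytesize
    opts[code] = blob.byteslice(i + 2, len)
    i += 2 + len
  end
  opts
end

# Detection: vulnerable bash only treats an environment value as a function
# definition when it begins with exactly "() {". No legitimate DHCP server
# sends a host or domain name that starts that way.
def shellshock_value?(value)
  value.start_with?('() {')
end

# Report the option codes whose values would be interpreted as functions.
def suspicious_dhcp_options(opts)
  opts.select { |_code, value| shellshock_value?(value) }.keys
end
```

The same prefix check is what a network IDS rule or a DHCP relay filter can apply to every option value, not just 12 and 15, since which options a given client script exports is a property of the client, not of the protocol.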

OpenSSL TLS Heartbeat Extension Information Disclosure (a.k.a. Heartbleed) Exploit


The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

rcvalle_heartbleed.rb
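
The over-read is a length-trust bug: the heartbeat message carries its own 16-bit payload_length, and the unpatched code copied that many bytes into the response without comparing it against the size of the record it actually received. The Ruby below is an added example and not the module above or OpenSSL's code: it encodes a heartbeat request that claims far more payload than it carries, simulates the vulnerable handler over a constructed byte string standing in for the heap beyond the record, and sets the fixed bounds check beside it. Record layout and the 16-byte minimum padding are from RFC 6520; the "adjacent memory" contents are made up.

```ruby
HEARTBEAT_REQUEST     = 1
HEARTBEAT_RESPONSE    = 2
TLS_CONTENT_HEARTBEAT = 24
MIN_PADDING           = 16

# Wrap a heartbeat message in a TLS record (version bytes for TLS 1.1 here).
def tls_heartbeat_record(body)
  [TLS_CONTENT_HEARTBEAT, 3, 2, body.bytesize].pack('CCCn') + body
end

# Heartbeat message: type, payload_length, payload, padding. The attack lies in
# payload_length (up to 0xffff); the bytes actually sent stay tiny.
def heartbeat_request(claimed_len, payload = '')
  [HEARTBEAT_REQUEST, claimed_len].pack('Cn') + payload.b + ("\x00" * MIN_PADDING).b
end

# What the unpatched handler did: read payload_length from the peer and copy
# that many bytes into the response, running past the end of the record.
# adjacent_memory stands in for whatever followed the record on the heap.
def process_heartbeat_vulnerable(record, adjacent_memory)
  type, payload_len = record.unpack('Cn')
  return nil unless type == HEARTBEAT_REQUEST
  process_memory = record + adjacent_memory
  [HEARTBEAT_RESPONSE, payload_len].pack('Cn') + process_memory.byteslice(3, payload_len)
end

# The fix (1.0.1g): silently discard the message unless type, length, payload
# and minimum padding all fit inside the record that was received.
def process_heartbeat_fixed(record, _adjacent_memory)
  return nil if 1 + 2 + MIN_PADDING > record.bytesize
  type, payload_len = record.unpack('Cn')
  return nil unless type == HEARTBEAT_REQUEST
  return nil if 1 + 2 + payload_len + MIN_PADDING > record.bytesize
  [HEARTBEAT_RESPONSE, payload_len].pack('Cn') + record.byteslice(3, payload_len)
end

# Bytes in a response beyond the payload and padding the request really sent.
def leaked_bytes(response, sent_payload)
  response.byteslice(3 + sent_payload.bytesize + MIN_PADDING, response.bytesize) || ''
end
```

Against a live target the record goes out after the handshake (or, in the module's case, during it, since the extension is negotiated in the hello) and the leak is whatever sat next to the record buffer: session data, cookies, and eventually the private key, as the advisory notes.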

Katello (Red Hat Satellite) users/update_roles Missing Authorization


The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

katello_satellite_priv_esc.rb

Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal


Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.

cfme_manageiq_evm_upload_exec.rb
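
The upload methods took the filename parameter and joined it onto the agent's storage directory, so a value such as ../../../etc/cron.d/x landed outside it. The Ruby below is an added example, not code from the module or from CloudForms: the vulnerable join beside a hardened resolver that canonicalises the path and insists it stays under the base directory, plus a self-contained demonstration that exercises both inside a temporary directory. The directory and file names are constructed for the example.

```ruby
require 'fileutils'
require 'tmpdir'

# Vulnerable pattern: the filename parameter is joined to the base directory
# verbatim, so ".." components walk out of it.
def upload_vulnerable(base_dir, filename, data)
  path = File.join(base_dir, filename)
  FileUtils.mkdir_p(File.dirname(path))
  File.binwrite(path, data)
  path
end

# Hardened: expand the result and require it to remain inside base_dir. This
# rejects "..", absolute names, and siblings that merely share a prefix
# ("/var/uploads_old" versus "/var/uploads"). A NUL byte makes expand_path
# raise ArgumentError on its own.
def safe_upload_path(base_dir, filename)
  base = File.expand_path(base_dir)
  path = File.expand_path(filename, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "filename escapes upload directory: #{filename.inspect}"
  end
  path
end

def upload_hardened(base_dir, filename, data)
  path = safe_upload_path(base_dir, filename)
  FileUtils.mkdir_p(File.dirname(path))
  File.binwrite(path, data)
  path
end

# Run both versions in a throwaway directory and report what each did.
def traversal_demo
  Dir.mktmpdir do |tmp|
    base = File.join(tmp, 'uploads')
    Dir.mkdir(base)
    escaped = upload_vulnerable(base, '../escaped.txt', 'owned')
    blocked = begin
      upload_hardened(base, '../escaped.txt', 'owned')
      false
    rescue ArgumentError
      true
    end
    kept = upload_hardened(base, 'pkgs/list.txt', 'ok')
    {
      vulnerable_wrote_outside: File.exist?(File.join(tmp, 'escaped.txt')),
      hardened_blocked: blocked,
      hardened_kept_inside: kept.start_with?(File.expand_path(base) + File::SEPARATOR),
      escaped_path: escaped,
    }
  end
end
```

Checking the resolved path rather than filtering the string is what matters: a blacklist of "../" misses encoded and platform-specific variants, and a prefix test without the trailing separator accepts a sibling directory.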

Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection


SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action.

cfme_manageiq_evm_pass_reset.rb

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment


The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

foreman_openstack_satellite_priv_esc.rb
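
The Katello and Foreman entries above are the two halves of one controller mistake: the action never asks whether the caller may change roles at all (missing authorization), and it copies every submitted attribute, admin flag and roles included, onto the user record (mass assignment). The Ruby below is an added example that models both with a plain Struct rather than Rails; it is not code from either module or project. The permission names and the three users are constructed for the example.

```ruby
# In-memory stand-in for the user model. Struct assignment by attribute name
# behaves like mass assignment on an ActiveRecord model.
User = Struct.new(:login, :admin, :roles, :permissions)

# Vulnerable shape of both bugs: no authorization decision for the action,
# and every submitted attribute written straight onto the record.
def update_user_vulnerable(_current_user, target, params)
  params.each { |attr, value| target[attr.to_sym] = value }
  target
end

# Attributes an ordinary caller may change on a user record...
SELF_SERVICE_ATTRS = %i[login].freeze
# ...and the ones only an administrator may touch.
PRIVILEGED_ATTRS   = %i[admin roles].freeze

def update_user_hardened(current_user, target, params)
  params = params.transform_keys(&:to_sym)
  # 1. Authorization: may this caller edit this record at all?
  unless current_user.admin || current_user.permissions.include?(:edit_users) || current_user.equal?(target)
    raise 'forbidden: no permission to edit this user'
  end
  # 2. Attribute whitelist: privileged fields require an administrator, never
  #    the edit_users permission alone and never self-service.
  allowed = current_user.admin ? SELF_SERVICE_ATTRS + PRIVILEGED_ATTRS : SELF_SERVICE_ATTRS
  rejected = params.keys - allowed
  raise "forbidden attributes: #{rejected.join(', ')}" unless rejected.empty?
  params.each { |attr, value| target[attr] = value }
  target
end
```

In Rails terms the second step is strong parameters (or attr_accessible on the 2.x/3.x versions these products shipped) with the permitted list chosen per caller, and the first is a before_filter or authorize call on the action itself, not on some other action of the same controller.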

Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection


Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute.

foreman_openstack_satellite_code_exec.rb
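
Eval injection here means the bookmark's controller attribute was spliced into Ruby source that the application then evaluated, so a value with a ';' in it runs arbitrary code as the application user. The Ruby below is an added example and not the module's or Foreman's code: a stand-in routes module, the vulnerable eval beside a lookup-table dispatch, and an injected attribute that flips a global only when the vulnerable path is taken. The route helpers and the controller names are constructed for the example.

```ruby
# Stand-in for the application's route helpers.
module Routes
  def self.hosts_path
    '/hosts'
  end

  def self.users_path
    '/users'
  end
end

$side_effect = nil   # observable proof that injected code ran

# Vulnerable: the stored attribute becomes part of the source that is
# evaluated. Anything after a ';' runs with the application's privileges.
def bookmark_path_vulnerable(controller)
  eval("Routes.#{controller}_path")
end

# Hardened: the attribute can only select from a fixed table of known
# controllers, and dispatch is a lookup, not evaluation of text.
ROUTE_HELPERS = {
  'hosts' => Routes.method(:hosts_path),
  'users' => Routes.method(:users_path),
}.freeze

def bookmark_path_hardened(controller)
  helper = ROUTE_HELPERS[controller]
  raise ArgumentError, "unknown controller #{controller.inspect}" unless helper
  helper.call
end

# A controller value an authenticated user could store in a bookmark. It still
# yields a valid-looking path, so the injection is invisible to the caller.
INJECTED_CONTROLLER = "hosts_path; $side_effect = :code_ran; Routes.hosts"
```

The same whitelist belongs on the create path that stores the attribute, so that the bad value never reaches the database in the first place; validating on read alone leaves every other consumer of the column exposed.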

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux on POWER/PowerPC and x86 (3)


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage3.tar.gz · View on LWN.net

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux on POWER/PowerPC and x86 (2)


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage2.tar.gz · View on LWN.net

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux on POWER/PowerPC and x86


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage.c · View on LWN.net

ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)


Stack-based buffer overflow in the _tt_internal_realpath function in the ToolTalk library (libtt.a) in IBM AIX 5.2.0, 5.3.0, 5.3.7 through 5.3.10, and 6.1.0 through 6.1.3, when the rpc.ttdbserver daemon is enabled in /etc/inetd.conf, allows remote attackers to execute arbitrary code via a long XDR-encoded ASCII string to remote procedure 15.

rpc_ttdbserverd_realpath.rb

Samba lsa_io_trans_names Heap Overflow (Linux)


Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

lsa_transnames_heap_linux.rb

Sun Solaris sadmind adm_build_path() Buffer Overflow


Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.

sadmind_adm_build_path.rb

Borland InterBase INET_connect() Buffer Overflow


Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.

ib_inet_connect.rb

Borland InterBase jrd8_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_jrd8_create_database.rb

Borland InterBase open_marker_file() Buffer Overflow


Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, allows remote attackers to execute arbitrary code via a long attach request on TCP port 3050 to the open_marker_file function.

ib_open_marker_file.rb

Borland InterBase PWD_db_aliased() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_pwd_db_aliased.rb

Firebird Relational Database isc_attach_database() Buffer Overflow


This module exploits a stack buffer overflow in Firebird by sending a specially crafted attach request.

fb_isc_attach_database.rb

Firebird Relational Database isc_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Firebird by sending a specially crafted create request.

fb_isc_create_database.rb

Firebird Relational Database SVC_attach() Buffer Overflow


This module exploits a stack buffer overflow in Firebird by sending a specially crafted service attach request.

fb_svc_attach.rb

Borland InterBase isc_attach_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_isc_attach_database.rb

Borland InterBase isc_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_isc_create_database.rb

Borland InterBase SVC_attach() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

ib_svc_attach.rb

Samba lsa_io_trans_names Heap Overflow (Solaris)


This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

lsa_transnames_heap_solaris.rb

Samba lsa_io_trans_names Heap Overflow (OSX)


This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses szone_free() to overwrite the size() or free() pointer in the initial_malloc_zones structure.

lsa_transnames_heap_osx.rb

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for SCO UnixWare 7.1.3 x86


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sco-x86-xkb.c

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for Solaris 8/9/10 SPARC


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-sparc-xkb.c

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for Solaris 8/9/10 x86


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-x86-xkb.c