Exploits

These are some of the stand-alone exploits I wrote:[1]

OpenSSL alternative certificate chain validation logic error (a.k.a. Alternative Chains Certificate Forgery) MITM proxy/exploit
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

rcvalle_accforgery.rb

Oracle Java JSSE incomplete internal state distinction (a.k.a. SKIP-TLS) MITM proxy/exploit
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

rcvalle_skiptls.rb

OpenSSL TLS heartbeat extension information disclosure (a.k.a. Heartbleed) exploit
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

rcvalle_heartbleed.rb

Linux sock_sendpage() NULL pointer dereference exploit for Linux POWER/PowerPC x86 (3)
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage3.tar.gz · View on LWN.net

Linux sock_sendpage() NULL pointer dereference exploit for Linux POWER/PowerPC x86 (2)
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage2.tar.gz · View on LWN.net

Linux sock_sendpage() NULL pointer dereference exploit for Linux POWER/PowerPC x86
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage.c · View on LWN.net

X11R6 XKEYBOARD extension Strcmp() stack-based buffer overflow exploit for Sun Solaris 8 9 10 x86
Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-x86-xkb.c

X11R6 XKEYBOARD extension Strcmp() stack-based buffer overflow exploit for Sun Solaris 8 9 10 SPARC
Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-sparc-xkb.c

X11R6 XKEYBOARD extension Strcmp() stack-based buffer overflow exploit for SCO UnixWare 7.1.3 x86
Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sco-x86-xkb.c

[1] See also the Metasploit exploit modules and other exploits I developed.