Security Research
A Quick Note
Over the course of the last decade or so, I discovered and reported dozens of security bugs in popular software packages. By necessity, the list below contains just a subset of those; for various reasons, multiple security reports never had a CVE number assigned to them.
I generally focus on low-level application security, which covers projects like the Linux kernel, various input parsing libraries (images, PDF, media, etc.), web browsers, system services, and Internet network services. The tool I use most frequently to discover software flaws is Honggfuzz.
Trivia
In 2016, I was nominated for a Pwnie Award for publishing a flaw in AMD CPUs. The flaw enabled unprivileged users of a VM to execute code at the host's CPU ring0. The Register published a short article on how the bug was discovered.
Again, in 2017, I was nominated for the same Pwnie Award for finding a pre-auth vulnerability in the OpenSSL suite which potentially allowed for remote code execution.
Vulnerability Disclosures
- Memory OOB read (remote DoS) in OpenSSL CVE-2017-3731
- Memory OOB read (remote DoS) in OpenSSL CVE-2016-7054
- Memory Use-after-Free (potential remote RCE) in OpenSSL CVE-2016-6309
- Pre-auth crash (privsep) in OpenSSH Git commit
- AMD CPUs microcode privilege escalation (guest VM to host ring0) The Register • Debian
- Avast for Linux heap corruption TYA-410-45475
- Memory OOB read (remote DoS) in OpenSSL CVE-2015-1789 • OpenSSL sec-adv
- Adobe Flash memory corruption CVE-2015-0316
- Multiple RCE problems in IDA Pro HexRays
- Linux kernel local privilege escalation, plus an Oops CVE-2014-7826 • CVE-2014-7825
- Multiple flaws in the Linux kernel CVE-2011-2184 • CVE-2011-1593 • CVE-2011-2496
- Multiple bugs in the Freetype library CVE-2010-2497 • CVE-2010-2498 • CVE-2010-2499 • CVE-2010-2500 • CVE-2010-2519 • CVE-2010-2520 • CVE-2010-2527
- Universal XSS in Apple Safari 3.1 CVE-2008-1025 • Apple's advisory
- Universal XSS in Apple Safari 3.0.4 CVE-2008-1002 • Apple's advisory
- Linux kernel local privilege escalation exploit Bugtraq
- Konqueror 3.5 address bar spoofing CVE-2007-4224 • CVE-2007-4225 • Bugtraq • Bugtraq • Secunia
- Opera 9 data: URI address bar spoofing CVE-2007-3819 • Opera
- Konqueror 3.5 "data:" URI address bar spoofing CVE-2007-3820
- Apple Safari 3.0.2 beta for Windows IDN spoofing Bugtraq
- Apple Safari 3.0.1 beta for Windows URL bar spoofing CVE-2007-2398 • Bugtraq
- Apple Safari 3.0 beta for Windows arbitrary cookie leak CVE-2007-2391 • Bugtraq
- Linux kernel 2.6.20 DCCP Memory Disclosure Vulnerability CVE-2007-1734 • FrSIRT • Bugtraq