recent.news
2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! Exploit code for the demonstrations [...]
a good home must be made, not bought.

More 0day Disk Encryption Driver Bugs @SEC-T 2010!
Posted on: 2010-09-14
The slides from my recent (re-)presentation (with lots of extra bits) at SEC-T 2010 will soon be online! Exploit code for the demonstrations will (yet again) follow very soon!
recent.additions
- 2023-09-22 - NetIQ/Microfocus Performance Endpoint v5.1 - SIP Remote Denial of Service
  [ endpoint-sip-dos.c ]
- 2023-09-22 - NetIQ/Microfocus Performance Endpoint v5.1 - SIP Remote Heap Corruption
  [ endpoint-sip-heap.c ]
- 2023-07-27 - NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM
  [ endpoint-pown.c - endpoint-pown-uni.c ]
- 2021-04-23 - DblTek GoIP GSM Gateway backdoor remote root
  [ goip-pown-v3.c - SecurityWeek ]
- 2019-11-17 - ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-frag-dos.c - CVE-2016-10396 ]
- 2019-10-01 - IBM/Trusteer Rapport macOS - Local Kernel ring0 overflow
  [ rapport-smash.c - rapport-smash-v2.c - rapport-smash-v2.sh - Dark Reading - CVE-2018-1985 ]
- 2018-09-13 - WebRoot SecureAnywhere macOS - Local Kernel Pointer Overwrite
  [ securenowhere-write.c - ZDNet - The Register - CVE-2018-16962 ]
- 2018-07-27 - Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel ring0 Code Execution
  [ safeguard-pdisk-overflow.c - safeguard-pdisk-overflow-v2.c ]
- 2018-07-24 - Oracle Solaris <= 11.3 AVS Local Kernel ring0 Code Execution
  [ sdbc-testinit.c - sdbc-testinit-v2.c - ZDNet - The Register - ThreatPost - Oracle Critical Patch Update Advisory - July 2018 - CVE-2018-2892 ]
- 2018-07-23 - Silicon Graphics Inc (SGI) - IRIX - rpc.espd Remote File Read Vulnerability
  [ irix-espd.c ]
- 2015-04-13 - Apple Mac OS X < 10.9/10? Local Root Exploit
  [ osx-irony-assist.m - Rootpipe (Wiki) ]
- 2011-02-08 - DESLock+ <= 4.1.2 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn-v3.c ]
- 2011-01-07 - Silicon Graphics Inc (SGI) - IRIX - Local Kernel Memory Disclosure/Denial of Service
  [ irix-xlvattrget-dos.c ]
- 2010-09-16 - Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device 'unmount' Exploit
  [ safeguard-pdisk-unmount.c ]
- 2010-09-16 - Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device header 'overwrite' Exploit
  [ safeguard-pdisk-write-header.c ]
- 2010-09-14 - SEC-T 2010: "Vulnerabilities in Full/Virtual Disk Encryption Products"
  [ presentation (pdf) ]
- 2010-05-26 - SecurStar DriveCrypt <= 5.4 Local Kernel ring0 Code Execution
  [ drivecrypt-dcr.c - BID-45750 ]
- 2010-05-26 - SecurStar DriveCrypt <= 5.4 Local Kernel Arbitrary File Read/Write Exploit
  [ drivecrypt-fopen.c ]
- 2010-04-26 - NovaSTOR NovaNet <= 12.0 Remote Memory Read/Denial of Service
  [ novanet-read.c - BID-39693 ]
- 2010-04-26 - NovaSTOR NovaNet <= 12.0 Remote Code Execution
  [ novanet-own.c - novanet-own-lnx.c - CVE-2009-0849 - BID-39693 ]
- 2010-04-26 - NovaSTOR NovaNet/NovaBACKUP Network <= 13.0 Remote Denial of Service
  [ novanet-dos.c - BID-39693 ]
- 2010-01-15 - is SafeCentral actually unsafe?
  [ link ]
- 2010-01-15 - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel Denial of Service/ring0 Code Execution
  [ safecentral-unharden.c - BID-37939 ]
- 2010-01-15 - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel ring0 Code Execution
  [ safecentral-unharden-v2.c - BID-37939 ]
- 2009-12-22 - CRESTCon 2009: "[Win32] Full/Virtual Disk Encryption Vulnerabilities"
  [ presentation (pdf) ]
- 2009-10-02 - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Denial of Service
  [ vmware-pop.c - CVE-2009-3282 - BID-36579 ]
- 2009-10-02 - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Root Exploit
  [ vmware-fission.c - CVE-2009-3281 - BID-36578 ]
- 2009-08-10 - DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
  [ deslock-dlpcrypt-v2.c ]
- 2009-08-10 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn.c ]
- 2009-08-10 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
  [ deslock-vdlptokn-v2.c - CVE-2008-4362 ]
- 2009-06-23 - DESLock+ ownage
  [ link ]
- 2009-06-23 - B-Labs Bopup Communication Server <= 3.2.26.5460 Remote Buffer Overflow
  [ bopup-down.c - CVE-2009-2227 ]
- 2009-06-18 - DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
  [ deslock-dlpcrypt.c - CVE-2009-4832 - BID-35432 ]
- 2009-05-27 - The DESLock+ debacle
  [ link ]
- 2009-05-14 - Apple Mac OS X xnu <= 1228.x workqueue Index Validation Vulnerability
  [ xnu-workq-v2-64.c - iDEFENSE-797 - Apple Mac OS X Security Update 2009-002 - CVE-2008-1517 - BID-34959 ]
- 2009-05-13 - ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-isakmp-dos.c - CVE-2009-1574 - BID-34765 ]
- 2009-05-02 - Sun Solaris 10/OpenSolaris <= snv_113 dtrace Local Kernel Denial of Service
  [ solaris-dtrace-dos.c - CVE-2009-1478 - BID-34753 ]
- 2009-05-02 - Sun Solaris 10/OpenSolaris <= snv_113 fasttrap Local Kernel Denial of Service
  [ solaris-fasttrap-dos.c - CVE-2009-1478 - BID-34753 ]
- 2009-04-19 - CanSec 2009: "Bug classes we have found in *BSD, OS X and Solaris kernels"
  [ presentation (odp) - presentation (pdf) ]
- 2009-03-30 - Apple Mac OS X xnu <= 1228.x hfs-fcntl Local Kernel Root Exploit
  [ xnu-hfs-fcntl-v2.c - xnu-hfs-fcntl-v2.sh - CVE-2009-1235 - BID-34203 - informationweek.com - Heise-Security ]
- 2009-03-30 - Apple Mac OS X xnu <= 1228.x vfssysctl Local Kernel Denial of Service
  [ xnu-vfssysctl-dos.c - CVE-2009-1238 - BID-34202 - informationweek.com - Heise-Security ]
- 2009-03-30 - Apple Mac OS X xnu <= 1228.x profil Local Kernel Memory Leak/Denial of Service
  [ xnu-profil-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- 2009-03-30 - Apple Mac OS X xnu <= 1228.x macfsstat Local Kernel Memory Leak/Denial of Service
  [ xnu-macfsstat-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- 2009-03-30 - Apple Mac OS X xnu <= 1228.x appletalk zip-notify Remote Kernel Overflow
  [ xnu-appletalk-zip.c - CVE-2009-1236 - BID-34201 - informationweek.com - Heise-Security ]
- 2009-03-30 - FreeBSD >= 7.0 ktimer Local Kernel Root Exploit
  [ bsd-ktimer.c - CVE-2009-1041 - BID-34196 - Heise-Security ]
- 2009-02-26 - Apple Mac OS X xnu <= 1228.x get_ldt Local Kernel Memory Disclosure
  [ xnu-get_ldt.c - CVE-2008-4218 ]
- 2008-09-20 - DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
  [ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
- 2008-09-02 - Anytime Algorithms for ROBDD Symmetry Detection and Approximation
  [ thesis (pdf) ]
- 2008-07-26 - equivset - an implementation of the equivalence approximation algorithm for ROBDDs
  [ link ]
- 2008-06-17 - Bit-Precise Reasoning with Affine Functions
  [ paper (pdf) - link ]
- 2008-06-17 - Deterministic Network Enhancer dne2000.sys Driver Local Kernel ring0 Code Execution
  [ dne2000-call.c - CVE-2008-5121 - BID-29772 - CERT-858993 - Heise-Security ]
- 2008-02-26 - Apple Mac OS X xnu <= 1228.3.13 ipv6-ipcomp Remote Kernel Denial of Service
  [ xnu-ipv6-ipcomp.c - CVE-2008-0177 - BID-27642 - CERT-110947 - informationweek.com ]
- 2008-02-18 - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel ring0 Code Execution
  [ deslock-list-zero.c - deslock-list-zero-v2.c - CVE-2008-1138 - CVE-2008-1139 - BID-27862 ]
- 2008-02-18 - DESLock+ <= 3.2.6 DLMFDISK.sys Driver Local Kernel ring0 Code Execution
  [ deslock-pown-v2.c - CVE-2008-1140 - BID-27862 ]
- 2008-02-18 - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel Memory Leak
  [ deslock-list-leak.c - CVE-2008-1141 - BID-27862 ]
- 2008-01-29 - SafeNET IPSecDrv.sys Driver Local Kernel ring0 Code Execution
  [ safenet-ipsec-call.c - CVE-2008-0573 - BID-27496 ]
- 2008-01-14 - Cisco Systems VPN Client IPSec Driver Local Kernel System Pool Corruption
  [ cvpndrv-dos.c - CVE-2008-0324 - BID-27289 ]
- 2007-12-12 - Apple Mac OS X xnu <= 1228.0 cs_validate_page Local Kernel Denial of Service
  [ xnu-superblob-dos.c - CVE-2007-6359 - BID-26840 ]
- 2007-12-05 - Apple Mac OS X xnu <= 1228.0 load_threadstack Local Kernel Denial of Service
  [ xnu-macho-dos.c - CVE-2007-6261 - BID-26700 - Heise-Security ]
- 2007-12-05 - Apple Mac OS X <= 10.5.1 vpnd Remote Denial of Service
  [ vpnd-leopard-lb-dos.c - CVE-2007-6276 - BID-26699 - Heise-Security ]
- 2007-10-16 - eXtremail <= 2.1.1 Multiple Remote Vulnerabilities
  [ extremail-v3.pl - extremail-v4.c - extremail-v5.c - extremail-v6.c - extremail-v8.pl - CVE-2007-5466 - CVE-2007-5467 - BID-26074 ]
- 2007-09-25 - Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability
  [ iDEFENSE-600 - CVE-2007-4571 - BID-25807 ]
- 2007-09-22 - bind9, all sweetness and light?
  [ link - name.c-diff - dst_api.c-diff ]
- 2007-09-20 - How easy is it to break "random" passwords? Musings on several example algorithms
  [ link ]
- 2007-08-30 - An Anytime Algorithm for Generalized Symmetry Detection in ROBDDs
  [ paper (pdf) - link ]
- 2007-08-07 - Apple Mac OS X mDNSResponder HTTP Request Heap Overflow
  [ iDEFENSE-573 - Apple Mac OS X Security Update 2007-007 - CVE-2007-3744 - BID-25159 ]
- 2007-07-17 - tcpdump <= 3.9.6 BGP Remote Integer Overflow
  [ tcpdump-bgp.c - print-bgp.c-diff - CVE-2007-3798 - BID-24965 - Gentoo Bug #184815 - Heise-Security ]
- 2007-06-08 - SafeNET IPSecDrv.sys Remote ring0 Denial of Service
  [ safenet-dos.c - CVE-2007-3157 - BID-24385 ]
- 2007-04-27 - mydns 1.1.0 Remote Heap Overflow
  [ mydns-rr-smash.c - mydns-update.c-diff - CVE-2007-2362 - BID-23694 - Gentoo Bug #176130 ]
- 2007-04-20 - Synscan5 - the rewrite of the highly efficient asynchronous half-open TCP scanner
  [ link ]
- 2007-04-20 - eXtremail <= 2.1.1 Remote Buffer Overflow
  [ extremail-v9.c - CVE-2007-2187 - BID-23577 ]
- 2007-04-02 - 235-byte Raw-Socket ICMP/checksum Bindshell - (lnx/x86-32)
  [ icmp-chk.asm ]
- 2007-04-02 - 182-byte Raw-Socket ICMP Bindshell - (lnx/x86-32)
  [ icmp.asm ]
- 2007-04-01 - 19-byte search&jump Springboard - (lnx/x86-32)
  [ search.asm ]
- 2007-04-01 - 50-byte search&jump-signal Springboard - (lnx/x86-32)
  [ search-signal.asm ]
- 2007-03-31 - dproxy-nexgen Remote Buffer Overflow
  [ dproxy-v1.c - CVE-2007-1866 - BID-23243 ]
- 2007-03-20 - Mercur SP4 5.00.14 Remote Buffer Overflow
  [ mercur-v2.pl - CVE-2006-1255 - BID-17138 ]
- 2007-03-20 - Mercur SP4 5.00.14 Remote Buffer Overflow
  [ mercur-v1.pl - CVE-2007-1578 - BID-23058 ]
- 2007-03-07 - Mercury IMAPD 4.01/(a,b) Remote Buffer Overflow
  [ mercurypown-v1.pl - CVE-2007-1373 - SA24367 ]
- 2007-03-02 - MailEnable <= v2.37 Remote Buffer Overflow
  [ maildisable-v4.pl - mailenable_imap_append.pm - CVE-2007-1301 - BID-22792 ]
- 2007-02-16 - MailEnable <= v2.35 Remote Buffer Overflow
  [ maildisable-v6.pl - CVE-2006-6423 - SA23201 ]
- 2007-02-16 - MailEnable <= v2.34 Remote Buffer Overflow
  [ maildisable-v3.pl - SA23047 ]
- 2007-02-14 - MailEnable <= v2.36 Remote Denial of Service
  [ maildisable-v5.pl - CVE-2007-0955 - SA24139 ]
- 2007-02-14 - MailEnable <= v2.37 Remote Denial of Service
  [ maildisable-v7.pl - CVE-2007-0955 - SA24139 ]
- 2007-02-07 - AXIGEN <= v2.0.0b1 Remote Denial of Service
  [ doaxigen.c - CVE-2007-0886 - BID-22473 ]
- 2007-02-07 - AXIGEN <= v2.0.0b1 Remote Denial of Service
  [ doaxigen-v2.c - CVE-2007-0887 - BID-22473 ]
- 2006-08-10 - Proof of New Decompositional Results for Generalized Symmetries
  [ paper (ps) ]
- 2006-03-20 - Widening ROBDDs with Prime Implicants
  [ paper (ps) - paper (pdf) - presentation (pdf) - link ]
- 2006-02-16 - Proof of New Implicational Relationships between Generalized Symmetries
  [ paper (ps) ]
- 2006-01-30 - An Anytime Symmetry Detection Algorithm for ROBDDs
  [ paper (ps) - paper (pdf) - presentation (pdf) - link ]