It's Bugs All the Way Down

Security Research by Dan Rosenberg

In addition to my work at Azimuth Security, I find vulnerabilities in third-party software. Here are some vulnerabilities I have published:

| Software | CVE | Description |
|---|---|---|
| ecryptfs | CVE-2011-1834 | Denial of service (mtab corruption) |
| ecryptfs | CVE-2011-1833 | Race condition allowing information disclosure |
| ecryptfs | CVE-2011-1832 | Race condition allowing denial of service |
| ecryptfs | CVE-2011-1831 | Race condition allowing local privilege escalation |
| AX25d | CVE-2011-2910 | Missing setuid check allowing remote root |
| Linux kernel (xtensa) | CVE-2011-2707 | Arbitrary kernel read |
| FreeBSD and NetBSD kernels (802.11) | CVE-2011-2480 | Information disclosure |
| Linux kernel (INET_DIAG) | CVE-2011-2213 | Infinite loop leading to denial of service |
| Linux kernel (DEC Alpha) | CVE-2011-2211 | Arbitrary write allowing privilege escalation |
| Linux kernel (DEC Alpha) | CVE-2011-2210 | Kernel memory disclosure |
| Linux kernel (DEC Alpha) | CVE-2011-2209 | Kernel memory disclosure |
| Linux kernel (DEC Alpha) | CVE-2011-2208 | Kernel memory disclosure |
| VMware (vmware-user-suid-helper) | CVE-2011-2145 | Privilege escalation |
| VMware (mount.vmhgfs) | CVE-2011-1787 | Privilege escalation |
| VMware (mount.vmhgfs) | CVE-2011-2146 | Information disclosure |
| Linux kernel (dccp) | CVE-2011-1770 | Remote out-of-bounds read |
| Linux kernel (ARM OABI) | CVE-2011-1759 | Heap overflow allowing privilege escalation |
| Google Chrome (Linux sandbox) | CVE-2011-1444 | Race condition potentially allowing privilege escalation |
| Linux kernel (mpt2sas) | CVE-2011-1495 | Arbitrary kernel memory read |
| Linux kernel (mpt2sas) | CVE-2011-1494 | Heap overflow allowing privilege escalation |
| Linux kernel (ROSE) | CVE-2011-1493 | Remote heap overflow allowing arbitrary code execution |
| Linux kernel (OSS) | CVE-2011-1477 | Out-of-bounds write allowing privilege escalation |
| Linux kernel (OSS) | CVE-2011-1476 | Integer underflow leading to memory corruption |
| Ecava IntegraXor | CVE-2011-1562 | Authentication failure allowing remote code execution |
| Linux kernel (IrDA) | CVE-2011-1180 | Remote stack overflow allowing arbitrary code execution |
| Apple Mac OS X XNU kernel | CVE-2011-0180 | Information disclosure |
| Linux kernel (AudioScience HPI) | CVE-2011-1169 | Heap corruption allowing privilege escalation |
| open-vm-tools (vmware-hgfsmounter) | CVE-2011-1681 | Denial of service (mtab corruption) |
| ncpfs (ncpmount) | CVE-2011-1680 | Denial of service (stale mtab lockfile) |
| ncpfs (ncpmount, ncpumount) | CVE-2011-1679 | Denial of service (mtab corruption) |
| Samba (mount.cifs, umount.cifs) | CVE-2011-1678 | Denial of service (mtab corruption) |
| util-linux (mount) | CVE-2011-1677 | Denial of service (stale mtab lockfile) |
| util-linux (mount) | CVE-2011-1675 | Denial of service (mtab corruption) |
| glibc (addmntent) | CVE-2011-1089 | Denial of service (mtab corruption) |
| FreeBSD and Apple OS X crontab | CVE-2011-1075 | Information disclosure |
| FreeBSD and Apple OS X crontab | CVE-2011-1074 | Information disclosure |
| FreeBSD and Apple OS X crontab | CVE-2011-1073 | Information disclosure |
| Linux kernel (XFS) | CVE-2011-0711 | Kernel stack memory disclosure |
| Linux kernel (btrfs) | CVE-2011-0699 | Heap overflow allowing privilege escalation |
| FFmpeg | CVE-2011-0723 | Stack overflow allowing arbitrary code execution |
| FFmpeg | CVE-2011-0722 | Heap corruption allowing arbitrary code execution |
| FFmpeg | CVE-2010-3908 | Heap corruption allowing arbitrary code execution |
| VLC | CVE-2011-0531 | Memory corruption allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3451 | Use-after-free allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3453 | Out-of-bounds write allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3454 | Out-of-bounds write allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3452 | Use-after-free allowing arbitrary code execution |
| xpdf | CVE-2011-4654 | Integer overflow leading to a waste of time |
| xpdf | CVE-2011-4653 | Memory corruption allowing arbitrary code execution |
| VLC | CVE-2011-0021 | Heap corruption allowing arbitrary code execution |
| Pango | CVE-2011-0020 | Heap corruption allowing arbitrary code execution |
| VLC | CVE-2010-3907 | Out-of-bounds read allowing arbitrary code execution |
| Linux kernel (OSS) | CVE-2010-4527 | Heap buffer overflow allowing privilege escalation |
| Linux kernel (IrDA) | CVE-2010-4529 | Heap memory disclosure |
| VMware | CVE-2010-4295 | Multiple race conditions allowing file overwrite or directory creation |
| Linux kernel (RDS) | CVE-2010-4175 | Heap corruption |
| Linux kernel (X.25) | CVE-2010-4164 | Remote denial of service |
| Linux kernel (block layer) | CVE-2010-4163 | Denial of service |
| Linux kernel (block layer) | CVE-2010-4162 | Denial of service |
| Linux kernel (L2TP) | CVE-2010-4160 | Heap corruption |
| Linux kernel (socket filters) | CVE-2010-4161 | Deadlock leading to denial of service |
| Linux kernel (socket filters) | CVE-2010-4158 | Kernel stack memory disclosure |
| Linux kernel (CAN) | CVE-2010-4565 | Information disclosure |
| Linux kernel (CAN) | CVE-2010-3874 | Heap overflow allowing absolutely nothing |
| Linux kernel (X.25) | CVE-2010-3873 | Remote heap overflow allowing denial of service |
| Linux kernel (TIPC) | CVE-2010-3859 | Heap overflow allowing privilege escalation |
| Linux kernel (RDS) | CVE-2010-3904 | Arbitrary kernel memory write allowing privilege escalation |
| Google Chrome | CVE-2010-4039 | Insecure shared library loading |
| ettercap-gtk | CVE-2010-3844 | Stack buffer overflow |
| ettercap-gtk | CVE-2010-3843 | Insecure temporary file usage |
| Linux kernel (SCTP) | CVE-2010-3705 | Memory corruption (remote) |
| Linux kernel (sound/core) | CVE-2010-3442 | Kernel heap corruption |
| Linux kernel (pktcdvd) | CVE-2010-3437 | Arbitrary kernel memory read or denial of service |
| Linux kernel (ROSE) | CVE-2010-3310 | Kernel heap corruption |
| Linux kernel (ipc semctl) | CVE-2010-4083 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/via/ioctl.c) | CVE-2010-4082 | Kernel stack memory disclosure |
| Linux kernel (sound/pci/rme9652/hdspm.c) | CVE-2010-4081 | Kernel stack memory disclosure |
| Linux kernel (sound/pci/rme9652/hdsp.c) | CVE-2010-4080 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/ivtv/ivtvfb.c) | CVE-2010-4079 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/sis/sis_main.c) | CVE-2010-4078 | Kernel stack memory disclosure |
| Linux kernel (drivers/char/nozomi.c) | CVE-2010-4077 | Kernel stack memory disclosure |
| Linux kernel (drivers/char/amiserial.c) | CVE-2010-4076 | Kernel stack memory disclosure |
| Linux kernel (drivers/serial/serial_core.c) | CVE-2010-4075 | Kernel stack memory disclosure |
| Linux kernel (drivers/usb/serial/mos*.c) | CVE-2010-4074 | Kernel stack memory disclosure |
| Linux kernel (ipc compat) | CVE-2010-4073 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/usb) | CVE-2010-3298 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/eql) | CVE-2010-3297 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/cxgb3) | CVE-2010-3296 | Kernel stack memory disclosure |
| Linux kernel (XFS) | CVE-2010-3078 | Kernel stack memory disclosure |
| glibc (FORTIFY_SOURCE) | CVE-2010-3192 | Information disclosure |
| Apache CouchDB (Debian/Ubuntu) | CVE-2010-2953 | Insecure shared library loading |
| FreeBSD and NetBSD kernels (Coda) | CVE-2010-3014 | Information disclosure |
| Lynx | CVE-2010-2810 | Heap overflow leading to arbitrary code execution |
| Apple Mac OS X XNU kernel (WebDAV kernel extension) | CVE-2010-1794 | Memory overallocation leading to denial of service |
| Linux kernel (btrfs) | CVE-2010-2538 | Integer overflow leading to information disclosure |
| Linux kernel (btrfs) | CVE-2010-2537 | Insufficient permissions checking |
| FreeBSD, NetBSD, and Apple Mac OS X XNU kernels (NetSMB kernel module) | CVE-2010-2530 | Memory overallocation leading to denial of service |
| Linux kernel (GFS2) | CVE-2010-2525 | Insufficient permissions checking allowing privilege escalation |
| LibTIFF | CVE-2010-2067 | Stack overflow allowing arbitrary code execution |
| LibTIFF | CVE-2010-2481 | Out-of-bounds read allowing denial of service |
| pmount | CVE-2010-2192 | Symlink attack allowing unauthorized file creation/deletion |
| Linux kernel (XFS) | CVE-2010-2226 | Insufficient permissions checking |
| Linux kernel (ext4) | CVE-2010-2066 | Insufficient permissions checking |
| fastjar | CVE-2010-2322 | Absolute path traversal allowing arbitrary file overwrite |
| fastjar | CVE-2010-0831 | Directory traversal allowing arbitrary file overwrite |
| Exim | CVE-2010-2024 | Race condition allowing unauthorized file creation and file permission changes |
| Exim | CVE-2010-2023 | Hard-link attack allowing arbitrary non-root file overwrite |
| Linux kernel (GFS2) | CVE-2010-1641 | Insufficient permissions checking |
| Cisco DPC2100 Cable Modem | CVE-2010-2082 | Insecure default password |
| Cisco DPC2100 Cable Modem | CVE-2010-2026 | Insufficient authentication |
| Cisco DPC2100 Cable Modem | CVE-2010-2025 | Cross-site request forgery |
| Linux kernel (btrfs) | CVE-2010-1636 | Information disclosure |
| Ghostscript | CVE-2010-1628 | Memory corruption allowing arbitrary code execution |
| Ghostscript | CVE-2010-1869 | Stack overflow allowing arbitrary code execution |
| GNUstep (gdomap) | CVE-2010-1620 | Integer overflow allowing heap corruption |
| GNUstep (gdomap) | CVE-2010-1457 | Information disclosure |
| glibc (encode_name) | CVE-2010-0296 | Improper input sanitization |
| glibc (ld.so) | CVE-2010-0830 | Integer overflow allowing arbitrary code execution |
| dvipng | CVE-2010-0829 | Buffer overflow allowing arbitrary code execution |
| TeX Live (dvips) | CVE-2010-0827 | Integer overflow allowing arbitrary code execution |
| GNU nano | CVE-2010-1161 | Race condition allowing privilege escalation |
| GNU nano | CVE-2010-1160 | Race condition allowing arbitrary file overwrite |
| Emacs (movemail) | CVE-2010-0825 | Race condition allowing information disclosure |
| Deliver | CVE-2010-1123 | Insecure lockfile creation allowing denial of service |
| Deliver | CVE-2010-0439 | Race condition allowing privilege escalation, information disclosure, or denial of service |
| PolicyKit (pkexec) | CVE-2010-0750 | Information disclosure |
| PulseAudio | CVE-2009-1299 | Insecure temporary file creation allowing denial of service or information disclosure |
| ncpfs (ncpmount, ncpumount, ncplogin) | CVE-2010-0791 | Insecure lockfile allowing denial of service |
| ncpfs (ncpumount) | CVE-2010-0790 | Information disclosure |
| ncpfs (ncpmount, ncpumount, ncplogin) | CVE-2010-0788 | Race condition allowing privilege escalation |
| fcron (fcrontab) | CVE-2010-0792 | Race condition allowing information disclosure |
| vixie-cron, cronie (crontab) | CVE-2010-0424 | Race condition allowing denial of service |
| Samba (mount.cifs) | CVE-2010-0547 | Improper input validation allowing corruption of mountpoint options |
| FUSE (fusermount) | CVE-2010-0789 | Race condition allowing denial of service |
| LXR Cross Referencer | CVE-2010-1625 | Cross-site scripting |
| LXR Cross Referencer | CVE-2010-1448 | Cross-site scripting |
| LXR Cross Referencer | CVE-2009-4497 | Cross-site scripting |
| Transmission BitTorrent Client | CVE-2010-0012 | Directory traversal allowing arbitrary file overwrite |