Below is a summary of research I’ve published over the years.
As a long-time Linux user, my first public vulnerabilities were in various Linux userland programs. Initially my focus was on logic flaws in setuid-root applications, especially race conditions. Occasionally I turned to naive fuzzing and uncovered a few interesting memory corruption vulnerabilities as well.
I am the author of the fuzzdiff tool, a simple tool for fuzz case minimization.
| Software | CVE | Description |
|---|---|---|
| ecryptfs | CVE-2011-1834 | Denial of service (mtab corruption) |
| ecryptfs | CVE-2011-1833 | Race condition allowing information disclosure |
| ecryptfs | CVE-2011-1832 | Race condition allowing denial of service |
| ecryptfs | CVE-2011-1831 | Race condition allowing local privilege escalation (exploit) |
| AX25d | CVE-2011-2910 | Missing setuid check allowing remote root |
| VMWare (vmware-user-suid-helper) | CVE-2011-2145 | Privilege escalation |
| VMWare (mount.vmhgfs) | CVE-2011-1787 | Privilege escalation |
| VMWare (mount.vmhgfs) | CVE-2011-2146 | Information disclosure |
| Google Chrome (Linux sandbox) | CVE-2011-1444 | Race condition potentially allowing privilege escalation |
| open-vm-tools (vmware-hgfsmounter) | CVE-2011-1681 | Denial of service (mtab corruption) |
| ncpfs (ncpmount) | CVE-2011-1680 | Denial of service (stale mtab lockfile) |
| ncpfs (ncpmount, ncpumount) | CVE-2011-1679 | Denial of service (mtab corruption) |
| Samba (mount.cifs, umount.cifs) | CVE-2011-1678 | Denial of service (mtab corruption) |
| util-linux (mount) | CVE-2011-1677 | Denial of service (stale mtab lockfile) |
| util-linux (mount) | CVE-2011-1675 | Denial of service (mtab corruption) |
| glibc (addmntent) | CVE-2011-1089 | Denial of service (mtab corruption) |
| FFmpeg | CVE-2011-0723 | Stack overflow allowing arbitrary code execution |
| FFmpeg | CVE-2011-0722 | Heap corruption allowing arbitrary code execution |
| FFmpeg | CVE-2010-3908 | Heap corruption allowing arbitrary code execution |
| VLC | CVE-2011-0531 | Memory corruption allowing arbitrary code execution (exploit) |
| OpenOffice.org | CVE-2010-3451 | Use-after-free allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3453 | Out-of-bounds write allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3454 | Out-of-bounds write allowing arbitrary code execution |
| OpenOffice.org | CVE-2010-3452 | Use-after-free allowing arbitrary code execution |
| xpdf | CVE-2011-4654 | Integer overflow leading to a waste of time |
| xpdf | CVE-2011-4653 | Memory corruption allowing arbitrary code execution |
| VLC | CVE-2011-0021 | Heap corruption allowing arbitrary code execution |
| Pango | CVE-2011-0020 | Heap corruption allowing arbitrary code execution |
| VLC | CVE-2010-3907 | Out-of-bounds read allowing arbitrary code execution |
| VMWare | CVE-2010-4295 | Multiple race conditions allowing file overwrite or directory creation |
| Google Chrome | CVE-2010-4039 | Insecure shared library loading |
| ettercap-gtk | CVE-2010-3844 | Stack buffer overflow |
| ettercap-gtk | CVE-2010-3843 | Insecure temporary file usage |
| glibc (FORTIFY_SOURCE) | CVE-2010-3192 | Information disclosure |
| Apache CouchDB (Debian/Ubuntu) | CVE-2010-2953 | Insecure shared library loading |
| Lynx | CVE-2010-2810 | Heap overflow leading to arbitrary code execution |
| LibTIFF | CVE-2010-2067 | Stack overflow allowing arbitrary code execution |
| LibTIFF | CVE-2010-2481 | Out-of-bounds read allowing denial of service |
| pmount | CVE-2010-2192 | Symlink attack allowing unauthorized file creation/deletion |
| fastjar | CVE-2010-2322 | Absolute path traversal allowing arbitrary file overwrite |
| fastjar | CVE-2010-0831 | Directory traversal allowing arbitrary file overwrite |
| Exim | CVE-2010-2024 | Race condition allowing unauthorized file creation and file permission changes |
| Exim | CVE-2010-2023 | Hard-link attack allowing arbitrary non-root file overwrite |
| Ghostscript | CVE-2010-1628 | Memory corruption allowing arbitrary code execution |
| Ghostscript | CVE-2010-1869 | Stack overflow allowing arbitrary code execution |
| GNUstep (gdomap) | CVE-2010-1620 | Integer overflow allowing heap corruption |
| GNUstep (gdomap) | CVE-2010-1457 | Information disclosure |
| glibc (encode_name) | CVE-2010-0296 | Improper input sanitization |
| glibc (ld.so) | CVE-2010-0830 | Integer overflow allowing arbitrary code execution |
| dvipng | CVE-2010-0829 | Buffer overflow allowing arbitrary code execution |
| TeX Live (dvips) | CVE-2010-0827 | Integer overflow allowing arbitrary code execution |
| GNU nano | CVE-2010-1161 | Race condition allowing privilege escalation |
| GNU nano | CVE-2010-1160 | Race condition allowing arbitrary file overwrite |
| Emacs (movemail) | CVE-2010-0825 | Race condition allowing information disclosure |
| Deliver | CVE-2010-1123 | Insecure lockfile creation allowing denial of service |
| Deliver | CVE-2010-0439 | Race condition allowing privilege escalation, information disclosure, or denial of service |
| PolicyKit (pkexec) | CVE-2010-0750 | Information disclosure |
| PulseAudio | CVE-2009-1299 | Insecure temporary file creation allowing denial of service or information disclosure |
| ncpfs (ncpmount, ncpumount, ncplogin) | CVE-2010-0791 | Insecure lockfile allowing denial of service |
| ncpfs (ncpumount) | CVE-2010-0790 | Information disclosure |
| ncpfs (ncpmount, ncpumount, ncplogin) | CVE-2010-0788 | Race condition allowing privilege escalation |
| fcron (fcrontab) | CVE-2010-0792 | Race condition allowing information disclosure |
| vixie-cron, cronie (crontab) | CVE-2010-0424 | Race condition allowing denial of service |
| Samba (mount.cifs) | CVE-2010-0547 | Improper input validation allowing corruption of mountpoint options |
| FUSE (fusermount) | CVE-2010-0789 | Race condition allowing denial of service |
| LXR Cross Referencer | CVE-2010-1625 | Cross-site scripting |
| LXR Cross Referencer | CVE-2010-1448 | Cross-site scripting |
| LXR Cross Referencer | CVE-2009-4497 | Cross-site scripting |
| Transmission BitTorrent Client | CVE-2010-0012 | Directory traversal allowing arbitrary file overwrite |
In addition to publishing many vulnerabilities and exploitation techniques, I have contributed to efforts to harden the Linux kernel as the original author of the dmesg_restrict and kptr_restrict kernel features (both based on ideas and code from grsecurity).
Jon Oberheide and I gave a presentation on exploitation techniques against Linux kernels hardened with the grsecurity patchset. By leveraging the leakage of uninitialized stack data in conjunction with an existing arbitrary kernel write vulnerability, we demonstrated two techniques that could be used to escalate privileges. This presentation was the first public discussion of leveraging leakage of uninitialized kernel stack data as a practical exploitation technique, as well as the first public use of the addr_limit technique to achieve a robust kernel read/write primitive.
After studying every public example of remote kernel exploitation, I developed a fully working exploit for a remote kernel stack overflow in the Linux kernel’s implementation of the ROSE amateur radio protocol. The exploit installs a kernel backdoor on the victim host, allowing the attacker to send and trigger arbitrary userland payloads at will. The exploit targets 32-bit PAE kernels, requiring the use of return-oriented programming (ROP) in kernel mode.
The Linux kernel’s SLOB allocator is primarily used on embedded systems. I developed a series of new attacks against SLOB that may be used to exploit progressively more constrained vulnerabilities, ranging from an arbitrary heap overflow to an off-by-one NULL byte. I also released libplayground, a simple framework I used to develop and test these techniques.
| Software | CVE | Description |
|---|---|---|
| Linux kernel (xtensa) | CVE-2011-2707 | Arbitrary kernel read |
| Linux kernel (INET_DIAG) | CVE-2011-2213 | Infinite loop leading to denial of service (exploit) |
| Linux kernel (DEC Alpha) | CVE-2011-2211 | Arbitrary write allowing privilege escalation (exploit) |
| Linux kernel (DEC Alpha) | CVE-2011-2210 | Kernel memory disclosure |
| Linux kernel (DEC Alpha) | CVE-2011-2209 | Kernel memory disclosure |
| Linux kernel (DEC Alpha) | CVE-2011-2208 | Kernel memory disclosure |
| Linux kernel (dccp) | CVE-2011-1770 | Remote out-of-bounds read |
| Linux kernel (ARM OABI) | CVE-2011-1759 | Heap overflow allowing privilege escalation |
| Linux kernel (mpt2sas) | CVE-2011-1495 | Arbitrary kernel memory read |
| Linux kernel (mpt2sas) | CVE-2011-1494 | Heap overflow allowing privilege escalation |
| Linux kernel (ROSE) | CVE-2011-1493 | Remote heap overflow allowing arbitrary code execution |
| Linux kernel (OSS) | CVE-2011-1477 | Out-of-bounds write allowing privilege escalation |
| Linux kernel (OSS) | CVE-2011-1476 | Integer underflow leading to memory corruption |
| Linux kernel (IrDA) | CVE-2011-1180 | Remote stack overflow allowing arbitrary code execution |
| Linux kernel (AudioScience HPI) | CVE-2011-1169 | Heap corruption allowing privilege escalation |
| Linux kernel (XFS) | CVE-2011-0711 | Kernel stack memory disclosure |
| Linux kernel (btrfs) | CVE-2011-0699 | Heap overflow allowing privilege escalation |
| Linux kernel (OSS) | CVE-2010-4527 | Heap buffer overflow allowing privilege escalation |
| Linux kernel (IrDA) | CVE-2010-4529 | Heap memory disclosure |
| Linux kernel (RDS) | CVE-2010-4175 | Heap corruption |
| Linux kernel (X.25) | CVE-2010-4164 | Remote denial of service |
| Linux kernel (block layer) | CVE-2010-4163 | Denial of service |
| Linux kernel (block layer) | CVE-2010-4162 | Denial of service |
| Linux kernel (L2TP) | CVE-2010-4160 | Heap corruption |
| Linux kernel (socket filters) | CVE-2010-4161 | Deadlock leading to denial of service |
| Linux kernel (socket filters) | CVE-2010-4158 | Kernel stack memory disclosure (exploit) |
| Linux kernel (CAN) | CVE-2010-4565 | Information disclosure |
| Linux kernel (CAN) | CVE-2010-3874 | Heap overflow allowing absolutely nothing |
| Linux kernel (X.25) | CVE-2010-3873 | Remote heap overflow allowing denial of service |
| Linux kernel (TIPC) | CVE-2010-3859 | Heap overflow allowing privilege escalation |
| Linux kernel (RDS) | CVE-2010-3904 | Arbitrary kernel memory write allowing privilege escalation (exploit) |
| Linux kernel (SCTP) | CVE-2010-3705 | Memory corruption (remote) |
| Linux kernel (sound/core) | CVE-2010-3442 | Kernel heap corruption |
| Linux kernel (pktcdvd) | CVE-2010-3437 | Arbitrary kernel memory read or denial-of-service |
| Linux kernel (ROSE) | CVE-2010-3310 | Kernel heap corruption |
| Linux kernel (ipc semctl) | CVE-2010-4083 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/via/ioctl.c) | CVE-2010-4082 | Kernel stack memory disclosure |
| Linux kernel (sound/pci/rme9652/hdspm.c) | CVE-2010-4081 | Kernel stack memory disclosure |
| Linux kernel (sound/pci/rme9652/hdsp.c) | CVE-2010-4080 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/ivtv/ivtvfb.c) | CVE-2010-4079 | Kernel stack memory disclosure |
| Linux kernel (drivers/video/sis/sis_main.c) | CVE-2010-4078 | Kernel stack memory disclosure |
| Linux kernel (drivers/char/nozomi.c) | CVE-2010-4077 | Kernel stack memory disclosure |
| Linux kernel (drivers/char/amiserial.c) | CVE-2010-4076 | Kernel stack memory disclosure |
| Linux kernel (drivers/serial/serial_core.c) | CVE-2010-4075 | Kernel stack memory disclosure |
| Linux kernel (drivers/usb/serial/mos*.c) | CVE-2010-4074 | Kernel stack memory disclosure |
| Linux kernel (ipc compat) | CVE-2010-4073 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/usb) | CVE-2010-3298 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/eql) | CVE-2010-3297 | Kernel stack memory disclosure |
| Linux kernel (drivers/net/cxgb3) | CVE-2010-3296 | Kernel stack memory disclosure |
| Linux kernel (XFS) | CVE-2010-3078 | Kernel stack memory disclosure |
| Linux kernel (btrfs) | CVE-2010-2538 | Integer overflow leading to information disclosure |
| Linux kernel (btrfs) | CVE-2010-2537 | Insufficient permissions checking |
| Linux kernel (GFS2) | CVE-2010-2525 | Insufficient permissions checking allowing privilege escalation |
| Linux kernel (XFS) | CVE-2010-2226 | Insufficient permissions checking |
| Linux kernel (ext4) | CVE-2010-2066 | Insufficient permissions checking |
| Linux kernel (GFS2) | CVE-2010-1641 | Insufficient permissions checking |
| Linux kernel (btrfs) | CVE-2010-1636 | Information disclosure |
In addition to discovering these vulnerabilities, I occasionally write exploits for bugs discovered by other researchers, such as full-nelson.c for CVE-2010-3849, CVE-2010-3850, and CVE-2010-4258, or for fun bugs with low security impact, such as caps-to-root.c.
I published the first root exploits for a number of Android phones:
These exploits were all based on a class of vulnerabilities in which symlinks or other filesystem tricks cause privileged processes to mistakenly change the ownership, contents, or permissions of files or directories, which can lead to privilege escalation.
I spoke about the security implications of rooting/modding:
I published an exploit for the Logitech Revue Google TV as part of a group:
In April 2013, I published motochopper, an exploit for the previously undiscovered CVE-2013-2596 that achieved root access on essentially every Qualcomm and Tegra Android device on the market.
In December 2011, the Internet and news media exploded over the discovery of Carrier IQ, a software framework integrated into millions of Android phones to gather analytics and performance data on behalf of carriers. I conducted an independent analysis of this software (blog), and was subsequently interviewed by and cited in major news publications around the world. I also developed a tool to unpack compressed Carrier IQ profiles (blog).
In April 2013, I published motopocalypse (blog), an exploit for permanently unlocking the bootloader on Qualcomm-based Motorola devices by leveraging a design flaw in the implementation of bootloader locking.
In May 2013, I published loki (code, blog), a set of tools for installing unsigned kernels and recovery partitions to a wide range of Samsung and LG devices. Loki leveraged a previously undisclosed vulnerability in aboot, the bootloader responsible for loading the Linux kernel.
In August 2014, I published details of a vulnerability and exploit for QSEE, the implementation of TrustZone on Qualcomm devices, and demonstrated using this vulnerability to unlock the bootloader of the Motorola Droid X:
I occasionally poke around on other kernels or random targets including SCADA software, media players, or SOHO devices.
| Software | CVE | Description |
|---|---|---|
| RealNetworks RealPlayer | CVE-2012-0926 | Memory corruption leading to code execution |
| RealNetworks RealPlayer | CVE-2012-0925 | Memory corruption leading to code execution |
| FreeBSD and NetBSD kernels (802.11) | CVE-2011-2480 | Information disclosure |
| Ecava IntegraXor | CVE-2011-1562 | Authentication failure allowing remote code execution |
| Apple Mac OS X XNU kernel | CVE-2011-0180 | Information disclosure (exploit) |
| FreeBSD and Apple OS X crontab | CVE-2011-1075 | Information disclosure |
| FreeBSD and Apple OS X crontab | CVE-2011-1074 | Information disclosure |
| FreeBSD and Apple OS X crontab | CVE-2011-1073 | Information disclosure |
| FreeBSD and NetBSD kernels (Coda) | CVE-2010-3014 | Information disclosure |
| Apple Mac OS X XNU kernel (WebDAV kernel extension) | CVE-2010-1794 | Memory overallocation leading to denial of service |
| FreeBSD, NetBSD, and Apple Mac OS X XNU kernels (NetSMB kernel module) | CVE-2010-2530 | Memory overallocation leading to denial of service |
| Cisco DPC2100 Cable Modem | CVE-2010-2082 | Insecure default password |
| Cisco DPC2100 Cable Modem | CVE-2010-2026 | Insufficient authentication |
| Cisco DPC2100 Cable Modem | CVE-2010-2025 | Cross-site request forgery |