Over the past two decades I have discovered, analysed, and coordinated the responsible disclosure of a large number of software and protocol vulnerabilities, spanning web browsers, antivirus and security products, enterprise appliances, and core internet protocols. The below is my documentation of that :
Contents
Heavy Hitters - Remote Code Execution and Protocol-Level Flaws
| Year | Vendor / Product | Vulnerability | Type | Severity | CVE / BID | Advisory |
|---|---|---|---|---|---|---|
| 2009 | Apple - WebKit (Safari < 4.0 desktop, iPhone OS 1.0-2.2.1, iPod touch 1.1-2.2.1) | Uninitialised pointer in CSS attr() handling with large numeric argument (reported 26 Mar 2009, coordinated release 8 Jun 2009). Two paired advisories: iPhone (HT3639) and desktop Safari 4.0 (HT3613) |
Remote code execution | Critical | CVE-2009-1698 BID35318 GSEC-TZO-45-2009 |
g-sec.lu, ZDI |
| 2008 | Microsoft - Internet Explorer 5.01 SP4 / 6 / 7 | HTML Objects Memory Corruption (uninitialised memory access) | Remote code execution | Critical (MS08-058) | CVE-2008-3476 BID31618 |
MS08-058 (Microsoft), SecurityFocus BID31618 |
| 2009 | Sun / Oracle - Java VM (JVM 6 Update 1 & 2) | Java Virtual Machine memory-corruption flaw | Remote code execution | High | BID34667 TZO-12-2009 |
blog.zoller.lu |
| 2007 | Citrix - SSL-VPN (Access Gateway) | Pre-authentication remote code execution / information disclosure | Remote code execution (pre-auth) | High | CVE-2006-6573 | kb.cert.org |
| 2006 | F-Secure - Anti-Virus (ZIP / RAR engine) | Archive-parser flaw enabling code execution | Remote code execution | Highly critical | CVE-2006-0338 | f-secure.com |
| 2009 | CA (Computer Associates) - Anti-Virus Engine, arclib component | Malformed RAR archive causes heap corruption, allowing remote code execution | Remote code execution (heap corruption) | Medium | CVE-2009-3587 BID36653 |
broadcom.com |
| 2009 | CA (Computer Associates) - Anti-Virus Engine, arclib component | Malformed RAR archive causes stack corruption (DoS) | Stack corruption / DoS | Medium | CVE-2009-3588 | broadcom.com |
| 2009 | Cross-platform - IE 5-8, Firefox, Safari, Opera, Chrome, Konqueror, SeaMonkey, Netscape; iPhone/iPod, Android G1, BlackBerry, Nokia, Siemens, Nintendo Wii, Sony PS3 | "One bug to rule them all" - single select.length call with a large integer exhausts memory across nearly every JavaScript-capable browser/device |
Denial of service (memory exhaustion; null-ptr deref to OS reboot) | Cross-platform | CVE-2009-1692 (Apple/WebKit) CVE-2009-2537 (Konqueror) CVE-2009-2538 (Nokia/Symbian) CVE-2009-2539 (Microsoft IE 5-8) CVE-2009-2540 (Opera) GSEC-TZO-44-2009 |
g-sec.lu |
| 2009 | Microsoft - IIS 5.1 / 6.0 WebDAV | Remote authentication bypass via unicode/path handling (discovered and publicly disclosed by Nikolaos Rangos; my contribution was the independent technical analysis and detection tooling, cited by US-CERT TA09-160A and the Nmap http-iis-webdav-vuln script) |
Authentication bypass (analysis / tooling) | High | CVE-2009-1535 | blog.zoller.lu |
| 2009 | TLS / SSLv3 protocol (all implementations) | Renegotiation plaintext-injection (protocol design flaw) - canonical practitioner whitepaper + PoC | Man-in-the-middle / plaintext injection | High (industry-wide) | CVE-2009-3555 | Whitepaper (g-sec.lu) |
| 2010 | VMware - Workstation 7.0 (< 7.0.1 build 227600) / Player 3.0 (< 3.0.1 build 227600), Windows | USB service loads a Trojan executable from an unspecified host path | Local privilege escalation | Medium (CVSS 2.0: 6.9) | CVE-2010-1140 BID39397 |
VMSA-2010-0007 |
| 2008 | JSCAPE - Secure FTP Applet / SSH (<= 4.8.0; fixed 4.9.0) | SSH host key not verified or displayed on connect, enabling man-in-the-middle (login/password/data extraction); reported 2006, released 2008 | Man-in-the-middle | High (CVSS 2.0: 7.5) | CVE-2008-5124 BID29882 |
SecurityFocus |
| 2013 | WatchGuard - XTM / XTMv (Fireware <= 11.7.4) | Stack buffer overflow in WGagent parsing oversized cookie sessionid on web mgmt interface (TCP/8080); unauthenticated RCE |
Remote code execution (pre-auth) | Critical (CVSS 2.0: 9.3) | CVE-2013-6021 | kb.cert.org |
| 2013 | WatchGuard - WSM / Fireware (< 11.8) WebCenter | Multiple reflected cross-site scripting in WebCenter management UI | Cross-site scripting | Medium | CVE-2013-6022 | kb.cert.org |
| 2013 | Symantec - Endpoint Protection Manager (SEPM 12.1.x < 12.1.3) / Protection Center (SPC 12.0.x SBE) | Buffer overflow in secars.dll management console; unauthenticated remote code execution |
Remote code execution (pre-auth) | High | CVE-2013-1612 BID60542 |
Symantec advisory |
| 2013 | McAfee - ePolicy Orchestrator (ePO < 4.5.7, 4.6.x < 4.6.6) | Pre-auth SQL injection in Agent-Handler over Agent-Server channel (chains to RCE) | SQL injection (pre-auth) | High | CVE-2013-0140 BID59500 |
kb.cert.org |
| 2013 | McAfee - ePolicy Orchestrator (ePO < 4.5.7, 4.6.x < 4.6.6) | Pre-auth directory traversal / arbitrary file upload over Agent-Server channel (chains to RCE) | Path traversal / file upload (pre-auth) | High | CVE-2013-0141 BID59505 |
kb.cert.org |
Antivirus / Security-Product Evasion and Bypass
Part of the "Death of AV Defense in Depth?" research programme (Hack.lu 2007, CanSecWest 2008). Most evasion-class findings were not assigned CVEs by vendors.
| Year | Vendor / Product | Vulnerability | Type | CVE / BID | Advisory |
|---|---|---|---|---|---|
| 2006 | F-Secure | Anti-Virus bypass | Detection bypass | CVE-2006-0337 | CVE-2006-0337 |
| 2005 | F-Prot | Antivirus bypass (ZIP) | Detection bypass | CVE-2005-3499 BID15293 TZO-01-2005 |
secdev.zoller.lu, INCIBE |
| 2008 | F-Secure | CAB / RAR evasion | Detection bypass | n/a | f-secure.com |
| 2007 | F-Secure | Scan bypass via crafted LHA / RAR archive header fields | Detection bypass | n/a | f-secure.com |
| 2009 | CA (Computer Associates) - Anti-Virus Engine | Multiple detection-evasion flaws (malformed archives) - remote attacker evades detection | Detection bypass | CVE-2009-0042 BID33464 |
blog.zoller.lu |
| 2009 | ClamAV (< 0.95) | Generic evasion / bypass (malformed archive) | Detection bypass | CVE-2009-1241 BID34344 TZO-05-2009 |
blog.zoller.lu |
| 2009 | ClamAV (< 0.95.2) | Generic evasion (RAR / ZIP / CAB) - engine cannot extract while end-user can | Detection bypass | TZO-40-2009 | blog.zoller.lu |
| 2009 | ClamAV (< 0.95.2) | Generic evasion (CAB) | Detection bypass | TZO-43-2009 | blog.zoller.lu |
| 2009 | Avira AntiVir | Generic evasion (RAR / CAB / ZIP) | Detection bypass | TZO-28-2009 | blog.zoller.lu |
| 2009 | Kaspersky | Generic evasion (PDF) - forced disclosure after silent fix that did not work | Detection bypass | n/a | seclists.org |
| 2009 | Ikarus | Multiple generic evasions (CAB / ZIP / RAR) - patched after engine 1.1.58 | Detection bypass | TZO-31-2009 | blog.zoller.lu |
| 2009 | Norman | Generic evasion (RAR) | Detection bypass | TZO-32-2009 | blog.zoller.lu |
| 2009 | F-Prot (Frisk) | Generic evasion (TAR) - to be fixed in engine 4.5.0 | Detection bypass | TZO-33-2009 | blog.zoller.lu |
| 2009 | F-Prot (Frisk) | Generic evasion (RAR / ARJ / LHA) | Detection bypass | TZO-34-2009 | blog.zoller.lu |
| 2009 | IBM Proventia | Generic evasion (limited disclosure) | Detection bypass | TZO-06-2009 | blog.zoller.lu |
| 2009 | F-Prot | ZIP method-field evasion | Detection bypass | CVE-2005-3499 BID15293 TZO-07-2009 |
blog.zoller.lu |
| 2009 | Bitdefender | Generic evasion (limited disclosure) | Detection bypass | BID34580 | SecurityFocus |
| 2009 | Avast! | Generic evasion (limited disclosure) | Detection bypass | BID34578 TZO-09-2009 |
blog.zoller.lu |
| 2009 | ESET NOD32 | Generic evasion (limited disclosure) | Detection bypass | BID34764 TZO-10-2009 |
blog.zoller.lu |
| 2009 | Fortinet | Generic evasion (limited disclosure) | Detection bypass | BID34583 TZO-11-2009 |
blog.zoller.lu |
| 2009 | Avira AntiVir | ZIP evasion | Detection bypass | BID34723 TZO-13-2009 |
blog.zoller.lu |
| 2009 | Comodo | RAR evasion | Detection bypass | BID34737 TZO-14-2009 |
blog.zoller.lu |
| 2009 | Aladdin eSafe | Generic evasion / bypass | Detection bypass | BID34726 TZO-15-2009 |
blog.zoller.lu |
| 2009 | ESET NOD32 | CAB bypass / evasion | Detection bypass | BID34764 TZO-16-2009 |
blog.zoller.lu |
| 2009 | Trend Micro | RAR / ZIP / CAB evasion (no patch) | Detection bypass | BID34763 TZO-17-2009 |
blog.zoller.lu |
| 2009 | McAfee | RAR / ZIP multiple evasions | Detection bypass | CVE-2009-1348 BID34780 TZO-18-2009 |
blog.zoller.lu |
| 2009 | AVG | ZIP bypass / evasion | Detection bypass | BID34895 TZO-20-2009 |
blog.zoller.lu |
| 2009 | F-Prot | CAB bypass / evasion | Detection bypass | BID34896 TZO-21-2009 |
blog.zoller.lu |
| 2009 | Avira AntiVir | Generic evasion (PDF) | Detection bypass | BID35008 TZO-22-2009 |
blog.zoller.lu |
| 2009 | Bitdefender | Generic evasion (PDF) | Detection bypass | BID35010 | SecurityFocus |
| 2009 | Symantec | Generic PDF detection bypass (scantime + runtime) | Detection bypass | n/a | g-sec.lu |
| 2009 | F-Secure | Generic PDF detection bypass (scantime + runtime) | Detection bypass | n/a | g-sec.lu |
| 2009 | McAfee | Generic PDF detection bypass (scantime + runtime) | Detection bypass | n/a | g-sec.lu |
| 2009 | Panda | Generic evasion (CAB) | Detection bypass | BID35027 TZO-24-2009 |
blog.zoller.lu |
| 2009 | Panda | Generic evasion (TAR) | Detection bypass | BID35027 TZO-25-2009 |
blog.zoller.lu |
| 2009 | IBM Proventia | Multiple bypasses (forced release) | Detection bypass | BID34345 TZO-04-2009 |
blog.zoller.lu |
| 2020 | Avira | Generic bypass (ISO) | Detection bypass | CVE-2020-9320 TZO-001-2020 |
zoller.lu (PDF) |
| 2020 | Kaspersky | Generic bypass (ZIP) | Detection bypass | TZO-002-2020 | zoller.lu (PDF), support.kaspersky.com |
| 2020 | ESET | Generic bypass (ZIP Compression Information) | Detection bypass | CVE-2020-9264 TZO-003-2020 |
zoller.lu (PDF) |
| 2020 | Bitdefender | Generic archive bypass (GZ2) | Detection bypass | TZO-004-2020 | blog.zoller.lu |
| 2020 | Kaspersky | Generic bypass II (ZIP) | Detection bypass | TZO-005-2020 | blog.zoller.lu, support.kaspersky.com |
| 2020 | Bitdefender | Generic archive bypass (ZIP) | Detection bypass | TZO-007-2020 | blog.zoller.lu |
| 2020 | Bitdefender | Generic archive bypass (ZIP II) | Detection bypass | TZO-008-2020 | blog.zoller.lu |
| 2020 | Bitdefender | Generic archive bypass (RAR I) | Detection bypass | TZO-009-2020 | blog.zoller.lu |
| 2020 | Bitdefender | Generic archive bypass (RAR II) | Detection bypass | TZO-010-2020 | blog.zoller.lu |
| 2020 | ESET | Generic bypass (BZ2 checksum / GZIP) | Detection bypass | CVE-2020-10180 TZO-011-2020 |
blog.zoller.lu |
| 2020 | Avira | Generic bypass (ZIP) | Detection bypass | TZO-012-2020 | blog.zoller.lu |
| 2020 | Avira | Generic AV bypass (ZIP GPFLAG) | Detection bypass | TZO-013-2020 | blog.zoller.lu |
| 2020 | F-Secure | Generic malformed-container bypass (RAR) | Detection bypass | TZO-015-2020 | blog.zoller.lu |
| 2020 | Kaspersky | Generic archive bypass (ZIP FLNMLEN) | Detection bypass | TZO-017-2020 | blog.zoller.lu, support.kaspersky.com |
| 2020 | Bitdefender | Malformed archive bypass (GZIP) | Detection bypass | TZO-018-2020 | blog.zoller.lu |
| 2020 | Fortinet - FortiClient / FortiOS AV engine | Malformed RAR archive evades AV detection (CVSS 3.1: 4.7) | Detection bypass / DoS | CVE-2020-9295 | fortiguard.com |
| 2020 | F-Secure | Generic malformed-container bypass (GZIP) | Detection bypass | CVE-2020-9342 TZO-016-2020 |
blog.zoller.lu |
| 2020 | Quick Heal | Malformed archive bypass (ZIP GPFLAG) | Detection bypass | CVE-2020-9362 TZO-020-2020 |
blog.zoller.lu |
| 2020 | Sophos | Generic archive bypass (ZIP) | Detection bypass | CVE-2020-9363 | sophos.com |
| 2020 | Avast | Generic archive bypass (ZIP) | Detection bypass | CVE-2020-9399 TZO-023-2020 |
blog.zoller.lu |
| 2020 | Multiple (Qihoo 360, G-DATA, eScan, Rising, Command, K7 Computing, Ahnlab, Dr. Web, Webroot) | Generic malformed-archive bypass across multiple unpatched engines (reverse-coordinated disclosure) | Detection bypass | n/a | seclists.org |
Web Application Vulnerabilities
| Year | Vendor / Product | Vulnerability | Type | CVE / BID | Advisory |
|---|---|---|---|---|---|
| 2013 | EMC Document Sciences xPression (4.2 < Patch 26; 4.5 < Patch 05) | Path traversal - arbitrary file read via model.logFileName (xDashboard) |
Path traversal | CVE-2013-6177 | kb.cert.org |
| 2013 | EMC Document Sciences xPression | SQL injection (xAdmin, multiple parameters) | SQL injection | CVE-2013-6176 | kb.cert.org |
| 2013 | EMC Document Sciences xPression | Stored and reflected XSS (xAdmin / xDashboard) | Cross-site scripting | CVE-2013-6175 | kb.cert.org |
| 2013 | EMC Document Sciences xPression | Open redirect via redirectURL (xAdmin) |
Open redirect | CVE-2013-6174 | kb.cert.org |
| 2013 | EMC Document Sciences xPression | Cross-site request forgery (xAdmin / xDashboard) | CSRF | CVE-2013-6173 | kb.cert.org |
| 2013 | Wave Systems - EMBASSY Remote Administration Server (ERAS 2.8.4 / 2.9.5 Help Desk) | Blind SQL injection in ERAS Help Desk application | SQL injection | CVE-2013-3577 | kb.cert.org |
| 2013 | Wave Systems - EMBASSY Remote Administration Server (ERAS 2.8.4 / 2.9.5 Help Desk) | Stacked-query SQL injection leading to OS command execution | OS command injection | CVE-2013-3578 | kb.cert.org |
Reported via Verizon Enterprise Solutions - Threat & Vulnerability Management (GCIS). EMC xPression: CVSS base 6.8 (path traversal), public 20 Nov 2013, CERT/CC note 2 Dec 2013. Wave EMBASSY (ERAS): fixed in ERAS 2.9.5 SP2, public 12 Jul 2013 (rev. 30 Jul 2014).
Denial of Service, Privilege Escalation, and Other
| Year | Vendor / Product | Vulnerability | Type | CVE / BID | Advisory |
|---|---|---|---|---|---|
| 2014 | Pulse Connect Secure (PCS) - Linux Network Connect client | Local privilege escalation - non-root user escalates to root on the client system | Local privilege escalation | CVE-2014-2292 | hub.ivanti.com |
| 2009 | Avira AntiVir | Multiple remote denial of service (RAR) | Denial of service | BID33270 TZO-01-2009 |
blog.zoller.lu |
| 2009 | Avira AntiVir | Privilege escalation | Privilege escalation | BID33291 TZO-02-2009 |
blog.zoller.lu |
| 2009 | Apple QuickTime 7.4.1 | Null pointer dereference - denial of service | Denial of service | BID35359 | SecurityFocus |
| 2009 | Apple - Safari / QuickTime | Denial of service (browser/plugin crash); Apple acknowledged as security-related but issued no credit or advisory | Denial of service | n/a | seclists.org |
| 2009 | Mozilla Firefox | Denial of service (unclamped loop) - forced disclosure | Denial of service | CVE-2009-1827 TZO-26-2009 |
blog.zoller.lu |
| 2009 | Mozilla Firefox | Denial of service (keygen) - forced disclosure | Denial of service | CVE-2009-1828 BID35132 TZO-27-2009 |
blog.zoller.lu |
| 2006 | Safe'n'Sec | HIPS & Anti-Spyware privilege escalation | Privilege escalation | TZO-04-2006 | secdev.zoller.lu |
| 2006 | XAMPP | Multiple privilege escalation and rogue autostart | Privilege escalation | TZO-05-2006 | secdev.zoller.lu |
| 2006 | WehnTrust | Privilege escalation | Privilege escalation | TZO-06-2006 | secdev.zoller.lu |
| 2006 | Zango Adware | Insecure auto-update and remote file execution | Remote file execution | TZO-07-2006 | secdev.zoller.lu |
| 2005 | Mozilla Firefox | Silent adware install (proof of concept) | Insecure install | TZO-02-2005 | secdev.zoller.lu |
| 2005 | Check Point | VPN-1 SecureClient privilege escalation | Privilege escalation | TZO-03-2005 | secdev.zoller.lu |

