Over the past two decades I have discovered, analysed, and coordinated the responsible disclosure of a large number of software and protocol vulnerabilities, spanning web browsers, antivirus and security products, enterprise appliances, and core internet protocols. The below is my documentation of that :

Contents

Heavy Hitters - Remote Code Execution and Protocol-Level Flaws

Year Vendor / Product Vulnerability Type Severity CVE / BID Advisory
2009 Apple - WebKit (Safari < 4.0 desktop, iPhone OS 1.0-2.2.1, iPod touch 1.1-2.2.1) Uninitialised pointer in CSS attr() handling with large numeric argument (reported 26 Mar 2009, coordinated release 8 Jun 2009). Two paired advisories: iPhone (HT3639) and desktop Safari 4.0 (HT3613) Remote code execution Critical CVE-2009-1698
BID35318
GSEC-TZO-45-2009
g-sec.lu, ZDI
2008 Microsoft - Internet Explorer 5.01 SP4 / 6 / 7 HTML Objects Memory Corruption (uninitialised memory access) Remote code execution Critical (MS08-058) CVE-2008-3476
BID31618
MS08-058 (Microsoft), SecurityFocus BID31618
2009 Sun / Oracle - Java VM (JVM 6 Update 1 & 2) Java Virtual Machine memory-corruption flaw Remote code execution High BID34667
TZO-12-2009
blog.zoller.lu
2007 Citrix - SSL-VPN (Access Gateway) Pre-authentication remote code execution / information disclosure Remote code execution (pre-auth) High CVE-2006-6573 kb.cert.org
2006 F-Secure - Anti-Virus (ZIP / RAR engine) Archive-parser flaw enabling code execution Remote code execution Highly critical CVE-2006-0338 f-secure.com
2009 CA (Computer Associates) - Anti-Virus Engine, arclib component Malformed RAR archive causes heap corruption, allowing remote code execution Remote code execution (heap corruption) Medium CVE-2009-3587
BID36653
broadcom.com
2009 CA (Computer Associates) - Anti-Virus Engine, arclib component Malformed RAR archive causes stack corruption (DoS) Stack corruption / DoS Medium CVE-2009-3588 broadcom.com
2009 Cross-platform - IE 5-8, Firefox, Safari, Opera, Chrome, Konqueror, SeaMonkey, Netscape; iPhone/iPod, Android G1, BlackBerry, Nokia, Siemens, Nintendo Wii, Sony PS3 "One bug to rule them all" - single select.length call with a large integer exhausts memory across nearly every JavaScript-capable browser/device Denial of service (memory exhaustion; null-ptr deref to OS reboot) Cross-platform CVE-2009-1692 (Apple/WebKit) CVE-2009-2537 (Konqueror) CVE-2009-2538 (Nokia/Symbian) CVE-2009-2539 (Microsoft IE 5-8) CVE-2009-2540 (Opera)
GSEC-TZO-44-2009
g-sec.lu
2009 Microsoft - IIS 5.1 / 6.0 WebDAV Remote authentication bypass via unicode/path handling (discovered and publicly disclosed by Nikolaos Rangos; my contribution was the independent technical analysis and detection tooling, cited by US-CERT TA09-160A and the Nmap http-iis-webdav-vuln script) Authentication bypass (analysis / tooling) High CVE-2009-1535 blog.zoller.lu
2009 TLS / SSLv3 protocol (all implementations) Renegotiation plaintext-injection (protocol design flaw) - canonical practitioner whitepaper + PoC Man-in-the-middle / plaintext injection High (industry-wide) CVE-2009-3555 Whitepaper (g-sec.lu)
2010 VMware - Workstation 7.0 (< 7.0.1 build 227600) / Player 3.0 (< 3.0.1 build 227600), Windows USB service loads a Trojan executable from an unspecified host path Local privilege escalation Medium (CVSS 2.0: 6.9) CVE-2010-1140
BID39397
VMSA-2010-0007
2008 JSCAPE - Secure FTP Applet / SSH (<= 4.8.0; fixed 4.9.0) SSH host key not verified or displayed on connect, enabling man-in-the-middle (login/password/data extraction); reported 2006, released 2008 Man-in-the-middle High (CVSS 2.0: 7.5) CVE-2008-5124
BID29882
SecurityFocus
2013 WatchGuard - XTM / XTMv (Fireware <= 11.7.4) Stack buffer overflow in WGagent parsing oversized cookie sessionid on web mgmt interface (TCP/8080); unauthenticated RCE Remote code execution (pre-auth) Critical (CVSS 2.0: 9.3) CVE-2013-6021 kb.cert.org
2013 WatchGuard - WSM / Fireware (< 11.8) WebCenter Multiple reflected cross-site scripting in WebCenter management UI Cross-site scripting Medium CVE-2013-6022 kb.cert.org
2013 Symantec - Endpoint Protection Manager (SEPM 12.1.x < 12.1.3) / Protection Center (SPC 12.0.x SBE) Buffer overflow in secars.dll management console; unauthenticated remote code execution Remote code execution (pre-auth) High CVE-2013-1612
BID60542
Symantec advisory
2013 McAfee - ePolicy Orchestrator (ePO < 4.5.7, 4.6.x < 4.6.6) Pre-auth SQL injection in Agent-Handler over Agent-Server channel (chains to RCE) SQL injection (pre-auth) High CVE-2013-0140
BID59500
kb.cert.org
2013 McAfee - ePolicy Orchestrator (ePO < 4.5.7, 4.6.x < 4.6.6) Pre-auth directory traversal / arbitrary file upload over Agent-Server channel (chains to RCE) Path traversal / file upload (pre-auth) High CVE-2013-0141
BID59505
kb.cert.org

Antivirus / Security-Product Evasion and Bypass

Part of the "Death of AV Defense in Depth?" research programme (Hack.lu 2007, CanSecWest 2008). Most evasion-class findings were not assigned CVEs by vendors.

Year Vendor / Product Vulnerability Type CVE / BID Advisory
2006 F-Secure Anti-Virus bypass Detection bypass CVE-2006-0337 CVE-2006-0337
2005 F-Prot Antivirus bypass (ZIP) Detection bypass CVE-2005-3499
BID15293
TZO-01-2005
secdev.zoller.lu, INCIBE
2008 F-Secure CAB / RAR evasion Detection bypass n/a f-secure.com
2007 F-Secure Scan bypass via crafted LHA / RAR archive header fields Detection bypass n/a f-secure.com
2009 CA (Computer Associates) - Anti-Virus Engine Multiple detection-evasion flaws (malformed archives) - remote attacker evades detection Detection bypass CVE-2009-0042
BID33464
blog.zoller.lu
2009 ClamAV (< 0.95) Generic evasion / bypass (malformed archive) Detection bypass CVE-2009-1241
BID34344
TZO-05-2009
blog.zoller.lu
2009 ClamAV (< 0.95.2) Generic evasion (RAR / ZIP / CAB) - engine cannot extract while end-user can Detection bypass TZO-40-2009 blog.zoller.lu
2009 ClamAV (< 0.95.2) Generic evasion (CAB) Detection bypass TZO-43-2009 blog.zoller.lu
2009 Avira AntiVir Generic evasion (RAR / CAB / ZIP) Detection bypass TZO-28-2009 blog.zoller.lu
2009 Kaspersky Generic evasion (PDF) - forced disclosure after silent fix that did not work Detection bypass n/a seclists.org
2009 Ikarus Multiple generic evasions (CAB / ZIP / RAR) - patched after engine 1.1.58 Detection bypass TZO-31-2009 blog.zoller.lu
2009 Norman Generic evasion (RAR) Detection bypass TZO-32-2009 blog.zoller.lu
2009 F-Prot (Frisk) Generic evasion (TAR) - to be fixed in engine 4.5.0 Detection bypass TZO-33-2009 blog.zoller.lu
2009 F-Prot (Frisk) Generic evasion (RAR / ARJ / LHA) Detection bypass TZO-34-2009 blog.zoller.lu
2009 IBM Proventia Generic evasion (limited disclosure) Detection bypass TZO-06-2009 blog.zoller.lu
2009 F-Prot ZIP method-field evasion Detection bypass CVE-2005-3499
BID15293
TZO-07-2009
blog.zoller.lu
2009 Bitdefender Generic evasion (limited disclosure) Detection bypass BID34580 SecurityFocus
2009 Avast! Generic evasion (limited disclosure) Detection bypass BID34578
TZO-09-2009
blog.zoller.lu
2009 ESET NOD32 Generic evasion (limited disclosure) Detection bypass BID34764
TZO-10-2009
blog.zoller.lu
2009 Fortinet Generic evasion (limited disclosure) Detection bypass BID34583
TZO-11-2009
blog.zoller.lu
2009 Avira AntiVir ZIP evasion Detection bypass BID34723
TZO-13-2009
blog.zoller.lu
2009 Comodo RAR evasion Detection bypass BID34737
TZO-14-2009
blog.zoller.lu
2009 Aladdin eSafe Generic evasion / bypass Detection bypass BID34726
TZO-15-2009
blog.zoller.lu
2009 ESET NOD32 CAB bypass / evasion Detection bypass BID34764
TZO-16-2009
blog.zoller.lu
2009 Trend Micro RAR / ZIP / CAB evasion (no patch) Detection bypass BID34763
TZO-17-2009
blog.zoller.lu
2009 McAfee RAR / ZIP multiple evasions Detection bypass CVE-2009-1348
BID34780
TZO-18-2009
blog.zoller.lu
2009 AVG ZIP bypass / evasion Detection bypass BID34895
TZO-20-2009
blog.zoller.lu
2009 F-Prot CAB bypass / evasion Detection bypass BID34896
TZO-21-2009
blog.zoller.lu
2009 Avira AntiVir Generic evasion (PDF) Detection bypass BID35008
TZO-22-2009
blog.zoller.lu
2009 Bitdefender Generic evasion (PDF) Detection bypass BID35010 SecurityFocus
2009 Symantec Generic PDF detection bypass (scantime + runtime) Detection bypass n/a g-sec.lu
2009 F-Secure Generic PDF detection bypass (scantime + runtime) Detection bypass n/a g-sec.lu
2009 McAfee Generic PDF detection bypass (scantime + runtime) Detection bypass n/a g-sec.lu
2009 Panda Generic evasion (CAB) Detection bypass BID35027
TZO-24-2009
blog.zoller.lu
2009 Panda Generic evasion (TAR) Detection bypass BID35027
TZO-25-2009
blog.zoller.lu
2009 IBM Proventia Multiple bypasses (forced release) Detection bypass BID34345
TZO-04-2009
blog.zoller.lu
2020 Avira Generic bypass (ISO) Detection bypass CVE-2020-9320
TZO-001-2020
zoller.lu (PDF)
2020 Kaspersky Generic bypass (ZIP) Detection bypass TZO-002-2020 zoller.lu (PDF), support.kaspersky.com
2020 ESET Generic bypass (ZIP Compression Information) Detection bypass CVE-2020-9264
TZO-003-2020
zoller.lu (PDF)
2020 Bitdefender Generic archive bypass (GZ2) Detection bypass TZO-004-2020 blog.zoller.lu
2020 Kaspersky Generic bypass II (ZIP) Detection bypass TZO-005-2020 blog.zoller.lu, support.kaspersky.com
2020 Bitdefender Generic archive bypass (ZIP) Detection bypass TZO-007-2020 blog.zoller.lu
2020 Bitdefender Generic archive bypass (ZIP II) Detection bypass TZO-008-2020 blog.zoller.lu
2020 Bitdefender Generic archive bypass (RAR I) Detection bypass TZO-009-2020 blog.zoller.lu
2020 Bitdefender Generic archive bypass (RAR II) Detection bypass TZO-010-2020 blog.zoller.lu
2020 ESET Generic bypass (BZ2 checksum / GZIP) Detection bypass CVE-2020-10180
TZO-011-2020
blog.zoller.lu
2020 Avira Generic bypass (ZIP) Detection bypass TZO-012-2020 blog.zoller.lu
2020 Avira Generic AV bypass (ZIP GPFLAG) Detection bypass TZO-013-2020 blog.zoller.lu
2020 F-Secure Generic malformed-container bypass (RAR) Detection bypass TZO-015-2020 blog.zoller.lu
2020 Kaspersky Generic archive bypass (ZIP FLNMLEN) Detection bypass TZO-017-2020 blog.zoller.lu, support.kaspersky.com
2020 Bitdefender Malformed archive bypass (GZIP) Detection bypass TZO-018-2020 blog.zoller.lu
2020 Fortinet - FortiClient / FortiOS AV engine Malformed RAR archive evades AV detection (CVSS 3.1: 4.7) Detection bypass / DoS CVE-2020-9295 fortiguard.com
2020 F-Secure Generic malformed-container bypass (GZIP) Detection bypass CVE-2020-9342
TZO-016-2020
blog.zoller.lu
2020 Quick Heal Malformed archive bypass (ZIP GPFLAG) Detection bypass CVE-2020-9362
TZO-020-2020
blog.zoller.lu
2020 Sophos Generic archive bypass (ZIP) Detection bypass CVE-2020-9363 sophos.com
2020 Avast Generic archive bypass (ZIP) Detection bypass CVE-2020-9399
TZO-023-2020
blog.zoller.lu
2020 Multiple (Qihoo 360, G-DATA, eScan, Rising, Command, K7 Computing, Ahnlab, Dr. Web, Webroot) Generic malformed-archive bypass across multiple unpatched engines (reverse-coordinated disclosure) Detection bypass n/a seclists.org

Web Application Vulnerabilities

Year Vendor / Product Vulnerability Type CVE / BID Advisory
2013 EMC Document Sciences xPression (4.2 < Patch 26; 4.5 < Patch 05) Path traversal - arbitrary file read via model.logFileName (xDashboard) Path traversal CVE-2013-6177 kb.cert.org
2013 EMC Document Sciences xPression SQL injection (xAdmin, multiple parameters) SQL injection CVE-2013-6176 kb.cert.org
2013 EMC Document Sciences xPression Stored and reflected XSS (xAdmin / xDashboard) Cross-site scripting CVE-2013-6175 kb.cert.org
2013 EMC Document Sciences xPression Open redirect via redirectURL (xAdmin) Open redirect CVE-2013-6174 kb.cert.org
2013 EMC Document Sciences xPression Cross-site request forgery (xAdmin / xDashboard) CSRF CVE-2013-6173 kb.cert.org
2013 Wave Systems - EMBASSY Remote Administration Server (ERAS 2.8.4 / 2.9.5 Help Desk) Blind SQL injection in ERAS Help Desk application SQL injection CVE-2013-3577 kb.cert.org
2013 Wave Systems - EMBASSY Remote Administration Server (ERAS 2.8.4 / 2.9.5 Help Desk) Stacked-query SQL injection leading to OS command execution OS command injection CVE-2013-3578 kb.cert.org

Reported via Verizon Enterprise Solutions - Threat & Vulnerability Management (GCIS). EMC xPression: CVSS base 6.8 (path traversal), public 20 Nov 2013, CERT/CC note 2 Dec 2013. Wave EMBASSY (ERAS): fixed in ERAS 2.9.5 SP2, public 12 Jul 2013 (rev. 30 Jul 2014).

Denial of Service, Privilege Escalation, and Other

Year Vendor / Product Vulnerability Type CVE / BID Advisory
2014 Pulse Connect Secure (PCS) - Linux Network Connect client Local privilege escalation - non-root user escalates to root on the client system Local privilege escalation CVE-2014-2292 hub.ivanti.com
2009 Avira AntiVir Multiple remote denial of service (RAR) Denial of service BID33270
TZO-01-2009
blog.zoller.lu
2009 Avira AntiVir Privilege escalation Privilege escalation BID33291
TZO-02-2009
blog.zoller.lu
2009 Apple QuickTime 7.4.1 Null pointer dereference - denial of service Denial of service BID35359 SecurityFocus
2009 Apple - Safari / QuickTime Denial of service (browser/plugin crash); Apple acknowledged as security-related but issued no credit or advisory Denial of service n/a seclists.org
2009 Mozilla Firefox Denial of service (unclamped loop) - forced disclosure Denial of service CVE-2009-1827
TZO-26-2009
blog.zoller.lu
2009 Mozilla Firefox Denial of service (keygen) - forced disclosure Denial of service CVE-2009-1828
BID35132
TZO-27-2009
blog.zoller.lu
2006 Safe'n'Sec HIPS & Anti-Spyware privilege escalation Privilege escalation TZO-04-2006 secdev.zoller.lu
2006 XAMPP Multiple privilege escalation and rogue autostart Privilege escalation TZO-05-2006 secdev.zoller.lu
2006 WehnTrust Privilege escalation Privilege escalation TZO-06-2006 secdev.zoller.lu
2006 Zango Adware Insecure auto-update and remote file execution Remote file execution TZO-07-2006 secdev.zoller.lu
2005 Mozilla Firefox Silent adware install (proof of concept) Insecure install TZO-02-2005 secdev.zoller.lu
2005 Check Point VPN-1 SecureClient privilege escalation Privilege escalation TZO-03-2005 secdev.zoller.lu