Tavis Ormandy

90 exploits Active since Dec 2005
CVE-2010-3847 METASPLOIT ruby WORKING POC
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
CVE-2013-1662 METASPLOIT ruby WORKING POC
VMware Workstation 8.x-9.x and Player 4.x-5.x - Privilege Escalation via PATH lsb_release Hijacking
vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in a directory in the PATH, related to use of the popen library function.
CVE-2009-2692 METASPLOIT HIGH ruby WORKING POC
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
CVSS 7.8
CVE-2015-1318 METASPLOIT ruby WORKING POC
Apport <2.17.1 - Privilege Escalation
The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).
CVE-2012-4177 EXPLOITDB ruby WORKING POC
Ubisoft Uplay PC < 2.0.4 - Remote Code Execution via -orbit_exe_path Argument
The web browser plugin for Ubisoft Uplay PC before 2.0.4 allows remote attackers to execute arbitrary programs via the -orbit_exe_path command line argument.
CVE-2016-3987 EXPLOITDB CRITICAL html WORKING POC
Trend Micro Password Manager - Command Injection
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB.
CVSS 9.8
CVE-2010-2265 EXPLOITDB text WORKING POC
Windows XP and Server 2003 - Cross-Site Scripting via Help and Support Center svr Parameter
Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attackers to inject arbitrary web script or HTML via the svr parameter to sysinfo/sysinfomain.htm. NOTE: this can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction.
CVE-2010-1885 EXPLOITDB text WRITEUP
Windows XP and Windows Server 2003 - Remote Code Execution via Malformed hcp:// URL
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
CVE-2010-1885 EXPLOITDB ruby WORKING POC
Windows XP and Windows Server 2003 - Remote Code Execution via Malformed hcp:// URL
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
CVE-2010-0886 EXPLOITDB text WORKING POC
Oracle Java SE/JDK/JRE <6.20 - Info Disclosure
Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
CVE-2013-0008 EXPLOITDB ruby WORKING POC
Windows Vista/7/8, Server 2008/2012, RT - Privilege Escalation via Win32k Window Broadcast
win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."
CVE-2010-0233 EXPLOITDB c WORKING POC
Microsoft Windows - Memory Corruption
Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability."
CVE-2013-3661 EXPLOITDB c WORKING POC
Microsoft Windows - Denial of Service via EPATHOBJ::bFlatten Path Traversal
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
CVE-2010-0232 EXPLOITDB HIGH text WRITEUP
Windows SYSTEM Escalation via KiTrap0D
The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."
CVSS 7.8
CVE-2013-3661 EXPLOITDB ruby WORKING POC
Microsoft Windows - Denial of Service via EPATHOBJ::bFlatten Path Traversal
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
CVE-2010-1890 EXPLOITDB text WORKING POC
Windows 7, Windows Server 2008, and Windows Vista - Denial of Service via Kernel Object ACL Validation
The kernel in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate ACLs on kernel objects, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Improper Validation Vulnerability."
CVE-2010-1889 EXPLOITDB HIGH text WORKING POC
Windows Vista SP1-SP2 & Server 2008 Gold-SP2 - Local Privilege Escalation via Kernel Error
Double free vulnerability in the kernel in Microsoft Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2, allows local users to gain privileges via a crafted application, related to object initialization during error handling, aka "Windows Kernel Double Free Vulnerability."
CVSS 7.8
CVE-2010-1888 EXPLOITDB text WORKING POC
Windows XP SP3 - Local Privilege Escalation via Thread Creation Race Condition
Race condition in the kernel in Microsoft Windows XP SP3 allows local users to gain privileges via vectors involving thread creation, aka "Windows Kernel Data Initialization Vulnerability."
EIP-2026-115783 EXPLOITDB c WORKING POC
Microsoft Windows - Touch Injection API Local Denial of Service
CVE-2013-3661 EXPLOITDB text WORKING POC
Microsoft Windows - Denial of Service via EPATHOBJ::bFlatten Path Traversal
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
CVE-2010-1887 EXPLOITDB text WORKING POC
Microsoft Windows 2003 Server - Improper Input Validation
The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly validate an unspecified system-call argument, which allows local users to cause a denial of service (system hang) via a crafted application, aka "Win32k Bounds Checking Vulnerability."
EIP-2026-115784 EXPLOITDB text WRITEUP
Microsoft Windows - Win32k!xxxRealDrawMenuItem() Missing HBITMAP Bounds Checks
EIP-2026-115505 EXPLOITDB text WRITEUP
Kaspersky AntiVirus - Certificate Handling Directory Traversal
CVE-2017-8558 EXPLOITDB HIGH text WORKING POC
Microsoft Malware Protection Engine - Remote Code Execution via Crafted File Scan
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on 32-bit versions of Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703 does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability".
CVSS 7.8
EIP-2026-104084 EXPLOITDB text WRITEUP
Sophos Products - Multiple Vulnerabilities