Links to some public security issues I have found and reported. I do not post the exploits here.
| Identifier | Description |
| --- | --- |
| CVE-2009-2415 | Remote code execution (as root on Debian Etch) using integer overflows in memcached. |
| CVE-2009-2906 | Debian local root using race condition in Samba's |
| CVE-2010-0393 | Debian local root using an untrusted locale file leading to a format string exploit in CUPS |
| CVE-2013-0132 & CVE-2013-0133 | Multi-step local root using insecure custom |
| Salt 126.96.36.199.2 | Salt Stack generated all RSA keys with an exponent of 1 (i.e., no encryption). |
| Salt 188.8.131.52.1 | A path traversal bug allowed anyone to connect as a minion to a Salt master. |
| Salt 184.108.40.206.3 | A logic bug allowed any minion to run commands as root on the Salt master. |
Some of my writeups of interesting challenges I've solved during various CTFs with our Dutch CTF team, the Eindbazen. Unfortunately we haven't been playing as much recently as everyone is busy with other things, but in 2012 and 2013 we were ranked third in the world.
"Harry Potter" from PlaidCTF 2014
Exploiting a network buffer overflow and bypassing stack-smashing protection using C++ exceptions.
"Kappa" from PlaidCTF 2014
Reverse engineering a network service, finding and exploiting a type confusion vulnerability, and using information leaks to resolve libc symbols.
"ropasaurusrex" from PlaidCTF 2013
Very basic stack buffer overflow, exploited with a two-stage ROP chain to bypass NX and ASLR.
"pyjail" from PlaidCTF 2013
Getting a shell from Python eval(), with a very restricted set of allowed characters, a low character count limit, and a nearly empty environment.
"shop" from 29C3 CTF
Recovering plaintext from an AES-OFB encrypted value using a padding oracle.
"Web 42" from 29C3 CTF
Reverse engineering obfuscated Python bytecode.
"servr" from PlaidCTF 2013
Remotely exploiting a Linux kernel heap overflow.
"giga" from PlaidCTF 2013
Recovering RSA private keys when a low-entropy random number generator is used, determining the public key using an oracle.
"dethstarr" from SecuInside 2012
Reverse engineering, multi-stage ROP with tight buffer size constraints.
"RSA" from PlaidCTF 2012
Decrypting 4096-bit RSA by brute force (possible because the plaintext is short and unpadded, and the RSA public exponent is 3).
"Khazad" from Ghost in the Shellcode 2012 finals
Reverse engineering and exploiting a backdoor hidden in the DWARF exception unwinding metadata of a C++ binary.
"ps3game" from RWTHCTF 2011
Reverse engineering and bypassing a kernel module that validates network traffic using an RSA/TEA based cryptographic signature scheme.
Email: email@example.com (GPG key available on request)