Findings and honors

Throughout my long career in information security I have officially been more on the defensive side (though I keep growing my focus and abilities on the offensive side, a.k.a. “the dark side of the force”…), but I have always acted in a way that challenges the defenses, trying to think and act as an attacker in order to test them and get a complete picture of the information security posture. This behavior has led me quite a few times to find vulnerabilities and weaknesses of various types. These findings are detailed below, including the mentions of appreciation I have received from various manufacturers and organizations:

2020 – Government of Israel – Information Security reporting “Hall of Fame” member

I am glad that, after many years of reporting information security issues in the Israeli government digital infrastructure, justice has finally been served: the State of Israel has created a “Hall of Fame” page for those who reported information security issues in its digital infrastructure, and my name has been added as a member of this “Hall of Fame”.


2002 – Microsoft – Exchange 2000, MS02-003, Vulnerability found, CVE-2002-0049 – Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions

While hardening a Microsoft Exchange e-mail and messaging server I noticed that a specific hardening action I had made was being undone after every server reboot, so I turned to the Microsoft security team…

Microsoft security advisory
SecurityFocus Bugtraq advisory
Mitre CVE-2002-0049


2002 – Microsoft – Windows 2000 & XP – Security related bug found – “Defined Actions for Administrative Alerts Do Not Occur When the Security Log Is Full”

Microsoft Windows 2000 and XP can be configured to send administrative alerts when certain events are recorded in the Event Log.
If the option ‘Do not overwrite events (clear log manually)’ is selected and the Event Log has reached its maximum allowed size, administrative alerts will not be sent.

SecurityFocus Bugtraq advisory
The original Microsoft Knowledge Base article (no longer online) was https://support.microsoft.com/?kbid=329350; it is archived at the Internet Archive, with my name mentioned.
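The failure mode above (a log set to “Do not overwrite events” that has filled up, so nothing further is recorded or alerted on) is still worth auditing for on current Windows hosts. The following is an added example, not code from the original page or from Microsoft: it parses the output of `wevtutil gl <log>` (configuration) and `wevtutil gli <log>` (status) and flags logs that are in do-not-overwrite mode and close to their maximum size. The two sample outputs are constructed, not captured from a real host, and the 90% warning threshold is an arbitrary assumption.

```python
"""Audit Windows event-log retention mode and fill level from wevtutil output."""
import re
import subprocess
from typing import Dict

# Constructed sample of `wevtutil gl Security` (configuration). Field names
# follow what wevtutil prints; values are made up for this example.
SAMPLE_GL = """name: Security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: true
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
"""

# Constructed sample of `wevtutil gli Security` (status).
SAMPLE_GLI = """creationTime: 2019-01-01T00:00:00.000Z
lastAccessTime: 2019-05-31T10:00:00.000Z
lastWriteTime: 2019-05-31T10:00:00.000Z
fileSize: 20905984
attributes: 32
numberOfLogRecords: 41234
oldestRecordNumber: 1
"""

_KV = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")


def parse_wevtutil(text: str) -> Dict[str, str]:
    """Flatten 'key: value' lines into a dict; section headers and empty values are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2) != "":
            out[m.group(1)] = m.group(2)
    return out


def retention_mode(cfg: Dict[str, str]) -> str:
    """Map wevtutil's retention/autoBackup flags to the GUI retention options."""
    retention = cfg.get("retention", "false").lower() == "true"
    auto_backup = cfg.get("autoBackup", "false").lower() == "true"
    if not retention:
        return "overwrite-as-needed"          # "Overwrite events as needed"
    if auto_backup:
        return "archive-when-full"            # "Archive the log when full, do not overwrite"
    return "do-not-overwrite"                 # "Do not overwrite events (clear log manually)"


def assess(cfg: Dict[str, str], status: Dict[str, str], warn_at: float = 0.90) -> dict:
    """Flag a do-not-overwrite log whose file is at or above warn_at of its maxSize."""
    max_size = int(cfg.get("maxSize", "0"))
    file_size = int(status.get("fileSize", "0"))
    fill = file_size / max_size if max_size else 0.0
    mode = retention_mode(cfg)
    return {
        "log": cfg.get("name", "?"),
        "mode": mode,
        "fill": round(fill, 3),
        "at_risk": mode == "do-not-overwrite" and fill >= warn_at,
    }


def audit_live(log_name: str) -> dict:
    """Run the real wevtutil on a Windows host (not exercised by the offline sample)."""
    gl = subprocess.run(["wevtutil", "gl", log_name], capture_output=True, text=True, check=True).stdout
    gli = subprocess.run(["wevtutil", "gli", log_name], capture_output=True, text=True, check=True).stdout
    return assess(parse_wevtutil(gl), parse_wevtutil(gli))


if __name__ == "__main__":
    print(assess(parse_wevtutil(SAMPLE_GL), parse_wevtutil(SAMPLE_GLI)))
```

On a real host, `audit_live("Security")` runs the same assessment against the live configuration; the sample data is only there so the logic can be exercised without a Windows machine.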


2002 – Microsoft – Windows XP – Vulnerability Found – User downgraded from Administrator to User retains the ability to list other user’s running processes

Microsoft Windows XP contains a feature called Fast User Switching (FUS). This allows multiple users to be concurrently logged onto the system; only one user can interact with the system at a time.
There is a weakness in FUS that could allow a user that was previously a member of the Administrators group to still view other users’ processes. If the user enabled the ability to view other users’ processes while they were a member of the Administrators group, they will still be able to do this after they are removed from the Administrators group.

SecurityFocus Bugtraq post by me
SecurityFocus Bugtraq advisory


2003 – HP Compaq – Vulnerability found – “Compaq Web Agent” management session can be re-used without the need to perform authentication

HP Compaq Web Agent sessions will persist until expiration after an authenticated user closes their browser. This condition occurs if the authenticated user does not manually log out from the Compaq Web Agents interface.
This issue may make it possible for the unexpired session to be reused under some circumstances by a malicious user. Successful exploitation may allow the attacker to gain unauthorized access to the Compaq Web Agents interface or gain access to a different user role for the interface and perform actions with elevated privileges.

SecurityFocus Bugtraq post by me
SecurityFocus Bugtraq advisory


2003 – Microsoft – Vulnerability found – Windows XP “welcome screen” exposes the names of all the members of the local administrators group

In Windows XP, when the machine is in “Workgroup” mode and “Fast User Switching” is enabled, booting into “Safe Mode” makes the welcome screen load a different list of names: a list made ONLY of ALL the members of the local “Administrators” group (including the original, built-in “Administrator” account, even if it was renamed).

SecurityFocus Bugtraq post by me
SecurityFocus Bugtraq advisory


2005 – Symantec – Security related bug – Symantec Antivirus client locally created scheduled scan is not running if the local console is logged off

A scheduled virus scan created locally in the Symantec Antivirus client interface (as opposed to a scheduled scan created on the central SAV server and enforced on the client; both types of scan can co-exist on a managed client) will not start if, at the date and time the scan should run, the client host's console is logged off (i.e. no user is logged on at the local console).
Hosts with a “server” role are logged off most of the time.

SecurityFocus Bugtraq post by me


2006 – Novell – Vulnerability found, CVE-2006-2612 – Novell Client login form enables reading and writing from and to the clipboard of the logged-in user

Novell Client for Windows 4.8 and 4.9 does not restrict access to the clipboard contents while a machine is locked, which allows users with physical access to read the current clipboard contents by pasting them into the “User Name” field on the login prompt.

SecurityFocus Bugtraq post by me
Mitre CVE-2006-2612
IBM X-Force advisory


2006 – McAfee – Vulnerability found, CVE-2006-4886 – McAfee VirusScan Enterprise – disabling the client side “On-Access Scan”

McAfee VirusScan could allow a local attacker to bypass security settings, caused by a vulnerability in the On-Access system tray icon. The On-Access system tray icon for enabling or disabling the security features is accessible for a few seconds after being loaded or accessed for the first time. A local attacker could disable the security setting, leaving the system vulnerable and bypassing settings that were locked by the administrator.

SecurityFocus Bugtraq post by me
Mitre CVE-2006-4886
IBM X-Force advisory


2007 – VMware – Vulnerability found, CVE-2007-1056 – VMware Workstation multiple denial of service and isolation manipulation vulnerabilities

SecurityFocus Bugtraq post by me
Mitre CVE-2007-1056


2007 – VMware – Vulnerability found – CVE-2007-0833 – VMware workstation guest isolation weaknesses (clipboard transfer)

VMware is prone to two information-disclosure vulnerabilities because of multiple design errors in the clipboard plugin.
An attacker can exploit these issues to obtain sensitive information that may lead to further attacks.

SecurityFocus Bugtraq post by me
SecurityFocus Bugtraq advisory
Mitre CVE-2007-0833
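The two VMware findings above concern the host-to-guest isolation channels, the clipboard in particular. VMware's own hardening guidance uses the `isolation.tools.copy.disable`, `isolation.tools.paste.disable` and `isolation.tools.dnd.disable` keys in the guest's `.vmx` file to switch those channels off; the page does not state that these settings address the specific 2007 issues, only that the clipboard channel is where the weakness lives. The following is an added example, not VMware's code or the author's: a small `.vmx` checker that reports the weak state (keys absent, so the channel is enabled by default) beside the hardened one, with constructed sample `.vmx` content.

```python
"""Check a VMware .vmx file for the guest-isolation keys that disable clipboard and drag-and-drop."""
import re
from typing import Dict, List

# Keys from VMware's published hardening guidance; "TRUE" disables the channel.
ISOLATION_KEYS = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
}

# Constructed sample .vmx: a guest left at the defaults, i.e. no isolation keys at all.
WEAK_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "6"
displayName = "lab-guest"
guestOS = "winxppro"
'''

# The same guest with the three channels explicitly disabled.
HARDENED_VMX = WEAK_VMX + '''isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
'''

_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased so comparisons are case-insensitive."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def isolation_findings(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per isolation key that is missing or not set to the hardened value."""
    findings = []
    for key, wanted in ISOLATION_KEYS.items():
        actual = cfg.get(key.lower())
        if actual is None:
            findings.append(f"{key} not set (channel enabled by default)")
        elif actual.upper() != wanted:
            findings.append(f"{key} = {actual!r} (expected {wanted})")
    return findings


def harden(text: str) -> str:
    """Return the .vmx text with any existing isolation keys replaced by the hardened values."""
    managed = {k.lower() for k in ISOLATION_KEYS}
    kept = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in managed:
            continue  # drop the old setting; it is re-added below
        kept.append(line)
    kept += [f'{k} = "{v}"' for k, v in ISOLATION_KEYS.items()]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(label, isolation_findings(parse_vmx(text)) or "no findings")
```

The checker treats an absent key as a finding because VMware's defaults leave the channel enabled; `harden()` rewrites a file in place so the same check passes afterwards.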

2007 – Microsoft – Vulnerability found – “run as” local denial-of-service enables administrative account processes to be killed

While a user at any security membership level is logged in locally, using the “run as” feature he can kill all of the processes running under the user who initiated the “run as” feature, even if the initiating user has a higher security membership level than the user under whom the killing action runs via “run as”. The kill is performed using the taskkill.exe application, which is built into Windows XP.

SecurityFocus Bugtraq post by me

2015 – F5 Networks – Possible vulnerability in F5 Networks BIG-IP LTM – Improper input validation of the HTTP version number of the HTTP request allows any payload size and content to pass through

The data accepted in the HTTP version field of the request line is not enforced to be in the correct format, so a payload of any content, format and size gets through without being immediately rejected by an error or security response; only when the underlying TCP timeout is reached does the server side close the TCP connection (i.e. no HTTP response is received from the remote server side).

F5 Networks advisory
F5 Networks bug tracker
SecurityFocus Bugtraq post by me
The story behind this finding at my blog
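What strict validation of the HTTP-version token looks like, and how to probe a front-end for the behaviour described above, as an added example that is not part of the original page, of F5's code, or of the author's report. It applies the RFC 7230 request-line grammar (`HTTP/` followed by one digit, a dot, and one digit) and rejects over-long request lines; the 8192-byte limit, the host name `target.example`, and the local listener that stands in for the device under test are all assumptions of this example. `probe()` sends garbage in the version slot and reports whether any response arrived before the socket timeout; against a device with the weakness described above it would report `answered: False` after the full timeout.

```python
"""Strict HTTP request-line validation and a probe for lax HTTP-version handling."""
import re
import socket
import threading
import time
from typing import List, Optional, Tuple

# RFC 7230: request-line = method SP request-target SP HTTP-version CRLF
#           HTTP-version = "HTTP/" DIGIT "." DIGIT
REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
MAX_REQUEST_LINE = 8192  # assumed limit for this example


def validate_request_line(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); anything without a well-formed HTTP-version token is rejected."""
    end = data.find(b"\r\n")
    if end < 0:
        if len(data) > MAX_REQUEST_LINE:
            return False, "request line too long without CRLF"
        return False, "incomplete request line"
    line = data[: end + 2]
    if len(line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    if not REQUEST_LINE.match(line):
        return False, "malformed request line or HTTP-version"
    return True, "ok"


def build_probe(version_field: bytes, host: bytes = b"target.example") -> bytes:
    """Build a GET whose HTTP-version slot carries arbitrary bytes."""
    return b"GET / " + version_field + b"\r\nHost: " + host + b"\r\n\r\n"


def probe(host: str, port: int, version_field: bytes, timeout: float = 5.0) -> dict:
    """Send the probe and report whether the server answered before the timeout."""
    started = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(version_field))
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    status: Optional[bytes] = reply.split(b"\r\n", 1)[0] if reply else None
    return {"answered": bool(reply), "elapsed": round(time.monotonic() - started, 3), "status_line": status}


def serve_strict(ready: threading.Event, port_box: List[int]) -> None:
    """One-shot local listener that applies validate_request_line and answers 400 on failure."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        ok, _reason = validate_request_line(data)
        status = b"200 OK" if ok else b"400 Bad Request"
        conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    srv.close()


def demo() -> dict:
    """Start the strict listener locally and probe it with 4 KiB of garbage as the version token."""
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=serve_strict, args=(ready, port_box), daemon=True)
    t.start()
    ready.wait(2)
    result = probe("127.0.0.1", port_box[0], b"HTTP/" + b"A" * 4096, timeout=3.0)
    t.join(2)
    return result


if __name__ == "__main__":
    print(demo())
```

To test a real front-end, call `probe(host, port, b"HTTP/" + b"A" * 4096)` directly; an immediate `400` with a short `elapsed` is the expected hardened behaviour, while `answered: False` with `elapsed` close to the timeout matches the description above.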

2019 – Microsoft – Security exposures found on the online services

On 31-May-2019 Microsoft published an acknowledgement of my help, as I had alerted it to multiple security exposures in its online services.

Microsoft acknowledgment page for security researchers that reported security issues with Microsoft online services

