Dec 31, 2009

8 years hacking Microsoft stuff, +50 vulnerabilities found

2009 is ending and I thought it would be nice to write down my personal record on Microsoft vulnerabilities. I started finding vulns in MS products in 2002 and these are most of them:

- Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
- Microsoft Biztalk Server DTA vulnerable to SQL injection
- Microsoft Commerce Server 2002 Weak Registry Key Permissions Weakness
- Microsoft Active Server Pages Cookie Retrieval Issue
- Microsoft Windows LPC heap overflow
- Microsoft Windows Utility Manager Local Elevation of Privileges
- Microsoft Windows Utility Manager Local Elevation of Privileges II
- Microsoft Windows Improper Token Validation
- Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
- Microsoft MSDTC COM+ Remote Code Execution Vulnerability
- Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer Overflow Vulnerability
- Microsoft Windows COM Structured Storage Local Privilege Escalation Vulnerability
- Microsoft Windows Thread Pool ACL Local Privilege Escalation Vulnerability
- Microsoft Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
- Microsoft Windows MSDTC Service Isolation Vulnerability
- Microsoft Windows WMI Service Isolation Local Privilege Escalation Vulnerability
- Microsoft Windows Shell Could Allow Remote Code Execution (2 vulns)
- Microsoft SQL Server Heterogeneous Queries Buffer Overflow
- Microsoft SQL Server xp_dirtree Buffer Overflow
- Microsoft SQL Server Buffer Overflows in numerous extended stored procedures (17 vulns)
- Microsoft SQL Server encoded password written by service pack
- Microsoft SQL Server BULK INSERT buffer overflow
- Microsoft SQL Server multiple buffer overflows in DBCC and SQL Injections (6 vulns)
- Microsoft SQL Server multiple vulnerabilities (5 vulns)


If you count them, they are 50 vulnerabilities in total, 14 of them Microsoft Windows specific. Actually the real count should be +50: a few vulnerabilities not mentioned here were patched in service packs or new versions, not acknowledged by MS as vulnerabilities, etc.
Of course I'm not mentioning here the 0days I have; with them the count is >50, reaching 20 specific to MS Windows.

Microsoft should give me a prize someday ;)


Nico Waisman said...

Great number! A professional career.


Leonardo Pigñer said...

Awesome man! Congratulations and keep hacking ;-)

Hernán M. Racciatti said...

Hey! Congrats!, now... no more free bugs :P

Cesar Cerrudo said...

Thank you guys

BloggerPete said...

Nice work!
I just have to wonder why you would waste your brain power on such a lame OS.
There are so many other OSes that you could be working on, doing functional work versus finding broken pieces of a broken OS.
Sorry if I offend anyone, but Microsoft is such a waste of time.

What OS were you using when PC-DOS was released in the wild?
I was using the version, "CPM-86" that Mr. Bill, "I copy the best and steal the rest" plagiarized and sold to IBM as PC-DOS!
It was disgusting!
Still is!