Discovered Vulnerabilities
The public ones.
Discovered 18 vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) including multiple stack and heap buffer overflows for remote code execution, admin password hash extraction, plaintext credential leakage, stored and reflected XSS, and arbitrary file disclosure. CVE-2019-15240 through CVE-2019-15258. Co-researched with Alex Weber.
Found 6 vulnerabilities in ASUSTOR NAS devices running ADM 3.1.5 and below. Authenticated file upload leading to remote code execution, arbitrary file deletion via path traversal, account enumeration, file disclosure for both user and admin roles, and a man-in-the-middle XSS via update checks. CVE-2018-15694 through CVE-2018-15699.
Local privilege escalation to root in IBM Netezza Platform Software. A setuid root binary executed a Perl script from a world-writable directory, allowing unprivileged users to inject code and gain root access. CVE-2018-1460.
Authenticated RCE in Firebird database server. By declaring external user-defined functions with incompatible parameter types, an attacker could overwrite function pointers and achieve SYSTEM-level code execution. CVE-2017-11509.