
Security Research

I am currently a full-time security researcher at the Fraunhofer SIT security test lab. Previously, I was involved in security research both professionally at Cynops GmbH and independently, and have discovered vulnerabilities in Firefox, Opera, Outlook and Office 2007, Adobe Reader, as well as in a number of servers and services, often related to certificate handling. Below is a list of the advisories I have published; more research, in the form of slides, papers and presentation recordings, can be found in the download section.

2009

2009/12/21: SQL-Ledger — various issues

I discovered several issues (XSS, SQL injection, LFI, …) in the open source ERP system SQL-Ledger. See the advisory for more details.

2008

2008/09/29: CAcert — non-persistent cross-site scripting

In September 2008, I discovered a non-persistent cross-site scripting vulnerability in cacert.org. This wouldn't normally make me write a security advisory, but as this was on the site of a certificate authority, I made an exception. See the advisory for more details.

2008/05/28: Opera — heap-based buffer overflow (CVE-2007-6521)

In October 2007, I discovered a heap-based buffer overflow in the certificate parsing of the Opera browser. The corresponding advisory was released in May 2008, just in time for my talk at EUSecWest.

2008/04/02: Apache-SSL — minor memory disclosure (CVE-2008-055)

In January 2008, I accidentally discovered that Apache-SSL parsed client certificate DNs incorrectly, making it possible to overwrite parts of the DN and causing a minor memory disclosure. Details in the advisory.

2008/04/01: X.509 over HTTP

In January 2008, I discovered that the certificate parsing in Microsoft's CryptoAPI could be used to trigger unwanted HTTP requests. This vulnerability affects Outlook, Windows Live Mail and Office 2007. A proof of concept is available by sending an empty mail to smime-http@klink.name or by downloading the prepared Word 2007 document. Details are available in a whitepaper. This vulnerability also generated some press (Heise UK, Heise Germany) and was a large part of my EUSecWest 2008 talk on abusing X.509 certificate features.
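The following is an added example, not code from this page or from the advisory: a small pure-Python DER walker that lists the HTTP URLs a certificate carries in the two standard places an X.509 consumer may fetch from automatically, the Authority Information Access (AIA) and CRL Distribution Points extensions. It assumes those two extensions are the relevant ones; the advisory's exact CryptoAPI behaviour is not reproduced. The extension block it parses, including all host names and URLs, is constructed inline for the demo.

```python
# Added example (not from the original page or advisory). Lists the http(s)
# URLs an X.509 consumer may fetch from the AIA (1.3.6.1.5.5.7.1.1) and CRL
# Distribution Points (2.5.29.31) extensions. Both carry URLs as GeneralName
# uniformResourceIdentifier entries, i.e. implicit context tag [6] (0x86).
# The extension block below is constructed for the demo; the URLs are
# placeholders, not data from the advisory.

OID_AIA = "1.3.6.1.5.5.7.1.1"
OID_CRLDP = "2.5.29.31"
OID_OCSP = "1.3.6.1.5.5.7.48.1"
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def der_len(n):
    """Encode a definite DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at pos (definite lengths only)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def collect_uris(buf):
    """Recursively gather GeneralName URIs ([6] IA5String) from a DER blob."""
    uris = []
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag == 0x86:            # context-specific [6], primitive: a URI
            uris.append(val.decode("ascii"))
        elif tag & 0x20:           # constructed type: descend into it
            uris.extend(collect_uris(val))
    return uris


def fetchable_urls(extensions_der):
    """Map the AIA / CRL DP extension OIDs to the http(s) URLs they carry.

    extensions_der is the DER of the Extensions SEQUENCE, i.e. the content of
    the [3] extensions field of TBSCertificate."""
    found = {}
    tag, exts, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)          # one Extension SEQUENCE
        _, oid_body, p = read_tlv(ext, 0)          # extnID
        oid = decode_oid(oid_body)
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                              # optional BOOLEAN critical
            t, val, p = read_tlv(ext, p)
        if oid in (OID_AIA, OID_CRLDP):            # val = extnValue OCTET STRING content
            found[oid] = [u for u in collect_uris(val)
                          if u.lower().startswith(("http://", "https://"))]
    return found


def uri(u):
    return tlv(0x86, u.encode("ascii"))


def build_extensions():
    """Constructed demo Extensions SEQUENCE with AIA and CRL DP (placeholder URLs)."""
    aia = tlv(0x30, tlv(0x30, encode_oid(OID_OCSP) + uri("http://ocsp.example.test/"))
                    + tlv(0x30, encode_oid(OID_CA_ISSUERS) + uri("http://pki.example.test/ca.cer")))
    # DistributionPoint { distributionPoint [0] { fullName [0] GeneralNames } }
    crldp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, uri("http://crl.example.test/ca.crl")
                                                      + uri("ldap://dir.example.test/cn=ca")))))
    ext_aia = tlv(0x30, encode_oid(OID_AIA) + tlv(0x04, aia))
    ext_crldp = tlv(0x30, encode_oid(OID_CRLDP) + tlv(0x04, crldp))
    return tlv(0x30, ext_aia + ext_crldp)


if __name__ == "__main__":
    for oid, urls in fetchable_urls(build_extensions()).items():
        print(oid, urls)
```

The non-HTTP entry (the ldap:// distribution point) is deliberately dropped, since the point is to surface what a mail client or document viewer might reach out to over HTTP when it merely parses and validates a certificate. To run this on a real certificate, pass it the DER of the Extensions SEQUENCE, which can be cut out of a certificate with the offsets shown by `openssl asn1parse -inform DER`.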

2008/02/13: OpenCA — Cross Site Request Forgery (CVE-2008-0556)

In December 2007, I discovered an XSRF issue in OpenCA that could have led to the unauthorized issuance of certificates. Details in the advisory and on Heise UK and Heise Germany.

2007

2007/09/07: Firefox 2.0.x, 1.5 — automatic installation of TLS client certificates (CVE-2007-4879)

In September 2007, I discovered that, using SPKAC (the Signed Public Key and Challenge format produced by the keygen element), Firefox could be made to install a TLS client certificate (more or less) silently. This certificate could then be used to track a user across different websites. This issue was fixed in Firefox 2.0.0.13. It is also present in (Mac OS X) Safari, which is why the proof of concept might still be useful. The vulnerability was covered on Heise UK and Heise Germany.

2007/08/27: Stampit Web — Denial of Service (CVE-2007-3871)

In July 2007, I accidentally discovered a design bug in Deutsche Post's internet stamping application Stampit Web, which could have led to an easily executed DoS against its 120,000 customers. The advisory as well as the press articles (Heise UK, Heise Germany, Spiegel Online) provide more details.

2007/04/10: DropAFew — SQL injection, authorization issue (CVE-2007-1363 and CVE-2007-1364)

In March 2007, I discovered several issues (most severely a SQL injection) in DropAFew. Details in the advisory.

2007/03/20: dproxy — remotely exploitable buffer overflow (CVE-2007-1465)

I also discovered a stack buffer overflow in dproxy in March 2007. Details are available in the advisory. I also wrote a Metasploit module (dproxy.pm), but I can no longer offer it here due to crazy German laws.

2006

2006/05/02: JSBoard — Cross Site Scripting (CVE-2006-2109)

In April 2006, I discovered an XSS issue in JSBoard. Details in the advisory.

2005

2005/09/01: Adobe Reader — user tracking

In 2005, I discovered that JavaScript and PDF forms could be used to track the readers of a document by silently sending out HTTP requests. I set up a proof of concept website, and the issue was fixed by Adobe in Adobe Reader 7.0.5.