Security Research

by Alexander Sotirov

Navigation

Resources

Latest posts

• Assured Exploitation 2011
• You Should Work for Symantec
• CSAW final challenge
• CSAW reversing challenge
• Darknet design

Archives

• 2011 | 2010 | 2009 | 2008

Follow

• Twitter
• Blog feed

Contact

• alex@sotirov.net
• PGP key

Meet me at

• CanSecWest

  Vancouver, Mar 9-11

• Infiltrate

  Miami Beach, Apr 16-17

Research

Projects

• Creating a rogue CA certificate

  I was a member of an international team of researchers who successfully executed a practical MD5 collision attack and were able to create a rogue CA trusted by all common browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connection.

• Bypassing browser memory protections in Windows Vista

  An in-depth analysis of the exploitation mitigations in Windows Vista and multiple techniques for bypassing them using browser plugins.

• Blackbox reversing of XSS filters

  Finding security vulnerabilities in XSS filters in web applications using an iterative model generation approach.

• Heap Feng Shui in JavaScript

  A technique for precise manipulation of the browser heap using specific sequences of JavaScript allocations, allowing for the reliable exploitation of heap corruption vulnerabilities.

• TinyPE

  Creating the smallest possible PE executable.

• Third-party patches

  Using reverse engineering to create patches for critical vulnerabilities before the official vendor patches are released.

• Automatic vulnerability detection using static source code analysis

  My thesis on a technique for static source code analysis for vulnerability detection and its implementation as an extension to GCC.

• Honeynet reverse challenge

  I won fourth place in the the reverse engineering contest organized by the Honeynet Project in 2002.

Vulnerabilities

Jan 8, 2008	OpenPegasus PAM authentication buffer overflow
Jun 12, 2007	Internet Explorer URLMON class factory uninitialized memory vulnerability
May 8, 2007	Exchange calendar MODPROPS denial of service
Mar 29, 2007	Windows ANI header buffer overflow
Jan 27, 2007	Internet Explorer ActiveX bgColor property denial of service [UNPATCHED]
Dec 15, 2006	Windows CSRSS message box double free
Jan 5, 2006	Windows Metafile infinite loop vulnerability [UNPATCHED]
Feb 8, 2005	Multiple vulnerabilities in Operator Shell
Aug 8, 2002	OpenLDAP KBIND authentication buffer overflow

Exploits

Mar 26, 2004	Windows ASN.1 bitstring heap corruption
Oct 15, 2003	ProFTPd ASCII translation heap overflow
Sep 17, 2002	Apache OpenSSL heap overflow
Aug 7, 2002	OpenLDAP KBIND authentication buffer overflow
Oct 10, 2000	Solaris locale format string bug