In my personal time I hunt for vulnerabilities in open and closed source software. Below is a list of my publicly acknowledged vulnerabilities.

CVE-2019-4094 – IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) binaries load shared libraries from an untrusted path, potentially giving a low-privilege user full root access by loading a malicious shared library.


CVE-2019-6724 – Barracuda VPN Client Privilege Escalation on Linux and macOS

The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.


CVE-2019-7249 – Local Privilege Escalation in MacOS via Keybase Helper

In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-of-check-to-time-of-use (TOCTOU) bugs and would also allow one user of the system (who did not have root access) to tamper with another user's installs. View the Hackerone report 471739.


CVE-2018-18629 – Local Privilege Escalation on Linux via keybase-redirector

An issue was discovered in the Keybase command-line client 2.8.0.20181017144746.3efc4cbf3c for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary. View the Hackerone report 426944, write-up and PoC CVE-2018-18629.sh.


CVE-2018-15332 – BIG-IP APM client for Linux and macOS vulnerability

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition. A malicious, local, unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.


CVE-2018-1792 – IBM MQ can allow an attacker to execute a privilege escalation attack on a local machine.

A problem within IBM MQ libraries could allow an attacker who has access to a local machine to use IBM MQ to escalate their privileges on that system and gain access to the root user.


CVE-2018-1802 – IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path

Db2 binaries load shared libraries from an untrusted path, potentially giving Db2 Instance Owner root access.


CVE-2018-18555 – VyOS Multiple restricted shell escapes for operators

A sandbox escape issue was discovered in VyOS 1.1.8. It provides a restricted management shell for operator users to administer the device. By issuing various shell special characters with certain commands, an authenticated operator user can break out of the management shell and gain access to the underlying Linux shell. The user can then run arbitrary operating system commands with the privileges afforded by their account.


CVE-2018-18556 – VyOS Privilege escalation via sudo pppd

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation to spawn an attacker-controlled shell with root privileges. View the write-up and PoC CVE-2018-18556.sh.


CVE-2018-1710 – Buffer overflow in IBM® Db2® tool db2licm

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) tool db2licm is affected by a buffer overflow vulnerability that can potentially result in arbitrary code execution.


CVE-2018-5546 – BIG-IP APM client for Linux and macOS vulnerability

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS run as privileged processes and can allow an unprivileged user to get ownership of files owned by root on the local client host.


CVE-2018-2939 – Oracle DBMS arbitrary file overwrite vulnerabilities

Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1 and 18.2. This easily exploitable vulnerability allows a low-privileged attacker with Local Logon privilege, and logon to the infrastructure where Core RDBMS executes, to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may significantly impact additional products. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Core RDBMS accessible data, and in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Core RDBMS.


CVE-2018-5529 – F5 BIG-IP APM client for Linux and Mac OS X vulnerability

The svpn component of the BIG-IP APM client for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host.


CVE-2018-1458 – Multiple untrusted search path vulnerabilities in the IBM® Db2® DAS component on Windows

Multiple untrusted search path vulnerabilities in the Db2 Administration Server (DAS) component of Db2 on Windows could allow a local user to execute arbitrary code.


CVE-2018-1487 – Privilege escalation in IBM® Db2® via loading libraries from untrusted path

Db2 loads shared libraries from an untrusted path, potentially giving a low-privilege user full access to the DB2 instance account by loading a malicious shared library. All instance owner executables that run with elevated privileges (setuid) are affected. Root setuid executables are not affected. The implication is that if the customer has implemented their own applications which run with elevated privileges (setuid), those are affected as well, and it is up to the customer to ensure that the DB2INSTANCE environment variable is correctly set to the Db2 instance owner and not modified by a malicious user.


CVE-2018-1488 – Buffer overflow in IBM® Db2® tool db2licm

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.


CVE-2018-1449, CVE-2018-1450, CVE-2018-1451, CVE-2018-1452 – IBM® Db2® is affected by multiple file overwrite vulnerabilities

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.


CVE-2018-1448 – IBM® Db2® vulnerability allows local user to overwrite Db2 files

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.


CVE-2017-12337 – Cisco Voice Operating System-Based Products Unauthorized Access Vulnerability

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device.


CVE-2017-1452 – IBM® Db2® vulnerability allows local user to overwrite Db2 files

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user to obtain elevated privileges and overwrite DB2 files.


CVE-2017-1438 – Privilege escalation vulnerabilities affect IBM® Db2®

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.


CVE-2017-1439, CVE-2017-1451 – Privilege escalation vulnerabilities affect IBM® Db2®

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.