TippingPoint Digital Vaccine Laboratories

Aaron Portnoy

Aaron Portnoy's Image

Security Researcher


Aaron Portnoy is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: Microsoft, Adobe, RSA, Citrix, Symantec, Hewlett-Packard, IBM and others.

Additionally, Aaron has presented original research at conferences such as BlackHat US, BlackHat Japan, Microsoft's BlueHat, and Toorcon, among others. He has contributed mind share and code to OpenRCE, PaiMei, Sulley, PyMSRPC, as well as various white papers and books.

Published Advisories:
  • TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack Overflow Vulnerability
  • TPTI-07-21: Adobe Flash Player JPG Processing Heap Overflow Vulnerability
  • TPTI-07-18: EMC RepliStor Server Heap Overflow Vulnerability
  • TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities
  • TPTI-07-16: CA BrightStor Hierarchical Storage Manager Buffer Overflow Vulnerabilities
  • TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities
  • TPTI-07-12: Multiple Vendor Progress Server Heap Overflow Vulnerability
  • TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability
  • TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
  • TPTI-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability
  • TPTI-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
  • Upcoming Advisories:
  • Hewlett-Packard (313 days since report)
  • Microsoft (185 days since report)
  • Appearances:
  • Upcoming: Reverse Engineering Dynamic Languages, a Focus on Python
    2008-06-13 REcon
  • Reverse Engineering Cookbook
    2008-04-19 Toorcon Seattle
  • RPC Auditing Tools and Techniques
    2007-11-22 DeepSec In-Depth Security Conference
  • Advanced Fuzzing with Sulley
    2007-10-25 BlackHat Japan
  • Fuzzing Sucks!
    2007-09-27 Microsoft BlueHat
  • Fuzzing Sucks!
    2007-08-02 BlackHat US
  • RPC Auditing Tools and Techniques
    2007-05-12 Toorcon Seattle
  • Blog Entries
  • First Annual DeepSec Security Conference
    created 2007-11-24 (0 comments, 1344 views)
  • Sulley vs. HP OpenView
    created 2007-08-24 (2 comments, 2605 views)