Carter Yagemann

Assistant Professor of Computer Science and Engineering at The Ohio State University, specializing in systems and software security, including vulnerability discovery, exploit prevention, fault injection, cyber-physical systems, and financial market security.

#exploit Articles

Jun 29, 2020
Security

New CVE Published (CVE-2020-14931)

CVE-2020-14931 has been assigned for a vulnerability I found in DMitry. The details are available here. This issue is currently being patched.

Jun 18, 2020
Security

Fuzzers Suck: New 0-Day Shows We Need To Do Better

Fuzz testing (more commonly known as "fuzzing") has become a predominate technique for bug hunting because it's easy to deploy and yields results. Academic security research is now flooded with papers on the topic — USENIX Security alone accepted 7 papers in the 2020 Fall submission cycle — many of which propose …

Mar 02, 2020
Security

New CVE Published (CVE-2020-9549)

CVE-2020-9549 has been assigned for a vulnerability I found in Pdfresurrect. The details are available here. This issue is currently being patched.

Aug 15, 2019
Security

New PoC Published to Exploit-DB (EDB-ID-47254)

I published a PoC for a new vulnerability in abc2mtex version 1.6.1. This was discovered while testing an analysis framework I'm developing with my peers at Georgia Tech. The vulnerability is due to an unsafe strcpy that allows an attacker to overwrite a return address and achieve arbitrary …

Dec 16, 2017
Security

How ASLR Helps Enable Exploits (CVE-2013-2028)

The other day I was playing around with CVE-2013-2028 along with my peer Hong Hu when we came across something odd: CVE-2013-2028 is only exploitable on 64-bit GNU/Linux when ASLR is enabled. After confirming this observation multiple times, we were left very surprised. How could ASLR possibly worsen the …