CPR Publications

Here I will keep an up-to-date list of my publications, as they were published on the research blog of Check Point Research (CPR). The list is ordered by research topics, in a chronological order, meaning that all RDP blog post parts are listed one after the other, instead of by their chronological order.

As some of the research projects were also presented in conferences (Black Hat USA, DEFCON, CCC, etc.), here is the link to the GitHub repo which contains all of the conference slides + demo videos: conference presentations.

Publications list:

Blog Updates

On February 2018 I started working on the vulnerability research team at Check Point. This means that my blog posts (such as Linux Kernel MMap Vulnerabilities, and Check Point Responds to AMD Flaws) are now published in our group’s research blog. Although my personal research blog won’t be updated in the near future, I can guaranty that we have some very interesting research results that are waiting to be published, and so subscribing to the group’s blog is highly recommended.

Faxploit Update:

As I promised, we had a very interesting research underway, and it is now published. We were able to remotely exploit all-in-one printers using only a phone line! By sending a malicious FAX we took over a target printer and managed to spread through the network it is connected to. Here is the link to our research.

For more updates, check out the group’s blog.

Thanks for visiting,  @Eyalitkin

ELF caves: hiding in the corner

During exploitation of ELF binaries, it is quite common that one needs to find a writable memory region: a writable “cave”. In this post I’ll present two generic techniques to find such caves, without the need to reverse engineer the target binary.

Continue reading “ELF caves: hiding in the corner”

Tales from a Bug Bounty

On the 18th of November I submitted a ticket to the Monero HackerOne Bug Bounty program. This is the ticket regarding ‘GarlicRust’, a vulnerability I publicly disclosed in my previous blog post. Unfortunately for me, Monero updated the bounty terms after my submission, and the bottom line is that I did not receive the bounty I initially expected.

Continue reading “Tales from a Bug Bounty”

CVE Publication: GarlicRust CVE 2017-17066

The GarlicRust vulnerability, a.k.a CVE 2017-17066, is a major info-leak vulnerability in C++ implementations of the I2P router. The vulnerability was found in i2pd and kovri, as part of the Monero bug bounty program.

Continue reading “CVE Publication: GarlicRust CVE 2017-17066”

Cartography – Lighting up the shadows

In the previous post I demonstrated how to bypass Microsoft’s RFG, a.k.a. “Shadow Stack”, assuming we can locate the shadow stack. In this post I’ll fill up the missing details, and will describe how to find “Shadow” memory sections in a process’s virtual address space. While the technique works both in Windows and Linux, and it will demonstrate some key differences between the two operating systems.

Continue reading “Cartography – Lighting up the shadows”

Bypassing Return Flow Guard (RFG)

At the end of 2016, while checking for updates in Microsoft’s bounty program, I saw a reference to a new defense mechanism called “Return Flow Guard” (RFG). Since at that time I just finished the work on Liberation Guard, I took the time to check if can bypass this new protection method. This post will describe my attack on Microsoft’s Return Flow Guard, an attack that achieves full bypass of the protection method.

Continue reading “Bypassing Return Flow Guard (RFG)”