CPR Publications

Here I will keep an up-to-date list of my publications, as they were published on the research blog of Check Point Research (CPR). The list is ordered by research topics, in a chronological order, meaning that all RDP blog post parts are listed one after the other, instead of by their chronological order.

As some of the research projects were also presented in conferences (Black Hat USA, DEFCON, CCC, etc.), here is the link to the GitHub repo which contains all of the conference slides + demo videos: conference presentations.

Publications list:

• Check Point Responds to AMD Flaws (backup)
• MMap Vulnerabilities – Linux Kernel (backup)
• What The FAX?! (backup) – Conference Talk
• Reverse RDP Attack – Part I: Code Execution on RDP Clients (backup) – Conference Talk
• Reverse RDP Attack – Part II: The Hyper-V Connection (backup) – Conference Talk
• Reverse RDP Attack – Part III: The Path Not Taken (backup)
• Karta – Matching Open Sources in Binaries (backup) – Conference Talk
• Thumbs Up: Using Machine Learning to Improve IDA’s Analysis (backup)
• The NSO WhatsApp Vulnerability – This is How It Happened (backup)
• Say Cheese: Ransomware-ing a DSLR Camera (backup) – Conference Talk
• OptOut – Compiler Undefined Behavior Optimizations (backup)
• Safe-Linking – Eliminating a 20 year-old malloc() exploit primitive (backup)
• Would you like some RCE with your Guacamole? (backup)
• Don’t be silly – It’s only a lightbulb (backup) – Conference Talk
• Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints (backup) – Conference Talk
• Graphology of an Exploit – The Story of PlayBit (backup)
• Game On – Finding vulnerabilities in Valve’s “Steam Sockets” (backup)

Blog Updates

On February 2018 I started working on the vulnerability research team at Check Point. This means that my blog posts (such as Linux Kernel MMap Vulnerabilities, and Check Point Responds to AMD Flaws) are now published in our group’s research blog. Although my personal research blog won’t be updated in the near future, I can guaranty that we have some very interesting research results that are waiting to be published, and so subscribing to the group’s blog is highly recommended.

Faxploit Update:

As I promised, we had a very interesting research underway, and it is now published. We were able to remotely exploit all-in-one printers using only a phone line! By sending a malicious FAX we took over a target printer and managed to spread through the network it is connected to. Here is the link to our research.

For more updates, check out the group’s blog.

Thanks for visiting,  @Eyalitkin

ELF caves: hiding in the corner

During exploitation of ELF binaries, it is quite common that one needs to find a writable memory region: a writable “cave”. In this post I’ll present two generic techniques to find such caves, without the need to reverse engineer the target binary.

Continue reading “ELF caves: hiding in the corner”

Tales from a Bug Bounty

On the 18th of November I submitted a ticket to the Monero HackerOne Bug Bounty program. This is the ticket regarding ‘GarlicRust’, a vulnerability I publicly disclosed in my previous blog post. Unfortunately for me, Monero updated the bounty terms after my submission, and the bottom line is that I did not receive the bounty I initially expected.

Continue reading “Tales from a Bug Bounty”

CVE Publication: GarlicRust CVE 2017-17066

The GarlicRust vulnerability, a.k.a CVE 2017-17066, is a major info-leak vulnerability in C++ implementations of the I2P router. The vulnerability was found in i2pd and kovri, as part of the Monero bug bounty program.

Continue reading “CVE Publication: GarlicRust CVE 2017-17066”

Cartography – Lighting up the shadows

In the previous post I demonstrated how to bypass Microsoft’s RFG, a.k.a. “Shadow Stack”, assuming we can locate the shadow stack. In this post I’ll fill up the missing details, and will describe how to find “Shadow” memory sections in a process’s virtual address space. While the technique works both in Windows and Linux, and it will demonstrate some key differences between the two operating systems.

Continue reading “Cartography – Lighting up the shadows”

Bypassing Return Flow Guard (RFG)

At the end of 2016, while checking for updates in Microsoft’s bounty program, I saw a reference to a new defense mechanism called “Return Flow Guard” (RFG). Since at that time I just finished the work on Liberation Guard, I took the time to check if can bypass this new protection method. This post will describe my attack on Microsoft’s Return Flow Guard, an attack that achieves full bypass of the protection method.

Continue reading “Bypassing Return Flow Guard (RFG)”

MRuby VM Escape – step by step

Last post we discussed format string implementation vulnerabilities, and focused on the vulnerabilities in the (C/M)Ruby implementation. Since shopify integrated MRuby in a VM-like scenario, we will present a step-by-step exploitation of the main shown vulnerability, achieving a VM escape.

Continue reading “MRuby VM Escape – step by step”

Format Strings – Behind the Scenes

Format string vulnerabilities belong to a special family of vulnerabilities: a family of vulnerabilities that were once destructive but now days receive a decreasing amount of attention. Since most vulnerable code samples are based on poor C/C++ programming education, much like SQL Injections in SQL, most researchers believe that this vulnerability group can be completely mitigated with proper coding standards. However, this blog post will address a hidden aspect of the format string vulnerability, one that can impact quite a large number of high level programming languages.

Continue reading “Format Strings – Behind the Scenes”

Integer Exceptions

The Integer-Overflow (IOF) vulnerability family is responsible for a dominant part of C/C++ code vulnerabilities, as I shown in my previous post with a specific example. However, the Integer vulnerability class has more than IOFs in it, and this will be the topic of this post.

Continue reading “Integer Exceptions”