Blog Updates

On February 2018 I started working on the vulnerability research team at Check Point. This means that my blog posts (such as Linux Kernel MMap Vulnerabilities, and Check Point Responds to AMD Flaws) are now published in our group’s research blog. Although my personal research blog won’t be updated in the near future, I can guaranty that we have some very interesting research results that are waiting to be published, and so subscribing to the group’s blog is highly recommended.

Thanks for visiting,  @Eyalitkin


ELF caves: hiding in the corner

During exploitation of ELF binaries, it is quite common that one needs to find a writable memory region: a writable “cave”. In this post I’ll present two generic techniques to find such caves, without the need to reverse engineer the target binary.

Continue reading “ELF caves: hiding in the corner”

Tales from a Bug Bounty

On the 18th of November I submitted a ticket to the Monero HackerOne Bug Bounty program. This is the ticket regarding ‘GarlicRust’, a vulnerability I publicly disclosed in my previous blog post. Unfortunately for me, Monero updated the bounty terms after my submission, and the bottom line is that I did not receive the bounty I initially expected.

Continue reading “Tales from a Bug Bounty”

CVE Publication: GarlicRust CVE 2017-17066

The GarlicRust vulnerability, a.k.a CVE 2017-17066, is a major info-leak vulnerability in C++ implementations of the I2P router. The vulnerability was found in i2pd and kovri, as part of the Monero bug bounty program.

Continue reading “CVE Publication: GarlicRust CVE 2017-17066”

Cartography – Lighting up the shadows

In the previous post I demonstrated how to bypass Microsoft’s RFG, a.k.a. “Shadow Stack”, assuming we can locate the shadow stack. In this post I’ll fill up the missing details, and will describe how to find “Shadow” memory sections in a process’s virtual address space. While the technique works both in Windows and Linux, and it will demonstrate some key differences between the two operating systems.

Continue reading “Cartography – Lighting up the shadows”

Bypassing Return Flow Guard (RFG)

At the end of 2016, while checking for updates in Microsoft’s bounty program, I saw a reference to a new defense mechanism called “Return Flow Guard” (RFG). Since at that time I just finished the work on Liberation Guard, I took the time to check if can bypass this new protection method. This post will describe my attack on Microsoft’s Return Flow Guard, an attack that achieves full bypass of the protection method.

Continue reading “Bypassing Return Flow Guard (RFG)”

MRuby VM Escape – step by step

Last post we discussed format string implementation vulnerabilities, and focused on the vulnerabilities in the (C/M)Ruby implementation. Since shopify integrated MRuby in a VM-like scenario, we will present a step-by-step exploitation of the main shown vulnerability, achieving a VM escape.

Continue reading “MRuby VM Escape – step by step”