On the 18th of November I submitted a ticket to the Monero HackerOne Bug Bounty program. This is the ticket regarding ‘GarlicRust’, a vulnerability I publicly disclosed in my previous blog post. Unfortunately for me, Monero updated the bounty terms after my submission, and the bottom line is that I did not receive the bounty I initially expected.
Category: Public Disclosure
CVE Publication: GarlicRust CVE 2017-17066
The GarlicRust vulnerability, a.k.a CVE 2017-17066, is a major info-leak vulnerability in C++ implementations of the I2P router. The vulnerability was found in i2pd and kovri, as part of the Monero bug bounty program.
Continue reading “CVE Publication: GarlicRust CVE 2017-17066”
Cartography – Lighting up the shadows
In the previous post I demonstrated how to bypass Microsoft’s RFG, a.k.a. “Shadow Stack”, assuming we can locate the shadow stack. In this post I’ll fill up the missing details, and will describe how to find “Shadow” memory sections in a process’s virtual address space. While the technique works both in Windows and Linux, and it will demonstrate some key differences between the two operating systems.
MRuby VM Escape – step by step
Last post we discussed format string implementation vulnerabilities, and focused on the vulnerabilities in the (C/M)Ruby implementation. Since shopify integrated MRuby in a VM-like scenario, we will present a step-by-step exploitation of the main shown vulnerability, achieving a VM escape.
Format Strings – Behind the Scenes
Format string vulnerabilities belong to a special family of vulnerabilities: a family of vulnerabilities that were once destructive but now days receive a decreasing amount of attention. Since most vulnerable code samples are based on poor C/C++ programming education, much like SQL Injections in SQL, most researchers believe that this vulnerability group can be completely mitigated with proper coding standards. However, this blog post will address a hidden aspect of the format string vulnerability, one that can impact quite a large number of high level programming languages.
Continue reading “Format Strings – Behind the Scenes”
CVE Publication: CVE 2016-8636
After a long patching process, CVE 2016-8636 was now fixed and can be publicly disclosed. CVE 2016-8636 is caused by a classic integer-overflow vulnerability, showing that even the linux kernel suffers from this major vulnerability family.
Liberation Guard – CFG Enhancement
In my search of Bug Bounty programs, I found Microsoft’s page and started to learn about CFG – Microsoft’s CFI implementation. From this research I developed “Liberation Guard”, a security enhancement to CFG that aims to block virtual table hijacking exploits.
Python 2.7.12 mmap information leak
During the end of august I made an audit to the C modules in the popular Python library, version 2.7.12. This audit quickly produced the 1st vulnerability I found in a high-profile library, the 1st of many more that came afterwards.
CVE Publication: CVE 2016-8633
As I promised in my previous post, here is an official public disclosure of CVE 2016-8633: linux kernel firewire driver remote code execution. The official fix was merged yesterday into the linux kernel, and so I can know talk freely about it.
CVE(s) Publication: libcsp
During last August I made a security audit to an interesting embedded library I have found in Github: libcsp:
Cubesat Space Protocol – A small network-layer delivery protocol designed for Cubesats
This blog post will describe my findings, CVE 2016-8596, CVE 2016-8597, CVE 2016-8598, will publicly disclose the vulnerabilities and will elaborate on the lessons that can be learned from them.