Omri Herscovici (@omriher)'s Twitter Profile
Omri Herscovici

@omriher

Developer, Hacker & Lover | Security Researcher at @Intel | Former @_CPResearch_ Vulnerability Research TL | Opinions are non-existent

ID: 65497246

Link: http://omriher.com | 13-08-2009 23:15:18

244 Tweets

1,1K Followers

261 Following

Omri Herscovici (@omriher):

That's why we recommend simply using the following command for the SIGRed workaround:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS

But patching is much preferred!

Omri Herscovici (@omriher):

There are 40,000 internet-facing Windows DNS servers listening on TCP port 53, but for #SIGRed it could be much higher in case the server only listens on UDP 53. You can force the target to initiate a TCP connection to you by turning on the Truncation flag in a UDP response

Omri Herscovici (@omriher):

It seems that RRSIG-Records parsing indeed leads to the vulnerable function, therefore can also be used to trigger the vulnerability

Omri Herscovici (@omriher):

Turning ON Analytical Logs in Windows DNS could allow for the detection of the SIGRed vulnerability. Looks like the logging of the crafted SIG query is written even if the exploitation fails and the server crashes

Omri Herscovici (@omriher):

We're getting asked whether the registry workaround for SIGRed works on Windows Server 2003 and the answer is YES. However, if your organization still runs it there are probably multiple other ways to pwn it other than using CVE-2020-1350

Check Point Research (@_cpresearch_):

[CPR-Zero] CVE-2020-6008, CVE-2020-6009 & CVE-2020-6010 (Learning Management Systems): Multiple critical vulnerabilities (SQLi + File Write) in the 3 leading WordPress LMS Plugins cpr-zero.checkpoint.com/vulns/cprid-21… cpr-zero.checkpoint.com/vulns/cprid-21… cpr-zero.checkpoint.com/vulns/cprid-21…

Omri Herscovici (@omriher):

After 7 years at Check Point Research, I'm moving on to my next endeavor. Leading the vulnerability research team at Check Point Research was an inspiring position, and it is truly one of the best places in infosec. See you guys down the road!

Check Point Research (@_cpresearch_):

A malicious picture can trigger an Instagram vulnerability potentially resulting in RCE on mobile devices. Read our full technical paper here: research.checkpoint.com/2020/instagram…

Omri Herscovici (@omriher):

I stopped maintaining CapTipper 4 years ago since the decline of exploit kits. To my surprise, I learned the tool is still being used in DFIR toolkits and networking courses in colleges. So I found some time to fix a few bugs and port the code to Python3: github.com/omriher/CapTip…

Omri Herscovici (@omriher):

ChatGPT doesn't only pass Turing's test, but would also slide into his DMs, tell him to meet them at the make-out point and then ghost him