Jonathan Bar Or

Jonathan Bar Or ("JBO")

Security Researcher | Hacker | Public Speaker


Publications and speaking

⚔️ Offensive security publications


🛡️ Defensive security publications


🎤 Conferences and public speaking

| Conference | Talk |
|---|---|
| DEFCON 30 VR village | Free phone got me critical vulns affecting millions of Android devices |
| DEFCON 31 VR village | The curse of ncurses |
| DEFCON 31 | Getting a Migraine |
| DEFCON 32 VR village | The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office |
| DEFCON VR Groups | The anatomy of UAC bypasses |
| DEFCON VR Groups | A very Dangerous Dave |
| Nullcon Berlin 2023 | The Achilles heel of the macOS Gatekeeper |
| Nullcon Online | macOS security features bypasses by example |
| Blue Hat Israel 2022 | Learning macOS Security by Finding Vulns |
| Blue Hat Israel 2017 | Defending the Defenders - tampering EDR solutions |
| Th0tcon 0xC | The Achilles heel of the macOS Gatekeeper |
| B-sides Vancouver 2024 | The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office |
| The Hack Summit 2024 | The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office |
| Hushcon Seattle 2024 | HM Surf - Having fun with Safari and other browsers |
| AVAR 2022 | Security mechanisms on macOS and bypassing them |
| Exploitcon Bellevue 2023 | The curse of ncurses |
| Exploitcon Bellevue 2022 | How getting a free phone got me vulns on millions of Android devices |
| SANS | Windows Defender ATP's Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints |
| Security Unlocked | Discovering Router Vulnerabilities with Anomaly Detection |
| On Path Podcast | My personal journey |

Writeups

🍎 Apple macOS

  • Introduction to macOS - TCC
  • Introduction to macOS - App structure
  • Introduction to macOS - The Gatekeeper
  • Introduction to macOS - The sandbox
  • Introduction to macOS - SIP
  • Introduction to macOS - Mach Ports
  • Introduction to macOS - XProtect

🪟 Microsoft Windows (and some DOS)

  • Introduction to anti-debugging
  • Introduction to Windows injection and hooking
  • Metasploit Shellcode analysis
  • Coding a ransomware in a minute
  • Virtual Memory and KnownDlls
  • UAC bypasses
  • Reverse-engineering Dangerous Dave
  • Binary Golf 4 - COM files
  • Hotkey-based keylogger for Windows
  • Keylogging without conditions or loops
  • The anatomy of a Bootkit
  • TPM vs. Bootkit

🐧 Linux (and some binary editing)

  • Coding a Linux userland rootkit
  • Binary Golf 5 - Linux shellcoding ideas
  • Binary Golf 5 - Java class format
  • Introduction to Linux pwn - the beginning
  • Introduction to Linux pwn - overriding the return address
  • Introduction to Linux pwn - ROP chains
  • Wordle CTF challenge
  • Dictiopwn - abusing unix_chkpwd

📚 Cryptography and math

  • Introduction to cryptography - terminology and first examples
  • Introduction to cryptography - basic modular arithmetics
  • Introduction to cryptography - Vigenère cipher
  • Introduction to cryptography - RSA
  • Introduction to cryptography - prime number generation
  • The relation between programming and mathematical formulae
  • Introduction to cryptography - Diffie-Hellman key exchange
  • Introduction to cryptography - Elliptic Curve Cryptography
  • Digital signatures

👊 The Goonies CTF

  • ångstrom CTF 2021 - Oracle of Blair
  • ångstrom CTF 2021 - substitution
  • ångstrom CTF 2021 - I'm so random
  • UMass CTF 2021 - malware
  • Securinets CTF Quals 2021 - MiTM
  • Union CTF 2021 - Human server
  • justCTF 2020 - That's not crypto
  • CrowdStrike CTF 2021 - Module Wow
  • CrowdStrike CTF 2021 - Matrix

🎭 Other publications

  • PagedOut! #5 - The art of Java class minimization
  • DigitalWhisper #152 - A very Dangerous Dave (Hebrew)
  • DigitalWhisper #154 - Getting a Migraine (Hebrew)

CVEs, patents and projects

🎉 CVEs

| CVE ID | Platform(s) | Description |
|---|---|---|
| CVE-2025-31198 | Apple (macOS, iOS) | Unzip utility path traversal using symlinks |
| CVE-2025-31191 | Apple (macOS, iOS) | Sandbox escape using keychain item redefinitions |
| CVE-2025-26721 | Barebox (bootloader) | Buffer overflow during file creation in the persistent storage |
| CVE-2025-26722 | Barebox (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the SquashFS filesystem |
| CVE-2025-26723 | Barebox (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the EXT4 filesystem |
| CVE-2025-26724 | Barebox (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the CramFS filesystem |
| CVE-2025-26725 | Barebox (bootloader) | Buffer overflow during directory entry parsing in the JFFS2 filesystem |
| CVE-2025-26726 | U-Boot (bootloader) | Buffer overflow during directory table parsing in the SquashFS filesystem |
| CVE-2025-26727 | U-Boot (bootloader) | Buffer overflow during inode parsing in the SquashFS filesystem |
| CVE-2025-26728 | U-Boot (bootloader) | Buffer overflow during file reading in the SquashFS filesystem |
| CVE-2025-26729 | U-Boot (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the EROFS filesystem |
| CVE-2025-0677 | GRUB2 (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the UFS filesystem |
| CVE-2025-0678 | GRUB2 (bootloader) | Buffer overflow during file reads due to an integer overflow in the SquashFS filesystem |
| CVE-2025-0684 | GRUB2 (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the ReiserFS filesystem |
| CVE-2025-0685 | GRUB2 (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the JFS filesystem |
| CVE-2025-0686 | GRUB2 (bootloader) | Buffer overflow during symbolic link handling due to an integer overflow in the RomFS filesystem |
| CVE-2025-0689 | GRUB2 (bootloader) | Buffer overflow during block reads due to an out-of-bounds operation in the UDF filesystem |
| CVE-2025-0690 | GRUB2 (bootloader) | Buffer overflow due to an unsafe signed integer overflow in the read builtin command |
| CVE-2025-0118 | GRUB2 (bootloader) | Arbitrary memory read due to a misconfiguration of the dump command in Secure Boot environments |
| CVE-2025-1125 | GRUB2 (bootloader) | Buffer overflow during file opens due to an integer overflow in the HFS filesystem |
| CVE-2024-56738 | GRUB2 (bootloader) | Cryptographic side-channel attack |
| CVE-2024-56737 | GRUB2 (bootloader) | Buffer overflow in filesystem mounting due to a wild strcpy in the HFS filesystem |
| CVE-2024-44243 | Apple (macOS, iOS) | storagekitd-based SIP bypass |
| CVE-2024-44133 | Apple (macOS, iOS) | Browser-based TCC bypass |
| CVE-2023-32369 | Apple (macOS, iOS) | migrationd-based SIP bypass |
| CVE-2023-29491 | ncurses (library) | Multiple memory corruption vulnerabilities in the ncurses library |
| CVE-2022-4499 | TP-Link routers | Cryptographic side-channel attack in the httpd authentication method |
| CVE-2022-4498 | TP-Link routers | Buffer overflow in httpd |
| CVE-2022-42821 | Apple (macOS, iOS) | AppleDouble-based Gatekeeper bypass |
| CVE-2022-29800 | Linux | networkd-dispatcher race condition (TOCTOU) |
| CVE-2022-29799 | Linux | networkd-dispatcher directory traversal |
| CVE-2022-26706 | Apple (macOS, iOS) | launchd stdin-based sandbox escape |
| CVE-2022-2587 | ChromeOS | D-Bus-based remote memory corruption vulnerability |
| CVE-2022-0987 | Linux | PackageKit information disclosure vulnerability |
| CVE-2021-42601 | mce (Android SDK) | mce SDK vulnerability |
| CVE-2021-42600 | mce (Android SDK) | mce SDK vulnerability |
| CVE-2021-42599 | mce (Android SDK) | mce SDK vulnerability |
| CVE-2021-42598 | mce (Android SDK) | mce SDK vulnerability |
| CVE-2021-35247 | SolarWinds Serv-U (Windows) | SolarWinds Serv-U LDAP injection vulnerability |
| CVE-2021-30970 | Apple (macOS, iOS) | Injection-based TCC bypass |
| CVE-2021-30892 | Apple (macOS, iOS) | system_installd-based SIP bypass |
| CVE-2020-35785 | Netgear routers | NETGEAR DGN2200v1 authentication bypass |
| CVE-2017-0095 | Hyper-V (Microsoft) | Hyper-V vSMB remote code execution |

💡 Patents

| Patent ID | Description |
|---|---|
| Patent 408978-US-NP | Dysfunctional device detection tool |
| Patent 410415-US-NP | Command classification using active learning |
| Patent 412482-US-NP | Detecting a spoofed entity based on complexity of a distribution of events initiated by the spoofed entity |

🚧 Other projects

| Project | Description |
|---|---|
| Cicada Tools | A Cicada 3301 research utility |
| Hotkeyz | Windows-based keylogging capability using hotkeys |
| HM-surf evaluator | An evaluator for CVE-2024-44133 for all common macOS browsers |
| Miniclass-exec | Minimization of Java bytecode to execute a certain command line |
| Dangerous Dave level editor | A level editor for the 1990 Dangerous Dave DOS game |
| Prog2Math | Translates programming concepts to LaTeX formulae |
| Dictiopwn | Local dictionary attack on Linux |