Security Pills - Issue 10

Release Date: 29 Aug 2022 | Issue: 10 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there 👋,How is it going?  Hope you had a great weekend! It has been a pretty intense week over here but had the opportunity to practice a new sport! Are you into sports? (Nope, hacking doesn't count, sorry 😀).

Hacking Solidity Smart Contracts #smart-contractsA hands-on article where the author, Reando, explores how to identify and fix an overflow/underflow vulnerability in a Solidity smart contract.  

Winds of Change #smart-contracts

Attack Surface of Extension Pages #appsecThis article is part of a series on the basics of browser extension security. If someone is going to attack a browser extension, achieving Remote Code Execution (RCE) would be the obvious thing to do. However, what we call RCE here, is usually called Cross-Site Scripting (XSS) in other contexts. Using an example extension for Chrome the author explores how to successfully attack a browser extension and achieve the greatest impact.You may also find interesting the two other articles in this series: Anatomy of a basic extension, and Impact of extension privileges.

How to Detect OAuth Access Token Theft in Azure #incident-responseStealing access tokens to gain access to a user’s account in Azure is a technique that’s been actively used by threat groups over the past few years. Lina (inversecos) has observed this technique in several engagements across the past few years from Chinese APT groups. This article details the different methods used to detect OAuth Access Token thefts.

Beosin H1 2022 Web3 Security Research #smart-contractsIn this semi-annual report, Beosin have analyzed the overall situation of blockchain security, including total loss amounts, the types of projects attacked, hacking techniques, the flow of funds and project audits. Overall, this is what happened in the first half of 2022:

Magnifier: An Experiment with Interactive Decompilation #reverse-engineeringTrail of Bits has released Magnifier, an experimental reverse engineering user interface. This article summarizes the design and conception of this tool with some practical cases to learn how to use it.

DEF CON 30 Badge Challenge WriteUp #researchPete Souba (@Kybr) has published his writeup for the DEF CON 30 badge challenge.

Reverse Engineering Solana with Binary Ninja #reverse-eengineeringOtterSec has published their open-source Binary Ninja plugin for Solana as an attempt to make easier blackbox Solana program analysis. This blog post provides some background on the Solana runtime and describe the various components of the plugin.

Vulnerability in Linux containers: Investigation and mitigation #containerizationThis article details access controls on Linux containers and how attackers could read or modify files if permissions are not configured properly. The author dives deep into how negative group permissions behave within containers by experimenting with different container images and attack vectors.

But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) #exploitingLast week we shared the first part of this series where the author reviewed how Pwn2Own contestant Manfred Paul was able to compromise the Mozilla Firefox renderer process through a prototype pollution vulnerability in the 'await' implementation.This second part discuss another prototype pollution vulnerability which allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox.

Command Injection in the GitHub Pages Build Pipeline #appsecJoren Vrancken recently discovered a command injection vulnerability affecting GitHub Pages build process. Joren was able to craft a malicious payload to achieve access to private repositories through the exploitation of this vulnerability.

Securing Developer Tools: Argument Injection in Visual Studio Code #exploitingSonar dives into a new vulnerability identified in one of the most popular IDEs: Visual Studio Code. The vulnerability identified allowed attackers to craft malicious links that, once interacted with, would trick the IDE into executing unintended commands on the victim's computer. This article is a detailed walkthrough on how the issue was identified and exploited and the patch implemented by Microsoft.This article is part of the Securing Developer Tools series, which you may also find interesting: Git Integrations and Package Managers.

Break Me Out Of Sandbox In Old Pipe (CVE-2022-22715) #exploitingBack in February, Microsoft patched the vulnerability used by K0shl to escape Adobe Reader's sandbox. The vulnerability existed for nearly 10 years. This article is a walkthrough on the root causes and exploitation of CVE-2022-22715, Windows Dirty Pipe.

Uncovering a ChromeOS Remote Memory Corruption Vulnerability #exploitingMicrosoft discovered a memory corruption vulnerability in a ChromeOS component that could be triggered remotely, allowing attackers to perform either a denial-of-service (DoS), or remote code execution (RCE).

Build Your First LLVM Obfuscator #reverse-engineeringThis article briefly presents LLVM, discuss popular obfuscation approaches and their shortcomings and go through the details of creating a LLVM-based string obfuscator.

Decoding a $830,000 Exploit #smart-contractsOn the 16th of August, 2022, a vulnerability in Stader’s NearX smart contract was exploited. A total of 165,000 $NEAR tokens were stolen, which amount to approx. $830,000. The attacker “gregoshes.near” exploited well-known Reentrancy Vulnerability in the contract’s batch_transaction function to steal the amount. This attack leads to the draining of liquidity from the NEAR liquid staking pool.

Tetsuji: Remote Code Execution on a GameBoy Color 22 Years Later #research, #exploitingMobile Adapter GB was an accessory for the GameBoy/GameBoy Color/GameBoy Advanced which let players connect their console to their internet via their mobile phone. One of the games that supported this adapter was Pokemon Crystal. This article is a thorough review on a vulnerability discovered in Pokemon Crystal and exploited through the Mobile Adapter GB, which provided the author with remote code execution on the GameBoy Color.

Truth Behind the Celer Network cBridge Cross-Chain Bridge Incident: BGP Hijacking #smart-contractsCeler Network announced few days ago that certain cBridge users were redirected to a  malicious smart contract. Later, it was discovered that attackers directly targeted Celer's underlying infrastructure, by allowing users to access a phishing website after deceiving the Internet's underlying routing protocol (BGP). This article is a post-mortem analysis conducted by SlowMist security team.

GitHub Cache Poisoning #appsecCompanies are more and more often affected by supply chain attacks. Specially when CI is involved, and companies use caching to speed up processes. For example, attackers could use a malicious tool in a test workflow to poison its cache, and later another workflow with higher privileges use the same cache, thus pivoting the original attack. The security team at Scribe conducted a research on experimental attacks on a GitHub CI pipeline and detailed their process on this article.

Paradigm CTF 2022 Write-Up #researchThe Duck has written a thorough write-up on the three challenges he solved for the Paradigm CTF using Solana and Anchor. The write-up also contains the solution for the 'Stealing Sats' and 'fun-reversing-challenge'  (an EVM reverse-engineering challenge).

🎥 Videos

• The story of TrustZone reversing — Slava Moskvin on his journey into TrustZone reverse engineering.

• LiveOverflow - Minecraft Force-OP Exploit — In this episode, LiveOverflow explains how a user got OP on his Minecraft server and analyzes the protocol vulnerability he reported back in March.

• Nahamseec - Attack Surface Management Series EP2 Shodan — Ben talks about Shodan and how you can use its search engine to identify targets that belong to an organization or specific software.

• Wireghoul - Improving your code review skills: File writing & String Escaping bugs — In this episode wireghoul look at some file write issues in combination with string escaping that result in code injection vulnerabilities.

⌨️ Repositories

• nccgroup/jwt-reauth — Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.

• WithSecureLabs/chainsaw — Rapidly search and hunt through Windows event logs.

• Markakd/DirtyCred — DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged access.

🎙️ Podcasts

1. Uncover: Cross-Chain Crime: The New Frontier in Crypto Laundering — Tom Robinson (Co-Founder and Chief Scientist at Elliptic) discusses with Will Thompson the latest research done by Elliptic on cross-chain bridges, the OFAC's sanctioning Tornado Cash and much more.

2. Darknet Diaries EP 122: Lisa — In this episode we hear some insider threat stories from Lisa Forte.

3. The Ransomware Files - Guest Episode: The Storm — In mid-April, there was a ransomware attack. It wasn’t against a small business. It wasn’t directed at a large company or even a large city. It was against a country: Costa Rica.

💡 Security Tips

• @0xRST — On using Trickest Inventory data set but only for specific files.

• @MarioPoneder — On security recommendations and take-aways from reviewing vulnerable Solidity smart contracts.

• @Merkle3_ — On commonly used tools by exploit researchers (smart contracts / DeFi)

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews