Security Pills - Issue 13
How does Tornado.cash work?, Reversing Solana with Binary Ninja, Jetty Features for Hacking Web Apps

Release Date: 19 September 2022 | Issue: 13
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there,

How is it going? Hope you had a great weekend! Looks like the Merge was successful and Ethereum Mainnet has merged with a separate proof-of-stake blockchain. Congrats to those who were involved! This week we are bringing you some interesting articles: the ins and outs of Tornado Cash and its use of Zero-Knowledge Proofs (ZKPs), how gas swindlers are stealing from BNB Chain users, using unknown Jetty features to help you pentest web applications, and how to analyze ZKP smart contracts using Circomspect. This and much more in this week's newsletter!

Enjoy it!

Articles: The Blind Spots of BloodHound, Jetty Features for Hacking Web Apps, The Seventh Way to Call a JavaScript Function Without Parentheses, Traces of Windows Remote Command Execution, iOS Native Code Obfuscation and Syscall Hooking, Non-Aware Proxy Apps with Wireguard, How Does Tornado.cash Work?, The Move Prover: A Practical Guide, It Pays to be Circomspect, How Scammers Are Paying Nothing for Your NFTs, Reverse Engineering Solana with Binary Ninja.
Vulnerabilities & Bug Bounties: Caching the Un-cacheables: Abusing URL Parser Confusions, Colorful Vulnerabilities, Hacking Unity Games with Malicious GameObjects Pt.2, Attacking the Android Kernel Using the Qualcomm TrustZone, Decoding Ragnarok Online Invasion $44,222 exploit, Building a PoC For the Uranium Heist, How Gas Swindlers Are Stealing From BNB Chain Users, The Risk of Secondary Markets for Depegged Collateral Tokens.
Resources:
Videos: How to Protect Your Crypto Assets From Thieves, Cairo Contract Reverse Engineering, Disassembly & Analysis with Thoth, The End of Humans in Minecraft, Smart Contract Series Ep.3 - Auditing Smart Contracts.
Repositories: CloudFox, jsoncrack.com, betterscan-ce, requests-ip-rotator, circomspect, bn-ebpf-solana.
Podcasts: Malicious Life: Hacking Multi-Factor Authentication
Tags used in this issue: #active-directory, #appsec, #exploiting, #mobile, #smart-contracts

The Blind Spots of BloodHound #active-directory
BloodHound has been nothing short of revolutionary to the way attackers think about attacking large networks, and the way defenders should think about defending their network. However, BloodHound does not paint the full picture, and this article presents some ideas on how to solve those blind spots of BloodHound.

Jetty Features for Hacking Web Apps #appsec
To properly assess the security of a web application, it's important to analyze it with regard to the server it will run on. Many things depend on the server, from processing user requests to the easiest way of achieving RCE. In this article, Mikhail Klyuchnikov looks at Jetty, a well-known web server and Java web container typically deployed behind an Apache or NGINX proxy server, and details how to find paths to all web applications on the server, achieve RCE using an XML file, and bypass a web application firewall and remain unnoticed.

Context Path Disclosure
The Seventh Way to Call a JavaScript Function Without Parentheses #appsec
Gareth Heyes from PortSwigger explains how tagged template strings work. Although the technique in this article does not directly enable exploitation, it can be used to gain a greater understanding of the JavaScript language, providing a foundation for evasion of JavaScript sandboxes and WAFs.

Traces of Windows Remote Command Execution #exploiting
A typical compromise starts with an attacker obtaining access to a workstation. The attacker then tries to pivot into other workstations or servers by executing commands. This article aims to build a comprehensive list of techniques that are used by pentesters and attackers, explain how these techniques are implemented in different tools, and list the artifacts that can be collected by DFIR analysts.

iOS Native Code Obfuscation and Syscall Hooking #mobile
After publishing his first part on SingPass RASP Analysis, Romain analyzed another application protected with the same obfuscator but with enhanced protections. In this case the library does not leak symbols about the RASP checks or about the obfuscator, and some functions are obfuscated with control-flow flattening and Mixed Boolean-Arithmetic (MBA) expressions.

Non-Aware Proxy Apps with Wireguard #mobile
Straightforward article by Joan Bono on how to intercept traffic from non-proxy-aware applications on Android and iOS.

How Does Tornado.cash Work? #smart-contracts
In August 2022, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, adding 45 Ethereum addresses to the Specially Designated Nationals (SDN) List of sanctioned persons. This document aims to help the reader understand what Tornado Cash is, how it works, and what, exactly, was sanctioned.

Zero-Knowledge Proof (ZKP) example
The Move Prover: A Practical Guide #smart-contracts
The Move Prover is an automated tool that allows developers to formally verify smart contracts written in the Move programming language. Formal verification is a powerful tool for proving the correctness of your programs. This article provides practical tips to help you use the Move Prover to its fullest potential, exploring real-world examples of how to use formal verification to secure a smart contract.

It Pays to be Circomspect #smart-contracts
In October 2019, a security researcher found a devastating vulnerability in Tornado.cash. At the time, the Tornado.cash team saved its users' funds by exploiting the vulnerability to drain the funds from the mixer before the issue was discovered by someone else, and then patching the ZKPs and migrating all user funds to a new version of the contract. This vulnerability could have been caught using Circomspect, a new static analyzer for ZKPs engineered by Trail of Bits. It is a tool to find potential vulnerabilities in ZKPs developed using Circom, the language used for the ZKPs deployed by Tornado.cash.

How Scammers Are Paying Nothing for Your NFTs #smart-contracts
The SlowMist team has published a review of a recent scam where scammers created a malicious contract to deceive the victims into selling their NFTs for a price established by the scammer, so they could later buy the NFT through OpenSea for free.

Reverse Engineering Solana with Binary Ninja #smart-contracts
OtterSec has published their open-source Binary Ninja plugin for Solana. This blog post provides some background on the Solana runtime and describes the various components of the plugin.

Caching the Un-cacheables: Abusing URL Parser Confusions #appsec
@h4r3l was able to utilize URL parser confusion in combination with reflected XSS under a GlassDoor resource by caching XSS payloads via cookie and header parameters into a stored XSS. This combination allowed the self-reflected XSS to be converted to a stored XSS which was cached to a local CDN for approximately 10 minutes.

Colorful Vulnerabilities #exploiting
The research team from CyberArk started to research third-party Linux kernel drivers, one of which was OpenRazer, an open-source driver for gaming devices produced by Razer. During the research they found a buffer overflow in the OpenRazer open-source kernel drivers, which caused a Denial of Service and possibly Elevation of Privileges. This article introduces how to conduct vulnerability research in kernel modules, details the security issues identified, and describes how they encountered a newly added feature of the Linux kernel, which was part of Fortify Source and caused some complications during the exploit development.

Hacking Unity Games with Malicious GameObjects Pt.2 #exploiting
In this article, Jason Kielpinski shares a zero-click method of triggering UnityEvents, along with a new exploit that does not use UnityEvents and removes one of the limitations of the UnityEvent-based attack.

Attacking the Android Kernel Using the Qualcomm TrustZone #mobile
Tamir describes in this article how he found CVE-2021-1961, a vulnerability affecting the communication protocol of Qualcomm's TrustZone (QSEE). The issue may allow attackers to corrupt memory management data in the protocol. Tamir exploited this issue and instructed the TrustZone to modify the Android kernel memory, thus achieving arbitrary read/write primitives over physical memory addresses, turning this vulnerability into a reliable exploit that works out of the box without the need to be adapted per device/version.

Decoding Ragnarok Online Invasion $44,222 Exploit #smart-contracts
On September 8th, 2022, Ragnarok Online Invasion ($ROI) was attacked. The cause of the attack was a typical access control vulnerability in the ownership transfer function. Around 158 BNB (44,222.5 BUSD) were stolen by the hackers in this attack. This article provides details on how the attack was conducted.

Stolen funds still resting in the hacker's address
Building a PoC For the Uranium Heist #smart-contracts
On April 28, 2021, Uranium Finance was the victim of a heist which resulted in the loss of over $50 million worth of tokens across 26 different market pairs. This article from Immunefi explores the attack that took place by identifying the root cause and then creating a proof of concept to exploit the vulnerability.

How Gas Swindlers Are Stealing From BNB Chain Users #smart-contracts
The crypto space is a true wild west of adventure and despair. Fortunes are made and lost in an instant. In the darkest corner of this digital frontier are silent predators, waiting in the shadows for unsuspecting victims to become their next profitable feast. This article, written by Hephyrius.eth, visits one of the emerging predators slowly evolving in the dark underbelly of crypto, preying on the residents of BNB Chain: the Gas Swindler.

Methodology used by the 'gas swindler'
The Risk of Secondary Markets for Depegged Collateral Tokens (Moonwell Bug Disclosure) #smart-contracts
On August 1st, 2022, the Nomad bridge for the Moonbeam chain was hacked and several bridged assets lost their peg. Lending markets on Moonbeam rely on Chainlink price feeds for their operation. However, Chainlink price oracles quote the underlying asset, and not the price of the bridged asset. In the absence of a valid price oracle for the depegged assets, Moonwell continued to rely on Chainlink, but paused further deposits and borrows of all assets in their market to mitigate further accrual of bad debt.
Two weeks later, the Risk DAO team reported another attack vector involving the launching of a secondary market for defunct cTokens to allow users to cheaply buy cUSDC.mad collateral tokens, and consequently drain the platform of some of its non-pegged assets. This article provides background on the vulnerability identified, how lending platforms work, the secondary market attack vector, and how to mitigate it.

Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

Videos
How to Protect Your Crypto Assets From Thieves - Jack Rhysider (author of Darknet Diaries) has talked to hackers, digital bank robbers, and law enforcement to learn how crypto thieves get away with millions. The top 3 ways I'm seeing people get their crypto assets stolen are from their exchange account getting compromised, their seed phrase getting stolen, or getting phished. This video breaks down each of these techniques so you can secure yourself better.
Starknet/Cairo Contract Reverse Engineering, Disassembly & Analysis with Thoth - Patrick Ventuzelo has published a new video where he shows how to reverse, disassemble, decompile and analyze Cairo smart contracts deployed on Starknet using Thoth, FuzzingLabs' Cairo/Starknet bytecode analyzer, disassembler & decompiler.
The End Of Humans In Minecraft - LiveOverflow continues his Minecraft series, showing how hackers keep finding vulnerabilities in his server.
Smart Contract Series: Ep. 3 - Auditing Smart Contracts - In this episode Nahamsec continues his smart contract series by interviewing Michael from Halborn on what auditing a smart contract looks like, with an example found by the folks at Halborn.

Repositories
BishopFox/CloudFox - CloudFox helps you gain situational awareness in unfamiliar cloud environments. It's an open-source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
AykutSarac/jsoncrack.com - Tool that generates graph diagrams from JSON objects.
marcinguy/betterscan-ce - Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC).
Ge0rg3/requests-ip-rotator - Python library that uses AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
trailofbits/circomspect - Circomspect is a static analyzer and linter for the Circom programming language. Circomspect currently implements a number of analysis passes which can identify potential issues in Circom circuits.
otter-sec/bn-ebpf-solana - Binary Ninja plugin for Solana eBPF.

Podcasts
Malicious Life: Hacking Multi-Factor Authentication - Multi-Factor Authentication (MFA) is usually considered a better solution for authentication than just using passwords. But Roger Grimes, a veteran security professional and Data-Driven Defense Evangelist, claims that the sense of security current MFA solutions provide us is false.

Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email. I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews