Security Pills - Issue 14
The Profanity Tool Vulnerability, Breaking Bitbucket, A Sneak Peek into Smart Contracts Reversing & Emulation
Release Date: 26 September 2022 | Issue: 14 | Subscribe
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋, how is it going? Hope you had a great weekend! Looks like we got another breach, this time targeting the market maker Wintermute, with a loss of about $160 million. A vulnerability in the Profanity tool, used to generate vanity Ethereum addresses, appears to be the cause behind this attack. Any address generated with Profanity should be considered at risk of compromise, meaning tens of millions -- if not hundreds of millions -- of dollars in cryptocurrency could still be stolen. Will we see another heist next week? There are some interesting articles in this week's newsletter; I won't spoil them, so please enjoy!
Articles: A Guide to DNS Takeover, Creating a Challenge for The Infosecurity Challenge 2022, SSRF Vulnerabilities and Where to Find Them, Dissecting and MITMing Duo Device Health App, Making HTTP Header Injection Critical Via Response Queue Poisoning, Analyzing Golang Executables, Challenges Brought by Blockchain Forks, What Can Be Learned From Recent BGP Hijacks Targeting Cryptocurrency Services, A Sneak Peek Into Smart Contracts Reversing and Emulation.
Vulnerabilities and Bug Bounties: How We Abused Repository Webhooks to Access internal CI Systems at Scale, Breaking Bitbucket: Pre Auth Remote Command Execution, Securing Developer Tools: OneDev Remote Code Execution, AttachMe: Critical OCI Vulnerability Allows Unauthorized Access to Customer Cloud Storage Volumes, Attacking Firecracker: AWS' microVM Monitor Written in Rust, Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library, Aurora Withdrawal Logic Error Bugfix Review, The Real Cause of the Wintermute Exploit, Hackers in Arbitrum's Inbox, Our Short Analysis of the Profanity Tool Vulnerability, The Two Sides of the Private Tx Service on Binance Smart Chain.
Videos: How to Audit a Smart Contract, Smart Contract Series Ep.4: Analyzing a Smart Contract Vulnerability Worth $600,000, The Age of Universal XSS.
Repositories: estimate-sol, ldapnomnom, kubescout, metamaska, AutoHoneyPoC, SandboxSpy, qiling.
Podcasts: The Noochie Show: Ep.21 The $1.75 Million Dollar NFT Heist, Darknet Diaries: Ep.124 Synthetic Remittance.
Tags used in this issue: #appsec, #cloud-security, #exploiting, #reverse-engineering, #smart-contracts.
A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers #appsec
Back in the old days, bounty hunters made busloads of bounties by automating the detection and exploitation of subdomain takeovers. Those bounties are still there, but competition is fierce. Meanwhile a related class of vulnerability, commonly mistaken for subdomain takeover, has been gaining traction over the past few months: DNS takeover, where the dangling record is a nameserver delegation rather than a single CNAME. This article explains how a DNS takeover differs from a subdomain takeover, how to detect and exploit one, and how to mitigate it.
Challendar: Creating a Challenge for The Infosecurity Challenge 2022 #appsec
Eugene Lim (spaceraccoon) created a challenge for the CTF organized for The Infosecurity Challenge 2022. This article details his process behind the challenge's creation: an almost-vulnerability he had found in Radicale, which he turned into a genuinely vulnerable scenario for the occasion. A pretty interesting read, especially if you wonder what it takes to create a fun and exciting CTF challenge.
SSRF Vulnerabilities and Where to Find Them #appsec
While SSRF attacks are not a new threat vector, they are often misunderstood and confused with CSRF. This article from Luke Stephens (hakluke) provides a thorough explanation of what this type of vulnerability is, the most common places where you can find it, and how the usual SSRF protections (hostname blocklists, string matching on the URL) can be bypassed.
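To make the bypass point concrete, here is an added example (mine, not from hakluke's article): a naive hostname blocklist of the kind the article warns about, next to a check that canonicalises the host to the IP address a socket would actually connect to. The blocklist, the hostnames and the stub resolver (`STUB_DNS`, `stub_resolve`) are constructed so the block runs offline; a real fetcher would resolve with the same resolver its HTTP client uses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed: the kind of string blocklist that looks sufficient and is not.
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "169.254.169.254", "metadata.google.internal"}

# Constructed stub resolver so the example runs without network access.
STUB_DNS = {
    "example.com": "93.184.216.34",           # public address
    "metadata.internal": "169.254.169.254",   # attacker-controlled name pointing at cloud metadata
    "jenkins.corp.local": "10.0.0.5",         # internal service
}


def stub_resolve(host: str) -> str:
    try:
        return STUB_DNS[host]
    except KeyError:
        raise OSError(f"unresolvable host: {host}")


def naive_allowed(url: str) -> bool:
    """Blocklist on the literal host string: defeated by alternative IP encodings and DNS."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def canonical_ip(host: str, resolve):
    """Turn whatever the URL's host field holds into the address a socket would connect to."""
    try:
        ip = ipaddress.ip_address(host)                            # dotted quad or IPv6 literal
    except ValueError:
        try:
            # inet_aton accepts the shorthand forms "127.1", "2130706433" and "0x7f000001"
            ip = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            ip = ipaddress.ip_address(resolve(host))               # a real hostname: ask DNS
    if ip.version == 6 and ip.ipv4_mapped is not None:             # ::ffff:127.0.0.1 hides an IPv4 target
        ip = ip.ipv4_mapped
    return ip


def hardened_allowed(url: str, resolve=stub_resolve) -> bool:
    """Allow only http(s) URLs whose resolved destination is a globally routable address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):                      # no file://, gopher://, dict://
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ip = canonical_ip(host, resolve)
    except (ValueError, OSError):
        return False
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata), CGNAT and reserved space.
    return ip.is_global


if __name__ == "__main__":
    for candidate in ("http://127.1/", "http://2130706433/", "http://0x7f000001/",
                      "http://[::ffff:127.0.0.1]/", "http://metadata.internal/",
                      "http://example.com/"):
        print(f"{candidate:32} naive={naive_allowed(candidate)!s:5} hardened={hardened_allowed(candidate)}")
```

Two caveats the check alone does not cover: resolve once and connect to that IP (otherwise a DNS rebinding answer between the check and the connect wins), and either disable redirects or re-run the check on every hop, since a 302 to `http://169.254.169.254/` is the classic way past a URL filter.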
Dissecting and MITMing Duo Device Health App #appsec
Article from Chaim Sanders detailing how he reverse engineered the Duo Device Health application and successfully spoofed its responses. As he describes, while both your browser and the policy enforcement application reside on the same host, there is a trust boundary between them. If no shared secret exists between the policy enforcement application and the policy engine to authenticate the user/device report, then the exchange is likely susceptible to being MITM'd, which was the case with the Duo Device Health application.
Making HTTP Header Injection Critical Via Response Queue Poisoning #appsec
HTTP header injection is often underestimated and misclassified. This article from James Kettle details a simple technique he used to turn a header injection vulnerability into a critical finding, earning him a substantial bounty. The technique applies both to request header injection on front-end servers and to response header injection on back-end servers.
Analyzing Golang Executables #reverse-engineering
The Go programming language has gained popularity among malware developers during the last few years. This can largely be explained by the relative simplicity of the language and the cross-compilation ability of its compiler. This blog post provides a deep dive into reverse engineering Golang executables and presents a Python extension for the JEB decompiler to ease Golang analysis.
Challenges Brought by Blockchain Forks #smart-contracts
Blockchain forks can be divided into soft forks and hard forks. A soft fork tightens the consensus rules, so blocks that were previously valid become invalid, and non-upgraded nodes still follow the chain; a hard fork changes the rules so that previously invalid blocks become valid, which invalidates the previous version of the protocol and requires every node to upgrade, so hard forks are carefully planned and executed. In any case, forking a blockchain is not as easy as it may seem and involves more than copying the original code and making a few modifications, if its integrity is to be preserved. This article from SlowMist provides a brief overview of the standard security concerns specific to forks and their countermeasures.
What Can Be Learned From Recent BGP Hijacks Targeting Cryptocurrency Services #smart-contracts
On August 17, 2022, an attacker stole approximately $235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service which allows users to convert between cryptocurrencies. In this article, the author describes this and previous infrastructure attacks against cryptocurrency services, and provides lessons learned for securing the BGP routing of any organization.
[Figure: Similar BGP hijack attack on myetherwallet.com]
A Sneak Peek into Smart Contracts Reversing and Emulation #smart-contracts
In recent years web3 has become more relevant, and more and more companies and start-ups have started developing solutions based on it. Consequently, there has also been an increase in the number of attacks. This blog post provides an introduction to EVM bytecode and shows how to reverse engineer and emulate a smart contract using Qiling.
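As an added example of the first step such an analysis takes (this is my code, not the blog post's and not part of Qiling), here is a minimal EVM disassembler plus a pass that recovers the function dispatcher, the `PUSH4 <selector> EQ PUSHn <dest> JUMPI` pattern that Solidity emits at the start of every contract. `SAMPLE_DISPATCHER` is hand-constructed bytecode for a two-function contract; the opcode subset and the two well-known selectors are the only real constants.

```python
# Subset of the EVM opcode table, enough for a dispatcher; PUSH1..PUSH32 are filled in below.
OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x04: "DIV", 0x0A: "EXP", 0x10: "LT", 0x14: "EQ",
    0x15: "ISZERO", 0x1C: "SHR", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x50: "POP", 0x52: "MSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5B: "JUMPDEST",
    0x80: "DUP1", 0x90: "SWAP1", 0xF3: "RETURN", 0xFD: "REVERT",
}
for n in range(1, 33):
    OPCODES[0x5F + n] = f"PUSH{n}"

# First four bytes of keccak256 of the canonical ERC-20 signatures.
KNOWN_SELECTORS = {0x70A08231: "balanceOf(address)", 0xA9059CBB: "transfer(address,uint256)"}


def disassemble(code: bytes):
    """Linear sweep over the bytecode; returns a list of (pc, mnemonic, immediate or None)."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        name = OPCODES.get(op, f"UNKNOWN_0x{op:02x}")
        imm, size = None, 1
        if 0x60 <= op <= 0x7F:
            n = op - 0x5F
            raw = code[pc + 1:pc + 1 + n].ljust(n, b"\x00")   # the EVM right-pads a truncated PUSH
            imm, size = int.from_bytes(raw, "big"), 1 + n
        insns.append((pc, name, imm))
        pc += size
    return insns


def find_selectors(code: bytes):
    """Recover the dispatcher table: {selector: (jump target, target is a JUMPDEST)}."""
    insns = disassemble(code)
    jumpdests = {pc for pc, name, _ in insns if name == "JUMPDEST"}
    table = {}
    for i in range(len(insns) - 3):
        (_, n0, sel), (_, n1, _), (_, n2, dest), (_, n3, _) = insns[i:i + 4]
        if n0 == "PUSH4" and n1 == "EQ" and n2.startswith("PUSH") and n3 == "JUMPI":
            table[sel] = (dest, dest in jumpdests)
    return table


def listing(code: bytes) -> str:
    """Human-readable listing, annotating known selectors."""
    lines = []
    for pc, name, imm in disassemble(code):
        text = f"{pc:04x}: {name}"
        if imm is not None:
            text += f" 0x{imm:x}"
            if name == "PUSH4" and imm in KNOWN_SELECTORS:
                text += f"  ; {KNOWN_SELECTORS[imm]}"
        lines.append(text)
    return "\n".join(lines)


# Constructed by hand: a dispatcher for balanceOf/transfer with stub bodies.
SAMPLE_DISPATCHER = bytes.fromhex(
    "600035" "60e01c"             # selector = calldata[0:4]  (CALLDATALOAD 0, SHR 0xe0)
    "806370a0823114610020" "57"  # DUP1 PUSH4 balanceOf EQ PUSH2 0x20 JUMPI
    "8063a9059cbb14610022" "57"  # DUP1 PUSH4 transfer  EQ PUSH2 0x22 JUMPI
    "600080fd"                   # fallback: PUSH1 0 DUP1 REVERT
    "5b00"                       # 0x20: JUMPDEST STOP  (balanceOf body stub)
    "5b00"                       # 0x22: JUMPDEST STOP  (transfer body stub)
)

if __name__ == "__main__":
    print(listing(SAMPLE_DISPATCHER))
    for sel, (dest, ok) in find_selectors(SAMPLE_DISPATCHER).items():
        print(f"selector 0x{sel:08x} -> 0x{dest:x} ({'valid' if ok else 'NOT a JUMPDEST'})")
```

Two things to keep in mind when pointing this at real deployed code: a linear sweep will happily "disassemble" the CBOR metadata Solidity appends after the runtime code, so stop at the last reachable instruction or strip the metadata first; and the table above predates `PUSH0` (0x5f), which will show up as `UNKNOWN_0x5f` on Shanghai-era contracts.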
How We Abused Repository Webhooks to Access Internal CI Systems at Scale #appsec
As CI systems and processes gain more traction, organizations increasingly implement a CI/CD architecture that combines a SaaS-based source control management system with an internal, self-hosted CI solution. To implement this architecture, they need to let the CI system receive webhook events from the SaaS source control vendor, typically by allowlisting the vendor's published IP ranges at the perimeter. This blog post dives into the security pitfalls of that control and explains why it gives organizations a false sense of security: anyone with an account at the same vendor can send events from the same ranges. It shows how the countermeasure can be overcome to access data and even execute code on internal CI systems, and how to do this at scale.
[Figure: Methodology for the attack]
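The difference between the bypassable control and a sound one, as an added example (my code, not the blog post's; the IP ranges, secret, repository names and payloads are constructed): an IP-range check accepts a forged event because the attacker's own repository on the same vendor delivers hooks from the same egress addresses, while a receiver that verifies the per-repository HMAC signature and binds the payload to the expected repository rejects it.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed stand-in for the SCM vendor's published webhook source ranges.
VENDOR_HOOK_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

WEBHOOK_SECRET = b"per-repo-secret-configured-on-both-sides"   # constructed
EXPECTED_REPO = "acme-corp/payments-service"                  # constructed


def sign(body: bytes, secret: bytes) -> str:
    """GitHub-style signature header value: sha256=<hex HMAC of the raw body>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def ip_only_check(event: dict) -> bool:
    """The perimeter control many organizations rely on: did the request come from the vendor?"""
    src = ipaddress.ip_address(event["source_ip"])
    return any(src in net for net in VENDOR_HOOK_RANGES)


def signed_check(event: dict, secret: bytes = WEBHOOK_SECRET, expected_repo: str = EXPECTED_REPO) -> bool:
    """Authenticate the payload with the shared secret, then bind it to the repository we expect."""
    presented = event["headers"].get("X-Hub-Signature-256", "")
    if not hmac.compare_digest(presented, sign(event["body"], secret)):   # constant-time compare
        return False
    try:
        payload = json.loads(event["body"])
        repo = payload["repository"]["full_name"]
    except (ValueError, KeyError, TypeError):
        return False
    return repo == expected_repo


def make_event(source_ip: str, repo: str, ref: str, secret: bytes) -> dict:
    """Constructed webhook delivery: what the receiver sees after the request is parsed."""
    body = json.dumps({"ref": ref, "repository": {"full_name": repo}}, separators=(",", ":")).encode()
    return {"source_ip": source_ip,
            "headers": {"X-Hub-Signature-256": sign(body, secret)},
            "body": body}


# A genuine push to our repository, delivered by the vendor.
LEGIT = make_event("192.0.2.10", EXPECTED_REPO, "refs/heads/main", WEBHOOK_SECRET)

# The attacker registers a webhook on a repository they own, pointed at our CI endpoint.
# It is delivered from the vendor's own egress addresses, signed with a secret they chose.
FORGED = make_event("192.0.2.10", "attacker/evil-repo", "refs/heads/main", b"attacker-picked-secret")

if __name__ == "__main__":
    for label, ev in (("legit", LEGIT), ("forged", FORGED)):
        print(f"{label:6} ip_only={ip_only_check(ev)!s:5} signed={signed_check(ev)}")
```

The header shape is vendor-specific (GitHub signs the body into `X-Hub-Signature-256`; GitLab sends the configured token verbatim in `X-Gitlab-Token`), but the principle is the same: the secret is set on the repository you control, so it cannot be produced by a hook registered on someone else's repository, and checking `repository.full_name` stops a leaked or reused secret from being replayed from another repository.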
Breaking Bitbucket: Pre Auth Remote Command Execution #appsec
The team at Assetnote identified an argument injection vulnerability which ultimately allowed them to execute arbitrary commands on Bitbucket Server and Data Center without even being authenticated to Bitbucket. This article is a deep dive into the methodology used and how Assetnote identified this vulnerability.
Securing Developer Tools: OneDev Remote Code Execution #appsec
OneDev is a self-hosted Git server that comes with a lot of development-oriented features such as CI/CD, code search, and static analysis integration. In this article, SonarSource describes the five vulnerabilities they found in OneDev which could be used by attackers to take over vulnerable instances.
[Figure: Overview of how the vulnerabilities can be exploited]
AttachMe: Critical OCI Vulnerability Allows Unauthorized Access to Customer Cloud Storage Volumes #cloud-security
Wiz engineers discovered and reported a major cloud isolation vulnerability in Oracle Cloud Infrastructure (OCI) which could have allowed attackers to access and modify any other user's OCI storage volumes without authorization, thereby breaking tenant isolation.
[Figure: Attack flow for AttachMe]
Attacking Firecracker: AWS' microVM Monitor Written in Rust #exploiting
This article covers a vulnerability affecting Firecracker, an open-source micro-virtual machine monitor written in Rust and used in AWS Lambda and Fargate. The author explores the root cause of a memory corruption vulnerability and the exploit primitives it yields, and shares reflections and takeaways learned throughout the research process.
[Figure: CVE-2019-1860 Exploit Primitive]
Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library #smart-contracts
Sam Curry reported a vulnerability to Netlify affecting their Next.js 'netlify-ipx' library, which allowed an attacker to achieve persistent cross-site scripting and full-response server-side request forgery on any website using it out of the box. The vulnerability, now fixed, affected many Web3 websites, including PancakeSwap, MoonPay and Gemini. This article details the vulnerabilities that were reported.
Aurora Withdrawal Logic Error Bugfix Review #smart-contracts
On June 16, an anonymous whitehat submitted a critical vulnerability to Aurora, which consisted of a withdrawal logic error. At the time of the submission, 50550.9 ETH was held by the vulnerable contract; at the average ETH price that day, the funds at risk amounted to nearly $63 million.
The Real Cause of the Wintermute Exploit #smart-contracts
A Wintermute wallet was attacked, resulting in a loss of approximately $160 million. The weakness exploited was the use of a vanity address, chosen to save on gas fees, whose private key turned out to be recoverable. This article contains the details of the research conducted by the SlowMist team.
Our Short Analysis of the Profanity Tool Vulnerability #smart-contracts
Another article on the Wintermute attack that complements the research by the SlowMist team. A different perspective from the BlockSec team on how Wintermute's private key was compromised through a vulnerability in the Profanity tool (used to generate the private key behind its vanity Ethereum address).
[Figure: Method used by Profanity to find a special Ethereum address]
Hackers in Arbitrum's Inbox #smart-contracts
This article is the story of wiped storage slots and well-intentioned gas optimizations that led to a multi-million dollar vulnerability affecting any would-be depositor attempting to bridge funds from Ethereum to Arbitrum Nitro.
The Two Sides of the Private Tx Service on Binance Smart Chain #smart-contracts
A private tx service aims to protect users' transactions by sending them directly to validators rather than broadcasting them to the public mempool. However, the same channel can be abused by attackers to get their attack transactions included on chain quickly and without being noticed. This article describes a transaction on BSC where the attacker abused the private tx service of BNB48 to hide an attack transaction (approximately $150,000 was stolen).
[Figure: The attacker ended up returning the funds]
🙏 Support us
How to Audit a Smart Contract — Patrick Collins shares in this video an auditing 101 for smart contracts, and introduces basic tooling for doing an audit such as Slither, Echidna and MythX, among others. By the end of the video, you will be familiar with the audit process, the basics of how to conduct one, and how to interact with auditors.
Smart Contract Series: Ep.4 Analyzing A Smart Contract Vulnerability Worth $600,000 — Nahamsec continues his smart contract series. In this episode he goes through a vulnerability in Port Finance which could potentially have caused a monetary loss of $20M-$25M.
estimate-sol: Sizing Solidity Audits — CoinFabrik has released an internal tool to help security companies correctly scope audits of smart contracts written in Solidity.
lkarlslund/ldapnomnom — Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping Requests (cLDAP).
ncc/Kubescout — You can now have Scout Suite scan not only your cloud environments, but your Kubernetes cluster.
dogancanbakir/metamaska — Malevolent payload classifier, which can detect different types of malicious payloads like SQL Injection, XSS, path traversal and command injection.
ZephrFish/AutoHoneyPoC — Project to investigate how easy it is to poison different data feeds and whether there is any integrity checking when data is parsed and passed on to different parties.
ZephrFish/SandboxSpy — Code for profiling sandboxes and identifying whether the current user is in a sandbox or not, based on the path and domain/username.
qilingframework/qiling — Advanced binary emulation framework which supports EVM (Ethereum Virtual Machine) among other architectures.
The Noochie Show: Ep.21 The $1.75 Million Dollar NFT Heist w Keith Schmidt — In this episode, Noochie is joined by Keith Schmidt, the victim of a 1.75 Million dollar NFT theft. They discuss the details of the theft, Keith's relentless investigation, how he recovered half of the value from the attackers, how collectors can protect themselves, and much more.
Darknet Diaries: Ep.124 Synthetic Remittance — What do you get when you combine social engineering, email, crime, finance, and the money stream flowing through big tech? Evaldas Rimašauskas comes to mind. He combined all these to make his big move. A whale of a move.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.