Security Pills - Issue 16
BSC attack for near $566M Dollars, Comparing Semgrep and CodeQL, Spoof Tokens on Ethereum
Release Date: 10th October 2022 | Issue: 16 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there, 👋Hope you had a good weekend!Few days ago an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge, however the attacker only managed to escape to other chains with just ~$127 before losing access to the rest of the funds, causing the Binance Smart Chain to be paused for near 8 hours until the situation was under control. Be sure to check out our Vulnerabilities and Bug Bounties section to discover how the attacker successfully exploited a vulnerability in the IAVL verification process and stole the funds.This and more stories available in this week's newsletter, enjoy it!
Articles: The Great SameSite Confusion, Comparing Semgrep and CodeQL, Secure Your Machine Learning with Semgrep, Introducing Campaigns to MITRE ATT&CK, 7 Warning Signs of a Cryptocurrency Exit Scam, Fuzzing Solidity Smart Contracts with Echidna, Spoof Tokens in Ethereum, How Bad Actors Can Abuse Etherscan to Trick You.
Vulnerabilities & Bug Bounties: Two Lines of JScript for $20,000, RCE via Phar Deserialization, Remote Command Execution via GitHub Import, Turning Thunderbird into a Decryption Oracle, Melting the DNS Iceberg: Taking Over Your Infrastructure Kaminsky Style, Securing Developer Tools: A New Supply Chain Attack on PHP, Hacking Trackmania Nations Forever Server, The Forgotten IPFS Vulnerabilities, BNB Bridge, How Did the BNB Chain Exploiter Pass IAVL Proof Verification?, Using Beosin Trace to Investigate the Stolen Funds from BNB Chain's Hack, RES Token $290k Flash Loan Exploit, Interim Exploit Update.
Videos: LiveOverflow: Hacker History of The Most Famous Web Vulnerability: XSS, NahamCon2022: Adrian Hetman - Are Smart Contracts Haunted?, NahamCon2022: Hakluke - Blackbox Monitoring for Timely Bug Detection.
Repositories: building-secure-contracts, nuclei-burp-plugin, spk, Ethereum-Transaction-Viewer, sealevel-attacks, reentrancy-attacks.
Podcasts: Malicious Life: Hacking Stock Markets Pt.1, Darknet Diaries Ep.125: Jeremiah
Tags used in this issue: #apt, #appsec, #sast, #exploiting, #smart-contracts
Introducing Campaigns to MITRE ATT&CK #apt'Campaigns' is the term used to describe a grouping of intrusion activity conducted over a specific period of time within common targets and objectives.In the past Matt Malone has talked about building Campaigns into ATT&CK. They are planning to release their initial collection of Campaigns on October 25, however, prior the release, they would like to take the opportunity and guide users on their vision for Campaigns, provide a tour of Campaigns elements and cover their long-term plans
Comparing Semgrep and CodeQL #sastDoyensec has compared R2c's Semgrep in a head-to-head test with GitHub's CodeQL and published the results in this article. An interesting read for those who are evaluating SAST tools.
Cross-tool Test Suite Results
Secure Your Machine Learning with Semgrep #sastTrail of Bits has published a Semgrep ruleset of 11 rules dedicated to the misuse of machine learning libraries. This article is the result of analyzing the source code of different machine learning libraries and the common problematic patterns identified, which have been turned into Semgrep rules to make it easy to find and fix potential vulnerabilities.
Semgrep ML Rules
7 Warning Signs of a Cryptocurrency Exit Scam #smart-contractsExit scams are one of the major risks of investing in a cryptocurrency project. While some crypto projects are legitimate and offer the potential for significant rewards, other are scams. The challenge is differentiating between the two. This article provides 7 warning signs that could help detect when a crypto project is a potential future exit scam.
Fuzzing Solidity Smart Contracts with Echidna #smart-contracts@officerCIA provides details on what aspects can be useful for auditing smart contracts by sharing some tips and techniques on how to fuzz smart contracts with Echidna.
Spoof Tokens on Ethereum #smart-contractsFake or ‘spoof’ ERC-20 token transfers are not a new occurrence in Ethereum. However, wider adoption of the blockchain in the last year has caused a sharp uptick in these cases. The team from Etherscan provides a more in-depth look of this technique in this article.
How Bad Actors Can Abuse Etherscan to Trick You #smart-contractsBlockchain index services rely on contract Events to help archive data and give you a record of a transaction in a nice user-interface, commonly referred to as a “Block Explorer” like Etherscan. A malicious-intent contract can behave like “normal,” but pollute these events to trick block explorers to give out misleading information on where a token originated from to unsuspecting users.
The Forgotten IPFS Vulnerabilities #appsecLast year Consensys reported a total of 8 security issues in the InterPlanetary File System (IPFS) to the Protocol Labs Security team but never published the details. This article details each one of these issues that now have been fixed.
Remote Command Execution via GitHub Import #appsecA HackerOne report affecting GitHub has been made public. In this case, the vulnerability exploited allows arbitrary redis commands to be injected when importing a GitHub repository, granting the researcher a bounty of $32,510.
Securing Developer Tools: A New Supply Chain Attack on PHP #appsecSonar discovered and responsibly disclosed a critical vulnerability in Packagist, a central component of the PHP supply chain, to help secure developer tools. This article presents the findings identified in the biggest PHP package manager, Composer, and its official package repository Packagist.
Two Lines of JScript For $20,000 #exploitingBen McBride participated this year in Pwn2Own Miami and presented an issue affecting the Iconics Genesis64 Control Server's handling of TDFX files which allowed Ben to run arbitrary JScript.NET code.
RCE via Phar Deserialisation (CVE-2022-41343) #exploitingDompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0. and below. The exploitation of the vulnerability results in remote code execution subject to the following conditions: The application is deployed on a PHP version lower than 7.x and a RCE deserialization gadget must exist in any of the application's libraries.
Melting the DNS Iceberg: Taking Over Your Infrastructure Kaminsky Style #exploitingThe security team at SEC Consult found numerous ISPs and hosting providers that were vulnerable to trivial Kaminsky attacks. This could allow an attacker to manipulate the DNS name resolution of thousands of systems. As a consequence, e-mail redirections, account takeovers and even the compromise of entire systems may be possible.This article describes the core problem of the research conducted by SEC Consult and details how to find vulnerabilities in closed DNS resolvers.
Hacking TMNF: Pt.1 - Fuzzing the Game Server | Pt.2 - Exploiting a Blind Format String #exploitingA two-part series on fuzzing and exploiting the Trackmania Nations Forever server. The first part covers how the author configured a grammar fuzzer with LibAFL and Nautilus to to fuzz the game server, while the second part focuses on the exploitation of a Blind Format String in the error logger and how the author achieved remote code execution.
BNB Bridge - REKT #smart-contractsA bug in the way that the Binance Bridge verified proofs allowed attackers to forge arbitrary messages. The vulnerability was exploited into minting two lots of 1M BNB each, via falsified proofs of deposit on the legacy Binance Beacon Chain. The stolen 2M BNB amounts to ~$566M. However, the attacker managed to escape only $127M to other chains before losing access to the rest of the funds.
The researcher @samczsun has written a thorough thread explaining how the attack was conducted.
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down.
— samczsun (@samczsun)
Oct 6, 2022
Using Beosin Trace to Investigate the Stolen Funds from BNB Chain's Hack #smart-contractsThis article details how the attacker behind the Binance Chain attack bridged about ~$143M USD of the stolen funds to other chains, including lending protocols and provides an overall summary on how the attack was conducted.
Funding statistics from Beosin Trace
RES Token $290K Flash Loan Exploit #smart-contractsOn the 6th of October, 2022, $RES Token (BEP20 Token at BNB Chain) suffered a flash loan attack. The Hackers used flash loans to manipulate the pool price of the token and gain profit. Around $290,000 was stolen by the hackers. This article from QuillAudits provides details on what a Flash Loan attack is and how attackers successfully exploited this vulnerability. The attack directly impacted the price of the token which fell from $0.23 to $0.0060 (~97%).
Price chart for $RES token
How Did the BNB Chain Exploiter Pass IAVL Proof Verification? #smart-contractsBeosin details in this article how the Binance Smart Chain attacker injected the payload and bypassed the verification of IAVL proof stealing ~$566M USD from the Binance Bridge.
Interim Exploit Update #smart-contractsAn attacker exploited the legacy Sovryn Lend/Borrow protocol to inappropriately withdraw funds for over $1M dollars. The attack was detected by Sovryn devs who have recovered half of the funds. This article provides a brief explanation on how the attack was performed and detected by the Sovryn developer's team.
🙏 Support us
LiveOverflow: Hacker History of The Most Famous Web Vulnerability: Cross-Site Scripting — Why is it called "XSS"? Where does it come from and who influenced this type of website vulnerability?
NahamCon2022: Adrian Hetman - Are smart contracts haunted? — Adrian Hetman (@adrianhetman) explores the most common smart contract vulnerabilities providing some real vulnerable examples in this talk.
NahamCon2022: Hakluke - Blackbox Monitoring for Timely Bug Detection — Luke Stephens (@hakluke) explores how automation has affected bug bounty programs and explores a new concept on how automation can augment manual hacking.
⌨️ Repositories / Tools
crytic/building-secure-contracts — This is a tutorial that shows how to use Echidna to automatically test smart contracts. The first part introduces how to write properties for Echidna, the second part is a set of exercises to solve.
projectdiscovery/nuclei-burp-plugin — A BurpSuite plugin intended to help with nuclei template generation.
dhn/spk — A small OSINT/Recon tool to find CIDRs that belong to a specific organization.
samczsun/Ethereum-Transaction-Viewer — An Ethereum transaction viewer which loads large txs faster , prints storage and provides more accurate metadata than ethx.info.
coral-xyz/sealevel-attacks — Examples of common exploits unique to the Solana programming model and recommended idioms for avoiding these attacks using the Anchor framework.
pcaversaccio/reentrancy-attacks — A chronological and complete list of reentrancy attacks to date.
Malicious Life: Hacking Stock Markets Pt.1 — In any trading market, at any time in history, no matter where you are, the most important thing you can possess isn’t actually money, or influence, or anything like that. Knowledge -- in particular, knowing something before everybody else -- is far more valuable. Some traders are willing to go to great lengths to get it before anyone else. In some cases, they’ll apply great ingenuity to the problem - but in others, they’ll use manipulation -- hacking into these technologies to gain an unfair advantage, and make a fortune along the way.
Darknet Diaries Ep.125: Jeremiah — Jeremiah Roe is a seasoned penetration tester. In this episode he tells us about a time when he had to break into a building to prove it wasn’t as secure as the company thought.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.