Security Pills - Issue 17
Bridge Security in Blockchain, Curve LP Oracle Manipulation, Persistent PHP Payloads in PNGs
Release Date:17th October 2022 | Issue: 17 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Join Cobalt's Community of Freelance Pentesters Today!CSP and Bypasses — Check their latest blog post that discusses what CSP is and how attackers can bypass some directives to achieve cross-site scripting on a vulnerable target.
Hey there, 👋Hope you had a good weekend!
Articles: A Guide to Identify Authorization Vulnerabilities at Scale Using Semgrep, In GUID We Trust, Regulator: A Unique Method of Subdomain Enumeration, The Ultimate Guide to Finding Bugs with Nuclei, Userland Execution of Binaries Directly from Python, Bridge Security in Blockchain.
Vulnerabilities & Bug Bounties: postMessage Braindump, Private NPM Packages Disclosed via Timing Attacks, Persistent PHP Payloads in PNGS, On Bypassing eBPF Security Monitoring, Cold Hard Cache: Bypassing RPC Interface Security with Cache Abuse, Fully Loaded: Testing Vulnerable PyYAML Versions, How We Recovered the Stolen Funds for TransitSwap, TempleDAO's STAX Hack, Heartbreaks & Curve LP Oracles, Curve LP Oracle Manipulation: Post Mortem, QANX Bridge Wallet Disclosure Analysis.
Videos: LiveOverflow WorldGuard Bypass, Chainlink Fall 2022 Hackathon, Brucon 0x0E.
Repositories: RITM, ulexecve, guidtool, astrolock.
Podcasts: Massive Crypto Bungle, The Obsession of Extreme Privacy, Voice Scams.
Tags used in this issue: #appsec, #exploiting, #red-team, #sast, #smart-contracts
In GUID We Trust #appsecThis article by Daniel Thatcher explores the different versions of GUIDs and the security issues associated with using the wrong one. Daniel also uses an account takeover issue from a previous pentest where GUIDs were used as password reset tokens to demonstrate how things can go terribly wrong.If you are thrilled by the vulnerability exposed in this article, checkout the CTF challenge that Daniel has created at http://gooey.intrud.es
Regulator: A unique method of subdomain enumeration #appsecInteresting approach to perform subdomain enumeration by combining regular language ranking with regular language induction.
The Ultimate Guide to Finding Bugs With Nuclei #appsecA guide from Project Discovery that walks through nuclei's various features and options, especially the most powerful ones like custom templates and workflows and provides some guidance on how to use these features to find bugs in real targets.
Userland Execution of Binaries Directly from Python #red-teamDuring a pentest exercise, Vincent Berg obtained a remote shell access to some containers within a Kubernetes environment. Sooner he realized these containers had the writable filesystems mounted with the noexec option, or were all mounted with the ro (read-only) option, making difficult to further explore the compromised environments.But these container images had python installed, allowing Vincent to execute existing Python scripts and port some other tools to perform further analysis. This made him think how useful would be to execute arbitrary binaries from within Python interpreters.
A Guide to Identify Authorization Vulnerabilities at Scale Using Semgrep #sastAnshuman Bhartiya details in this article a walk-through on how to use Semgrep to identify authorization control vulnerabilities affecting a web application built with NestJS and using Guards to define individual guards to the different user personas.
Bridge Security in Blockchain #smart-contractsCross-chain bridge is a technology that allows communication between two separate blockchain networks like transferring and swapping assets, calling functions in contracts from other blockchains, and more. In other words, bridges allow users to transfer their assets from one network to another. For example, Basically, if you have bitcoin but want to spend it like Ethereum, you can do that through the bridge.
Moving assets to another chain
This article from QuillAudits discuss Non-Custodial bridges that operate in a decentralized manner, relying on smart contracts to manage the crypto locking and minting process and removing the need to trust a bridge operator.
Private npm Packages Disclosed via Timing Attacks #appsec #exploitingThe team at Aqua Nautilus have discovered that npm’s API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them. This kind of attack is linked to a broader category of supply chain attacks.
Persistent PHP Payloads in PNGS #appsec #exploitingIt is important to have good knowledge of the different techniques available to smuggle PHP payloads through image files when testing a PHP application. This article by Quentin Roland provides an overview on different known payload smuggling techniques that could be used by an attacker to achieve arbitrary PHP code execution.
On Bypassing eBPF Security Monitoring #appsec #exploitingThere are many security solutions available today that rely on the Extended Berkeley Packet Filter (eBPF) to monitor kernel functions. Nowadays, eBPF-based programs are used for DDoS mitigations, intrusion detection, container security, and general observability. This article by Lorenzo Stella, from DoyenSec, provides an overview on how they managed to bypass eBPF-based controls, along with some ideas on how red teams or malicious actors could evade these new intrusion detection mechanisms.
Cold Hard Cache: Bypassing RPC Interface Security with Cache Abuse #exploitingBen Barnea and Stiv Kupchik from Akamai found two security vulnerabilities affecting Microsoft Windows RPC services that allowed the bypass of MS-RPC security callbacks through caching.
Fully Loaded: Testing Vulnerable PyYAML Versions #sast #exploitingGrayson Hardaway from R2C has written an article describing the research conducted on testing the PyYAML API across various released versions, and how they determined that the yaml.Loader class is unsafe in all released versions. The article describes the method that was used to figure out which PyYAML APIs were vulnerable in which versions of the package.
How We Recover the Stolen Funds for TransitSwap #smart-contractsOn October 1, the BabySwap and TransitSwap contracts on BSC were attacked by a bot. Surprisingly, this bot was also vulnerable to the profanity tool vulnerability. The BlockSec team successfully exploited the vulnerability, recovering the bot's private key, and managed to reverse-engineer the bot contract withdrawing the funds to a secure account.
TempleDAO's STAX hack #smart-contractsFew days ago, the TempleDAO's STAX was hacked for approximately $2.3M worth of LP tokens. The hack was really simple, as one of the functions, migrateStake, did not perform any checks to verify the legitimacy of one of its parameters. As result, anyone could create a contract specifying an arbitrary deposit amount and address where the funds could be sent.
Heartbreaks & Curve LP oracles #smart-contractsThe team at ChainSecurity discovered a devastating oracle manipulation on Curve, targeting five major protocols. This article details how they found this manipulation and how they ended up protecting tokens worth over a hundred million dollars.
Curve LP Oracle Manipulation: Post Mortem #smart-contractsOn April 14, ChainSecurity informed Curve and affected projects about a read-only reentrancy vulnerability in some Curve pools. The value of the get_virtual_price function could be manipulated by reentering it during the removal of liquidity. Now that all the affected parties have secured their projects, ChainSecurity has published the technical details.
QANX Bridge Wallet Disclosure Analysis #smart-contractsOn the 11th of October, the QANX Bridge deployed wallet suffered an attack. The exploiter was able to drain 1,44,169,100 QANX from the QANX Bridge on Binance Smart Chain (BSC) and sold it for 3090.5 BNB on PancakeSwap which was later tunneled into Tornado Cash. This article from QANplatform provides technical details on how this attack was executed.
🙏 Support us
LiveOverflow - WorldGuard Bypass — WorldGuard lets players guard areas of land against other players and let users tweak and disable various gameplay features of Minecraft. In this video, LiveOvereflow shows how code review led to the discovery of a common mistake plugin-developers make, affecting WorldGuard.
Chainlink Fall 2022 Hackathon — Playlist containing all the videos for the last hackathon organized by Chainlink.
Brucon 0x0E Playlist — BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society.
Tw1sm/RITM - Roast In The Middle — Python implementation of the man-in-the-middle attack described by Charlie Clark (@exploitph) in his post, New Attack Paths? AS Requested Service Tickets, and demonstrated in his proof-of-concept, Roast in the Middle.
anvilsecure/ulexecve — ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
intruder-io/guidtool — A tool to inspect and attack version 1 GUIDs.
synacktiv/astrolock — A purposely vulnerable application in order to demonstrate PHP payload smuggling techniques for PNG files.
Smashing Security Ep. 293: Massive Crypto Bungle, and the slave scammers — A couple unexpectedly find $10.5 million in their cryptocurrency account.
The Privacy, Security, & OSINT Show: Ep. 281-The Obsession Of Extreme Privacy — Some impacts of extreme privacy and security on our mental health when we become obsessed with the little things, and tips on how to keep your own balance in check.
Malicious Life Ep.189 Vishing - Voice Scams — Authentication has come a long way since the 1980s or 90s, but when it comes to phone calls - we’re still in the Middle Ages. Vishing, or Voice Scams, are probably as old as the Telephone itself, yet it is still very easy to impersonate someone over the phone or spoof a phone call’s origin.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.