Security Pills - Issue 18

The State of Crypto Security, The Story Behind the Alternative Genesis Block of Bitcoin, PHP Filters Chain

Release Date: 24th October 2022 | Issue: 18 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋 Hope you had a great weekend!

I've spent my week learning how to use SQL queries to explore and visualize Ethereum blockchain data with Dune. You have probably seen dashboards built with this tool in the past! If not, don't worry, I have included some interesting articles to learn how to use it in this week's issue!

Also, you may have noticed that I did not prepare a logo for this week... there's an explanation for that! I'm on vacation and forgot the PSD on my computer, and I cannot remember the font family that I've been using 🌚.

Enjoy this week's issue, there have been some pretty interesting hacks!

  • Articles: HTTP/3 Connection Contamination: An Upcoming Threat?, Expanding on UUIDv1 Security Issues, Untangling Azure Active Directory Principals & Access Permissions, Reverse Engineering the Apple Multipeer Connectivity Framework, In-The-Wild: It's Always a Crypto Miner!, 'Blank Check' eth_sign Phishing Analysis, Zero-Knowledge Proof in Blockchain Explained, The State of Crypto Security, Learning SQL and Ethereum Series, Querying Solana Data on Dune Analytics 101, Gas Gauge: Pressure Control, The Story Behind the Alternative Genesis Block of Bitcoin.

  • Vulnerabilities & Bug Bounties: PHP Filters Chain: What is it and How to use it, Yet Another Telerik UI Revisit, The Danger of Falling to System Role in AWS SDK Client, Enter 'Sandbreak': Vulnerability in Sandbox Mode Enables RCE, A New Attack Surface on MS Exchange, Bunni Bug Report, $80M Available to Withdraw, Moola Market $9 Million Price Manipulation Attack

  • Resources:

    • Videos: Finding Every Domain for a Company, I Leaked My IP Address, DuneCon 2022, DEF CON 30

    • Repositories: oidc-ssrf, Web3 Security Library, whatsabi, SandboxProfiler

    • Podcasts: Security Conversations Ep.89: Charlie Miller, Darknet Diaries Ep.126: REvil, Malicious Life Ep.190: Hacking Stock Markets Pt.2

  • Tags used in this issue: #analytics, #appsec, #cloudsec, #exploiting, #reverse-engineering, #sast, #smart-contracts

HTTP/3 Connection Contamination: An Upcoming Threat? #appsec

PortSwigger's James Kettle recently published a dangerous reverse-proxy behavior called first-request routing, which enables host-header attacks on back-end systems. In this post, James shows how first-request routing also enables a client-side, browser-based attack called HTTP connection contamination.

Expanding on UUIDv1 Security Issues #appsec

Last week, Daniel Thatcher published an article about abusing UUIDv1 tokens used in security-sensitive contexts, and the overall takeaway was to only use UUIDv4 for such purposes. Chaim Sanders has written a follow-up article providing a more in-depth look at UUIDv1 and, by extension, UUIDv2 tokens.

[Figure: UUIDv1 Structure]

Untangling Azure Active Directory Principals & Access Permissions #cloudsec

Carsten (@0xcsandker) has released a PowerShell script to enumerate access permissions in an Azure AD tenant, and this article is a compendium of all the learnings he acquired during the process.

Semgrep: Writing Quick Rules to Verify Ideas #sast

GitLab's Dominic Couture explains how to use Semgrep to write quick, disposable rules to validate an idea when reviewing source code. In this case, Dominic wrote rules to identify GET routes that contain state-changing actions and have no CSRF protection, which turned up a real issue in Kibana.

Reverse Engineering the Apple Multipeer Connectivity Framework #reverse-engineering

Simone Margaritelli (@evilsocket) has documented his research on reverse engineering the Multipeer Connectivity Framework, an Apple service that supports the discovery of services provided by nearby devices and communication with those services through message-based data, streaming data, and resources.

In-The-Wild: It's Always a Crypto Miner! #reverse-engineering

@CPunch71 documented his process of reverse engineering a crypto miner found while searching the depths of YouTube for not-so-nice software to install.

[Figure: Process tree]

'Blank Check' eth_sign Phishing Analysis #smart-contracts

This article from SlowMist details how to recognize scams involving the eth_sign signature, a technique that has become pretty active lately in different phishing campaigns.

Zero-Knowledge Proof in Blockchain Explained #smart-contracts

QuillAudits has published a thorough guide explaining what ZKPs are, the differences between the various types of ZKPs, and their applications in the blockchain, among other things.

In simpler terms, zero-knowledge proof (ZK proof) technologies enable one party to prove to another party that they know something, without sharing the information itself with the other party in order to prove that knowledge.

The State of Crypto Security #smart-contracts

Hackers have stolen more than $2B from crypto applications this year. The problem will only get worse as the crypto ecosystem grows and attracts more malicious actors. Kofi Kufuor (@0xKofi) presents in this article a framework for categorizing crypto hacks, outlines the methods used in the most profitable hacks, and reviews the strengths and weaknesses of the tools currently used to prevent them.

[Figure: Types of hacks based on the layer of the stack]

Learning SQL and Ethereum Pt. 1 | Pt. 2 | Pt. 3 #analytics #smart-contracts

Andrew Hong has created a series of articles explaining how to use Dune to create crypto analytics through custom charts and dashboards using simple SQL queries.

[Figure: Dashboard created in Dune]

Querying Solana Data on Dune Analytics 101 #analytics #smart-contracts

Querying the blockchain is an efficient way to learn how a network works and get into the weeds of what is happening on the ledger. This article explores the fundamentals of Solana on-chain data using Dune Analytics.

Gas Gauge: Pressure Control #smart-contracts

OfficerCIA continues his series of educational articles, this time covering Gas Gauge, a tool that helps Solidity auditors detect Out-of-Gas DoS vulnerabilities in Ethereum smart contracts. The article shows how to combine it with Slither and tests its value on a real-world case.

[Figure: Gas Gauge Architecture]

The Story Behind the Alternative Genesis Block of Bitcoin #smart-contracts

SerHack walks through the early Bitcoin source code in this article and correlates it with the source code currently in use, helping readers better understand the early details of Bitcoin's history and the enigmatic figure of Satoshi Nakamoto.

PHP Filters Chain: What is it and How to use it #appsec

Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. Rémi Matasse from Synacktiv has written this article explaining how a recently discovered technique, PHP filter chains, can turn a file inclusion primitive in a PHP application into remote code execution.

Yet Another Telerik UI Revisit #appsec #exploiting

In the past, the popular ASP.NET web application add-on Telerik UI has been a frequent source of easy wins for operators at Black Lantern Security. Although use of the Telerik UI library has declined in the wake of several severe vulnerabilities, it is hard to find an organization with IIS servers that does not have at least a couple of applications using it. This article from Black Lantern Security explores some unusual edge cases where existing tooling failed.

The Danger of Falling to System Role in AWS SDK Client #cloudsec

CloudSec Tidbits is a blog post series showcasing interesting bugs found by Doyensec during cloud security testing activities, focusing on cases where the cloud infrastructure is properly configured but the web application fails to use the services correctly. They have also developed a Terraform (IaC) laboratory to deploy a vulnerable dummy application and play around with the vulnerability presented in this article.

Enter 'Sandbreak' - Vulnerability in Sandbox Mode Enables RCE #exploiting

The Oxeye research team has found "Sandbreak", a critical remote code execution vulnerability in the popular sandbox library vm2. A threat actor who exploits this vulnerability will be able to bypass the vm2 sandbox environment and run shell commands on the machine hosting the sandbox.

A New Attack Surface on MS Exchange Pt. 4: ProxyRelay #exploiting

Research by Orange Tsai showing that the security mitigations implemented by Microsoft against the proxy-related attacks presented in April 2021 could be bypassed.

Bunni Bug Report #smart-contracts

Bunni is a new protocol that aggregates Uniswap V3 LP positions into fungible ERC20 tokens, making LP positions easier to integrate with other DeFi applications. After the protocol's announcement, Riley Holterhus looked through Bunni's code and discovered an interesting exploit that the protocol was vulnerable to. The exploit would have allowed a MEV searcher to steal all early deposits sent through the public mempool.

$80M Available to Withdraw #smart-contracts

Dave Montali found a vulnerability worth $80 million affecting the DXdao governance contract after realizing how rewards were calculated internally.

Moola Market $9 Million Price Manipulation Attack #smart-contracts

On the 18th of October, 2022, Moola Market (a liquidity protocol on the Celo blockchain) was exploited for approximately $9 million. The attacker used a price manipulation vulnerability to steal those funds. After the hack, the attacker returned 93% of the stolen funds to the Moola Governance Multi-Sig Wallet.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

⌨️ Repositories

  • doyensec/oidc-ssrf — An Evil OIDC server, where the OpenID Configuration URL returns a 307 to cause SSRF.

  • immunefi-team/Web3-Security-Library — Collaborative repository that aims to contain all the information needed to start or expand your knowledge in web3 security.

  • shazow/whatsabi — Guess an ABI from an Ethereum contract address, even if it's unverified.

  • prisma/SandboxProfiler — Collect information of internet-connected sandboxes, no backend needed.

🎙️ Podcasts

  1. Security Conversations Ep. 89: Charlie Miller — Famed hacker Charlie Miller joins Ryan on the podcast to discuss a career in vulnerability research and software exploitation. Charlie talks about hacking iPhones and Macbooks at Pwn2Own, the 'No More Free Bugs' campaign, the Jeep hack that led to a recall and his current work securing Cruise's self-driving fleet. Plus, an interesting take on iOS Lockdown Mode.

  2. Darknet Diaries Ep. 126: REvil — REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.

  3. Malicious Life Ep. 190: Hacking Stock Markets Pt. 2 — Financial markets make good targets for criminals: after all, that's where the big money is. Surprisingly, many of these criminals are not your run-of-the-mill black hat hacker, but brokers registered with the SEC: Genuine finance industry professionals.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews