Security Pills - Issue 19

Release Date: 31st October 2022 | Issue: 19 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there 👋Hope you all had a great weekend!October is about to end but that does not stop attackers from targeting smart contracts and DeFi companies. This week's issue contains some interesting post-mortem articles, write-ups and research such as the extensive guide on how to optimize Solidity's smart contracts, or the resources to have a better understanding on MEV. On the appsec side there are some interesting vulnerabilities as well, like the arbitrary code execution found in the SQLite library, or the remote code execution found on the VSCode built-in support for Jupyter Notebook files.This and more stories available in this week's newsletter, enjoy it!

Sysdig TRT Uncovers Massive Cryptomining Operations Leveraging GitHub Actions #appsecThe Sysdig Threat Research Team (Sysdig TRT) recently uncovered an extensive and sophisticated active cryptomining operation in which a threat actor is using some of the largest cloud and continuous integration and deployment (CI/CD) service providers to build, run, scale, and operate their massive cloud operation

EDR: Detections, Bypasses and Other Shenanigans #blue-teamEDR, or Endpoint Detection and Response, refers to an integrated endpoint security solution that continuously monitors devices to prevent malicious actors from gaining access to the system. Along with Detection and Prevention, an EDR solution also provides features such as Threat Hunting and Forensic Analysis.This article from FourCore describes the foundations of an EDR, how it gains visibility into malicious activities and how to bypass them, so you remain undetected.

One Shell to Handle Them All #red-teamBlack Arrow explores the reuse of open handles during post exploitation activities after compromising a web application. The user account used to run a web server on Windows typically has impersonation privileges due to the software requirement, allowing the use of token handles to spawn processes running on different security contexts. The article also explores different scenarios where user token handles can be leaked in an IIS server process due to different reasons, from software design requirements to programming errors.

Towards the Next Generation of XNU Memory Safety: kalloc_type #researchApple present the first in a series of technical posts that delves into important memory safety upgrades in XNU, the kernel at the core of iPhone, iPad, and Mac. This series of posts focuses on one specific effort to improve XNU memory safety: hardening the memory allocator. This first post in the series focuses on issues having to do with temporal safety — one common class of memory bugs.

Introduction to Firmware Analysis of a Reolink IP Camera #reverse-engineeringEmbedded devices continue to increase in popularity. The emergence of these next generation technologies has driven the home automation evolution from simple light bulbs to cloud-connected printers, smart refrigerators, etc. However, these devices need to be connected to internet, increasing its attack surface.This series of articles written by @serhack_ take an in-depth look at the technical functioning of an IP camera from Reolink. Starting from higher level details, then onto the lowest level details, and then delving into the user interface, explaining how the camera was created and developed.

The 0 to 1 Guide for MEV #smart-contractsA guide to Miner/Maximal Extractable Value (MEV), the extraction of value from Ethereum users by reordering, inserting, and censoring transactions within blocks. One of Ethereum's biggest issues, with more than $689 million extracted from users of the network year-to-date.

The Optimizer's Guide To Solidity Pt. 1 | Pt. 2 | Pt. 3 #smart-contractsOne of the common pitfalls software developers fall into when transitioning from traditional programming languages to Solidity is the absence of code optimality. As each instruction executed in an EVM transaction ultimately costs gas, any optimizations applied to a codebase will lead to a tangible difference in operational cost and less friction for the end user as they will use less gas to interact with the system.This series of articles written by Omniscia, shed some light on their trail of thought when evaluating code optimizations, providing a technical depth on how seemingly innocuous segments of code can be optimized and illustrating how these optimizations ultimately lead to valuable gas and cost savings for users.

Upgradeable Smart Contracts Security #smart-contractsOne of the fundamental properties of blockchain is the impossibility of data spoofing (immutability). However, not all smart contracts have immutable code. A common practice is to use the contract logic update template with the help of a proxy. You have to be very careful when updating implementation. Otherwise, even the smallest mistake can lead to vulnerabilities, as happened with Nomad, Wormhole, and Audius, with hundreds of millions of dollars worth of damages. This research from Arseny Reutov (@theraz0r) studies the principles of the proxy template, the associated vulnerabilities, and explain how to find proxy storage collision.

Visual Studio Code Jupyter Notebook RCE #appsec #exploitingBack in August 2021, Justing Steven found a Cross-Site Scripting (XSS) vulnerability affecting VSCode built-in support for Jupyter Notebook (.ipynb) files. His analysis details the issue presenting a PoC which reads arbitrary files from disk and then leaks their contents to a remote server, however this is not a complete RCE exploit.This article from Doyensec's Luca Carettoni revisits this vulnerability achieving RCE.

TCP/IP Vulnerability PoC Restoration and Analysis #exploitingThe patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen’s security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison.

Stranger Strings: An Exploitable Flaw in SQLite #exploitingTrail of Bits found an arbitrary code execution affecting the SQLite library on its version 1.0.12 when the library is compiled without stack canaries. The vulnerability is exploitable when large string inputs are passed to the SQLite implementations of the printf functions and when the format string contains the %Q, %q, or %w format substitution types.

Crashing a Flipper Zero #exploitingPrelude's adversary engineers recently identified two file loader bugs in two different Flipper Zero applications. In each case, improper parsing of the file leads to heap corruption and a crash.

SiriSpy - iOS Bug Allows Apps to Eavesdrop on Your Conversations with Siri #mobileAny app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.

Decoding $220K Read-Only Reentrancy Exploit #smart-contractsOn the 24th of October 2022, Market.xyz (lending market on QuickSwap DEX) was exploited. An exploiter took a flash loan and manipulated the spot price of the asset to borrow funds, ultimately making off with 138 ETH that were sent to Tornado.cash and 700 MATIC tokens. The attack was possible due to the use of a Curve LP oracle, which contained a vulnerability that allowed manipulating prices during the removal of liquidity.

Team Finance Rekt #smart-contractsTeam Finance, the self-proclaimed “Industry Leader In Project Security & Automation”, lost $15.8M of funds that it was supposed to be safeguarding. According to @PeckShield analysis, the issue was found in one of the Liquidity Locks contracts which allowed projects to migrate locked LP positions from Uni v2 to Uni v3:

UvToken's USD$1.5 Million Attack #smart-contractsOn October 27th, Numen Cyber Labs discovered that the UvToken project was attacked through on-chain data monitoring. The hackers stole 1,078 BNB and 1,161,991 BUSD from the attack, with the total losses adding up to approximately $1.5 Million USD. We have analyzed and tracked the incident and the flow of funds. The funds have been already transferred to Tornado.Cash.

Decoding ULME Token Flash Loan Attack #smart-contracts On October 25, 2022, ULME Token was attacked by a hacker who allegedly gained approximately 50,646 BUSD caused by a price manipulation using flash loan attacks.

Beosin's Analysis of Team Finance's $13M Exploit #smart-contractsA thorough article from Beosin EagleEye explaining the attack conducted on Team Finance, which resulted in the loss of ~$15M funds.

Analysis of the First Critical Vulnerability of Aptos Move VM #smart-contractsThe Move programming language is rising in popularity lately due to the strong advantages it has over Ethereum’s Solidity language. This article details the critical-level security vulnerability in the Virtual Machine (VM) of the Aptos public chain that was discovered by Numen's team. An issue that could cause Aptos nodes to crash provoking a denial of service.

🎥 Videos

1. Extracting and Modifying Firmware on the Defcon 30 Badge with JTAG — Matt Brown discusses in this video how to extract firmware from a RP2040 microcontroller on the Defcon 30 badge using JTAG using a JLink debugger. Matt also shows how to push a modified version of the firmware back to the device.

2. A Hipster History of CORS — CORS makes no sense when you first look at it. The only way it does is if you understand the history of how we got here; this talk will go through the history of the web and CORS and how we ended up designing something like this. If you have always been confused by CORS, you will find this talk useful.

3. NahamSec ASM Series - Autonomous System Numbers — Autonomous System Numbers (ASN) are a goldmine for offensive security. Using autonomous system numbers, you are able to extend your attack surface and find more applications that may have not been discovered through methods like certificate transparency.

4. The Dark Forest EP1, Pt. 1: Wormhole Uninitialized Proxy — On February 24th, a whitehat who goes by the pseudonym satya0x, responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that could have led to a potential lockup of user funds.

5. The Hitchhacker’s Guide to iPhone Lightning and JTAG Hacking — At DEF CON 30 StackSmashing talked about a project he has been working on with a couple of friends for the past few months: The Tamarin Cable! An open-source Kanzi Cable.

🎙️ Podcasts

1. Malicious Life Ep. 191 What Would Happen if CBS Got Hacked? — Media companies probably get hacked no more than other, non-media oriented organizations such as hospitals, banks, etc. But these hacks are often more visible and more memorable. How can these organizations be hacked, and why should we care about such attacks?

⌨️ Repositories/Tools

• Legit-Labs/legitify — Detect and remediate misconfigurations and security risks across all your GitHub assets.

• Dastardly — A free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.

• contract-diff.xyz — Contract diff helps to find differences in contract forks using SimHashes.

• naddison36/sol2uml — A visualization tool for Solidity contracts featuring UML class diagram generator for Solidity contracts and contract storage layout diagrams.

• ConsenSys-Academy/Blockchain-Developer-Bootcamp — Open-source version of ConsenSys Academy's Blockchain Developer Bootcamp.

• sixTheDave/pwn_w3bridges — Workshop for "web3" bridge hacking at Hacktivity 2022.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews