Security Pills - Issue 22

From Self-Hosted GitHub Runner to Self-Hosted Backdoor, You Could Have Found the Nomad Hack, Stealing Passwords from Infosec Mastodon

Release Date: 21st November 2022 | Issue: 22 | Subscribe

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there,

Hope you all had a great weekend! We are back another week, bringing the latest news to your inbox. This time we have a hack in the Sheep Farm contract, an investment blockchain game that was attacked, causing a loss of approximately 262 $BNB tokens worth $72,000. FTX was also "hacked", with $477 million in funds stolen; unfortunately, the root cause of this heist is unknown at the time of writing. Zellic has published the Audit Coverage Tracker tool, which tracks what code is audited and unaudited for the biggest DeFi protocols, and has explained how this tool could have helped you identify the security issue exploited in the Nomad hack.

If you are interested in learning how to hack smart contracts, it may be a good opportunity to read about the common pitfalls affecting yield aggregators and try to get some bounties on Immunefi! Check also the puzzles that Franco Victorio has prepared to learn the EVM opcodes and try to solve all the challenges; you never know when you may need to optimize gas or find an interesting issue.

Last but not least, Praetorian has published an interesting article explaining how compromised GitHub access can be used to pivot into an organization's internal environment.

These and more news in today's newsletter! Enjoy it!

  • Articles: Let's Speak AJP, ABI Compatibility in Python: How Hard Could it Be?, TornadoCash Withdrawal Analysis, Another Airdrop Scam, SBF - Mask Off, Two Thought Experiments to Evaluate Automated Stablecoins, Yield Aggregators Common Pitfalls, Formally Verifying The World's Most Popular Smart Contract, Decentralized Identity Attack Surface Pt.1, Learning Ethereum Virtual Machine Opcodes with EVM Puzzles, Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries, From Self-Hosted GitHub Runner to Self-Hosted Backdoor.

  • Vulnerabilities & Bug Bounties: Stealing Passwords From Infosec Mastodon, SQLi and Access Flaws in Zendesk, Checkmk: Remote Code Execution by Chaining Multiple Bugs Pt.3, Infosys Leaked FullAdminAccess AWS Keys on PyPi for Over a Year, Bypass iOS Backup's TCC Protection, Pixel 6 Bootloader, UvT Incident Analysis, Analysis Review of Team Finance Exploit, Hack Analysis: Saddle Finance, Taking a Closer Look at the FTX Hack, Decoding Sheep Farm Smart Contract Hack, You Could Have Found the Nomad Hack.

  • Resources:

    • Videos: Trail Of Bits Learn How to Fuzz Like a Pro, Hacking an API with Snyk, Custom Java Deserialization Exploit, HTTP/3 Connection Contamination Made Simple

    • Repositories: evm-dafny, hyperpom, Audit Coverage Tracker, Legitify.

    • Podcasts: Darknet Diaries Ep. 128: Gollumfun Pt. 1

  • Tags used in this issue: #appsec, #blockchain, #cloud-sec, #decentralized-identity, #evm, #fuzzing, #mobile, #red-team, #smart-contract

Let's Speak AJP #appsec AJP (Apache JServ Protocol) is a binary protocol developed in 1997 with the goal of improving on the performance of plain HTTP/1.1, especially when proxying HTTP traffic between a web server and a J2EE container. Mohamed Ouad studied and analyzed how this protocol works and how it is implemented in some popular web servers and Java containers. The research also aimed at reproducing the infamous Ghostcat (CVE-2020-1938) vulnerability discovered in Tomcat by Chaitin Tech researchers, and at potentially discovering other look-alike bugs.
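To make the "binary protocol" concrete, here is an added example written for this issue (it is not code from Mohamed Ouad's research): a minimal Python encoder and decoder for the AJP13 Forward Request packet, the message in which the web server hands an HTTP request to the servlet container. The magic bytes, method and header codes and the length-prefixed string encoding follow the AJP13 format; the request values, header names and the `example_attr` attribute in the usage are constructed sample data.

```python
import struct

# Added example (not from the article): encoder/decoder for the AJP13 Forward Request
# packet, i.e. the HTTP request as the web server hands it to the servlet container.
CLIENT_MAGIC = b"\x12\x34"   # web server -> container; the container answers with b"AB"
FORWARD_REQUEST = 2          # prefix code of the Forward Request packet
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
# Common request headers travel as a 2-byte code (0xA0xx) instead of a literal name.
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
CODE_TO_HEADER = {v: k for k, v in HEADER_CODES.items()}
REQ_ATTRIBUTE = 0x0A  # generic name/value request attribute
TERMINATOR = 0xFF     # marks the end of the attribute list


def encode_string(s):
    """AJP string: 2-byte big-endian length, the bytes, a NUL. A null string is 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def encode_forward_request(method, uri, headers, attributes=(), remote_addr="127.0.0.1",
                           server_name="localhost", server_port=80, is_ssl=False,
                           protocol="HTTP/1.1"):
    """Build a complete client-to-container packet: magic, payload length, payload."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += encode_string(protocol) + encode_string(uri)
    body += encode_string(remote_addr) + encode_string(None) + encode_string(server_name)
    body += struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else encode_string(name)
        body += encode_string(value)
    for name, value in attributes:
        body += bytes([REQ_ATTRIBUTE]) + encode_string(name) + encode_string(value)
    body += bytes([TERMINATOR])
    return CLIENT_MAGIC + struct.pack(">H", len(body)) + body


class _Reader:
    """Cursor over the payload bytes."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n + 1  # skip the NUL terminator
        return s


def decode_forward_request(packet):
    """Parse a Forward Request packet into a dict; rejects wrong magic and truncation."""
    if len(packet) < 4 or packet[:2] != CLIENT_MAGIC:
        raise ValueError("not a web-server-to-container AJP packet")
    (length,) = struct.unpack(">H", packet[2:4])
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    r = _Reader(payload)
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    method_code = r.byte()
    req = {"method": next(m for m, c in METHODS.items() if c == method_code)}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"] = r.u16()
    req["is_ssl"] = bool(r.byte())
    req["headers"] = []
    for _ in range(r.u16()):
        first = r.u16()
        if first & 0xFF00 == 0xA000:
            name = CODE_TO_HEADER[first]
        else:
            r.pos -= 2  # it was the length prefix of a literal header name
            name = r.string()
        req["headers"].append((name, r.string()))
    req["attributes"] = []
    while (code := r.byte()) != TERMINATOR:
        if code != REQ_ATTRIBUTE:
            raise ValueError(f"unsupported attribute code {code:#x}")
        req["attributes"].append((r.string(), r.string()))
    return req


if __name__ == "__main__":
    # Constructed sample request; `example_attr` is a made-up attribute name.
    pkt = encode_forward_request("GET", "/index.jsp", [("Host", "app.internal")],
                                 attributes=[("example_attr", "value")])
    print(pkt.hex())
    print(decode_forward_request(pkt))
```

The point to notice for security is the attribute list at the end of the request: the container trusts whatever the front-end puts there, which is why an AJP port reachable by anyone other than the intended web server deserves the same scrutiny as an unauthenticated admin interface.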

ABI Compatibility in Python: How Hard Could it Be? #appsec Trail of Bits has developed abi3audit, a new Python tool for checking Python packages for CPython application binary interface (ABI) violations. They've used it to discover hundreds of inconsistently and incorrectly tagged package distributions, each of which is a potential source of crashes and exploitable memory corruption due to undetected ABI differences.

TornadoCash Withdrawal Analysis #blockchain SlowMist has published a series of articles detailing their MisTrack solution and how it was used to uncover attackers who compromised a project and transferred all stolen funds to TornadoCash.

Another Airdrop Scam, but with a Twist #blockchain SlowMist details a new type of scam in which the last few digits of the attacker's address are nearly identical to the last few digits of the user's address. This is used to deceive users into copying the wrong address from their transaction history and sending funds to the attacker.
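An added example of how a wallet or a user-side script could catch this (written for this issue, not SlowMist's code): compare each counterparty in the transaction history against a saved address book on its full value, and flag any address whose first or last hex digits match a trusted address within a small number of differing characters while the rest of the address differs. The check covers both ends because most wallet UIs abbreviate addresses as "0xabcd...ef01". Addresses, transaction hashes and values below are constructed sample data.

```python
import re

# Added example, not from the SlowMist article. Detects "look-alike" counterparties
# whose visible prefix/suffix resemble a trusted address while the full value differs.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(address):
    """Validate an EVM address and return it lowercased (EIP-55 checksum case is ignored)."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"malformed address: {address!r}")
    return address.lower()


def _hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def classify_address(candidate, trusted, prefix_len=4, suffix_len=4, max_diff=1):
    """
    Compare a candidate against an address book of trusted addresses.
    Returns ("trusted", addr) on an exact match, ("lookalike", impersonated_addr) when
    only the visible ends match (within `max_diff` characters), and ("unknown", None).
    """
    cand = normalize(candidate)
    book = [normalize(t) for t in trusted]
    if cand in book:
        return "trusted", cand
    for known in book:
        prefix_diff = _hamming(cand[2:2 + prefix_len], known[2:2 + prefix_len])
        suffix_diff = _hamming(cand[-suffix_len:], known[-suffix_len:])
        if prefix_diff <= max_diff or suffix_diff <= max_diff:
            return "lookalike", known
    return "unknown", None


def audit_history(history, trusted):
    """
    Scan transaction-history counterparties and return the entries a user might mistake
    for a trusted address. Malformed entries are reported rather than silently skipped.
    Each history entry is (tx_hash, counterparty_address, value_wei).
    """
    findings = []
    for tx_hash, counterparty, _value_wei in history:
        try:
            status, match = classify_address(counterparty, trusted)
        except ValueError:
            findings.append((tx_hash, counterparty, "malformed", None))
            continue
        if status == "lookalike":
            findings.append((tx_hash, counterparty.lower(), "lookalike", match))
    return findings


# Constructed sample data (not real addresses or transactions).
TRUSTED = ["0xabcd" + "1" * 32 + "ef01"]
POISON = "0xabcd" + "2" * 32 + "ef01"     # same first/last four hex digits, different middle
NEAR = "0x" + "3" * 36 + "ef02"           # suffix one character off from the trusted address
UNRELATED = "0x" + "9" * 40
HISTORY = [
    ("0x01", TRUSTED[0], 5 * 10**18),     # legitimate transfer to the saved address
    ("0x02", POISON, 0),                  # zero-value dust planted by the look-alike address
    ("0x03", UNRELATED, 10**17),
    ("0x04", "0xnotanaddress", 0),
]

if __name__ == "__main__":
    for finding in audit_history(HISTORY, TRUSTED):
        print(finding)
```

The safe habit the script encodes is the same one a user should follow by hand: never copy a destination from the history view, always from the address book, and compare every character, not the abbreviated ends.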

SBF - Mask Off #blockchain The drama around FTX and Alameda still goes on, and Rekt News has published another piece of journalism covering the true damage from the collapse of FTX.

As always, I would also recommend reading this Twitter thread by ZachXBT debunking the three most common claims about this case circulating in the media and on Twitter.

Two Thought Experiments to Evaluate Automated Stablecoins #blockchain The losses caused by the LUNA crash have led to a storm of criticism that considers algorithmic stablecoins a flawed product. While there are plenty of automated stablecoin designs that are fundamentally flawed and doomed to collapse eventually, and plenty more that can survive in theory but are highly risky, there are also many stablecoins that are highly robust in theory and have survived extreme tests of crypto market conditions in practice. So what are some good principles for evaluating whether or not a particular automated stablecoin is a truly stable one?

Yield Aggregators Common Pitfalls: Beefy Case Study #blockchain Article outlining the security issues encountered in yield aggregators.

Principal Yield Aggregators

Formally Verifying The World's Most Popular Smart Contract #blockchain Wrapped ETH, or WETH, is one of Ethereum's most popular smart contracts. While WETH serves a simple purpose, a significant portion of all Ethereum transactions depend on it, and WETH now underpins large parts of DeFi. In this blog post, Zellic proves critical safety guarantees and invariants within the WETH contract by leveraging Z3, a battle-tested SMT solver.
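To make the kind of invariant being proved concrete, here is an added example written for this issue (it is neither Zellic's Z3 proof nor WETH's Solidity): a small Python model of WETH's deposit, withdraw and transfer, plus a bounded exhaustive search that checks, after every reachable sequence of calls, that the ETH held by the contract equals the sum of all balances, i.e. every WETH token is backed 1:1. The account names, amount domain and search depth are assumptions chosen to keep the state space small, and the `buggy_transfer` variant is a hypothetical defect introduced only to show the checker catching a violation; it is not a bug in WETH.

```python
# Added example, not from Zellic's post: a bounded model check of the WETH backing invariant.


class Revert(Exception):
    """Stands in for a failed require(): the call reverts and leaves state untouched."""


ACCOUNTS = ("alice", "bob")   # assumption: two actors are enough to exercise every path
AMOUNTS = (1, 2)              # assumption: small value domain keeps the search finite


class WethModel:
    """Abstract model of WETH: per-account balances plus the ETH the contract holds."""

    def __init__(self, buggy_transfer=False):
        self.balance_of = {a: 0 for a in ACCOUNTS}
        self.eth_held = 0  # models address(this).balance
        self.buggy_transfer = buggy_transfer

    def copy(self):
        clone = WethModel(self.buggy_transfer)
        clone.balance_of = dict(self.balance_of)
        clone.eth_held = self.eth_held
        return clone

    def deposit(self, sender, wad):
        self.balance_of[sender] += wad
        self.eth_held += wad

    def withdraw(self, sender, wad):
        if self.balance_of[sender] < wad:
            raise Revert
        self.balance_of[sender] -= wad
        self.eth_held -= wad

    def transfer(self, src, dst, wad):
        if self.balance_of[src] < wad:
            raise Revert
        if self.buggy_transfer:
            # Hypothetical bug (not present in WETH): both sides are computed from a
            # stale snapshot, so a transfer to oneself destroys `wad` tokens.
            old_src, old_dst = self.balance_of[src], self.balance_of[dst]
            self.balance_of[dst] = old_dst + wad
            self.balance_of[src] = old_src - wad
        else:
            self.balance_of[src] -= wad
            self.balance_of[dst] += wad

    def total_supply(self):
        return self.eth_held

    def invariant_holds(self):
        # Every outstanding WETH token is backed by one unit of ETH in the contract.
        return sum(self.balance_of.values()) == self.total_supply()


# Every call the model can make, enumerated once.
OPS = (
    [("deposit", a, w) for a in ACCOUNTS for w in AMOUNTS]
    + [("withdraw", a, w) for a in ACCOUNTS for w in AMOUNTS]
    + [("transfer", s, d, w) for s in ACCOUNTS for d in ACCOUNTS for w in AMOUNTS]
)


def apply_op(state, op):
    getattr(state, op[0])(*op[1:])


def find_violation(buggy_transfer, depth):
    """Explore every call sequence of length <= depth from the empty contract.
    Returns the first sequence that breaks the invariant, or None if none does."""

    def explore(state, trace):
        if not state.invariant_holds():
            return trace
        if len(trace) == depth:
            return None
        for op in OPS:
            nxt = state.copy()
            try:
                apply_op(nxt, op)
            except Revert:
                continue  # reverted calls do not change state
            bad = explore(nxt, trace + [op])
            if bad is not None:
                return bad
        return None

    return explore(WethModel(buggy_transfer), [])


def replay(buggy_transfer, trace):
    state = WethModel(buggy_transfer)
    for op in trace:
        apply_op(state, op)
    return state


if __name__ == "__main__":
    print("correct model, depth 4:", find_violation(False, 4))
    print("buggy model, depth 3:", find_violation(True, 3))
```

This is bounded checking, not a proof: it only covers two accounts, two amounts and a handful of calls, which is exactly the limitation an SMT-based proof like Zellic's removes by reasoning over all values at once. It is still a cheap first pass for spotting a broken invariant before investing in a formal model.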

Decentralized Identity Attack Surface Pt. 1 #decentralized-identity Our digital identity data is technically controlled by conglomerates that can erase it with the push of a button. So, what else is there? This two-part blog post discusses a new concept called Decentralized Identity (DID), which applies Nakamoto's original concepts to identity. This first part covers the basics of DID by explaining how it works and taking a look at one particular implementation, the Identity Overlay Network (ION), and its security considerations.

ION Overview

Learning Ethereum Virtual Machine Opcodes with EVM Puzzles #evm Franco Victorio, one of the Hardhat developers, has created a collection of EVM puzzles. Each puzzle consists of sending a successful transaction to a contract. This article goes through each puzzle, providing a solution that will help you dive deep into the EVM's internals.

Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries #fuzzing Impalabs is releasing Hyperpom, a 64-bit ARM binary fuzzer written in Rust and based on the Apple Silicon hypervisor. It is mutation-based and coverage-guided. This article gives an overview of its internals, presents the different components it consists of and how they relate to each other, and gathers all the resources you need to get started fuzzing your own 64-bit ARM targets.

Steps a binary goes through while being fuzzed.

From Self-Hosted GitHub Runner to Self-Hosted Backdoor #red-team Continuous Integration and Continuous Delivery (CI/CD) systems are powerful and configurable tools within modern environments. This post outlines how compromised GitHub access can be used to pivot into an organization's internal environment and often lets an attacker achieve their objectives, with little to no visibility into the attacker's actions until it is too late.

A diagram of the attack path using GitHub PATs

Stealing Passwords From Infosec Mastodon - Without Bypassing CSP #appsec The story of how Gareth Heyes was able to steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP.

HTML Injection Vulnerability exploited in Mastodon

SQLi and Access Flaws in Zendesk #appsec Varonis Threat Labs found a SQL injection vulnerability and a logical access flaw in Zendesk Explore. Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled.

Checkmk: Remote Code Execution by Chaining Multiple Bugs Pt. 3 #appsec This is the third and last article in Sonar Source's Checkmk: Remote Code Execution by Chaining Multiple Bugs series, completing their deep dive into the technical details of the vulnerability chain. At this point, the attacker has gained access to the NagVis component; from there, they outline how the attacker can escalate to the Checkmk GUI itself by exploiting an authenticated file read vulnerability in NagVis.

Infosys Leaked FullAdminAccess AWS Keys on PyPi for Over a Year #cloud-sec The story of how a set of leaked AWS credentials in a PyPI package exposed patients' PII for over a year.

Bypass iOS Backup's TCC Protection (CVE-2022-32929) #mobile Details on how attackers could invoke the AppleMobileBackup utility to write a backup to a custom location, avoiding the MobileSync directory, which is properly protected by TCC.

Pixel 6 Bootloader Pt. 1 | Pt. 2 | Pt. 3 #mobile Series of articles about the tools used for reversing firmware and performing patch analysis, using one of the latest exploits on Google's Pixel 6.

UvT Incident Analysis #smart-contract According to SlowMist Intelligence, UvToken, a project on the BNB Chain, was attacked on October 27, 2022. The attackers stole more than 5,000 BNB by exploiting a vulnerability in its mining pool contract.

Analysis Review of Team Finance Exploit #smart-contract On October 27, 2022, the Team Finance project was attacked, resulting in the loss of around $14.5 million in tokens.

Hack Analysis: Saddle Finance #smart-contract Saddle Finance, an automated market maker (AMM) on Ethereum, was the victim of a series of transactions on April 30, 2022, that exploited its deployed smart contracts. Over the course of three attack transactions, roughly $11m in crypto was taken.

Taking a Closer Look at the FTX Hack #smart-contract On November 12, 2022, over $477 million was reportedly stolen from FTX and FTX US in a suspected black hat theft, while approximately $175 million is believed to have been moved into secure storage by FTX.

Drainer's address holding around $314 million

Decoding Sheep Farm Smart Contract Hack #smart-contract On November 15, 2022, the Sheep Farm project was attacked, resulting in the loss of approximately 262 $BNB tokens worth $72,000.

You Could Have Found the Nomad Hack #smart-contract In August 2022, the Nomad token bridge was exploited for $190M. What's interesting is that anyone could have pinpointed the vulnerable code relatively easily. That's because the vulnerable code was unaudited.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

  • Trail Of Bits: Learn How to Fuzz Like a Pro

  • Hacking an API with Snyk

  • Custom Java Deserialization Exploit

  • HTTP/3 Connection Contamination Made Simple

⌨️ Repositories

  • ConsenSys/evm-dafny — The aim of this project is to develop a functional specification of the Ethereum Virtual Machine in Dafny.

  • Impalabs/hyperpom — AArch64 fuzzing library based on the Apple Silicon hypervisor

  • Zellic/Audit Coverage Tracker — Tool built by Zellic which tracks what code is audited and unaudited for the biggest DeFi protocols.

  • Legit-Labs/Legitify — Detect and remediate misconfigurations and security risks across all your GitHub assets

🎙️ Podcasts

  1. Darknet Diaries Ep. 128: Gollumfun Pt. 1 — Brett Johnson, AKA Gollumfun was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas @0xroot | @secpillsnews