Security Pills - Issue 23

Scaling Security Automation with Docker, So You Want to Get Into Bug Bounties?, How I Could Drain an Entire Blockchain

Release Date: 28th November 2022 | Issue: 23 | Subscribe

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Discover the top tools in Web3 to manage your smart contract security. Building secure smart contracts can be difficult. We recommend integrating tools for improving smart contract security into your project's development lifecycle. The Diligence Security Tooling Guide was created to help builders navigate the emergent blockchain security space by outlining the top tools available at every stage of development. Not only do these tools help with detecting and fixing programming errors, but they also assist developers in building maintainable, flexible, and robust smart contracts. This guide explores the different smart contract security tools to use at every stage of building your next blockchain application.

Hey there, hope you all had a great weekend! A relatively quiet week after the hacks that occurred last month. There are some interesting techniques and articles shared in this week's newsletter, but other than that, I hope you can enjoy this week of rest and use it to catch up on the latest in appsec and blockchain research, and hopefully... enjoy a quiet rest of the year! Enjoy it.

  • Articles: Burp Suite and Protobuf, Scaling Security Automation with Docker, Till REcollapse, Exploiting CORS Misconfigurations, Hosting an Ethereum CTF Challenge, Security of Algorithmic Stablecoins, Security Practices in Move Development Pt. 2, So You Want to Get Into Bug Bounties?, Introduction to MITRE ATT&CK.

  • Vulnerabilities & Bug Bounties: Exploiting an N-day vBulletin PHP Object Injection Vulnerability, Security Concerns with the e-Tugra Certificate Authority, A Confused Deputy Vulnerability in AWS AppSync, Access Control Vulnerability in DeFi, Decoding DFX Finance Exploit, The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module, Velas Infinite Mint Vulnerability Writeup, Mt. Pelerin Double Transaction Bugfix Review, Taking Home a $20K Bounty with Oasis Platform Shutdown Vulnerability, Taking a Closer Look at the Numbers Protocol Hack, How I Could Drain an Entire Blockchain: Post Mortem on a Bug in Godwoken Chain.

  • Resources:

    • Videos: Learn How To Fuzz Like a Pro: Fuzzing Arithmetics

    • Repositories: protobuf-decoder, recollapse, MetaDock, solidity-shell

  • Tags used in this issue: #appsec, #bug-bounties, #blockchain, #smartcontract, #threat-intelligence

Burp Suite and Protobuf #appsec
Federico has forked the protobuf-decoder extension for Burp proxy, fixing a few issues and adding new features. The list of changes introduced is available on the project's GitHub repository.

Scaling Security Automation with Docker #appsec
Gunnar has written this article detailing how hackers are using Docker to scale their automation with a microservice architecture. Using Docker Compose and hakscale, Gunnar walks us through the process of building a recon workflow on Docker containers.

Till REcollapse #appsec
0xacb explains the REcollapse technique, the result of work done over the last couple of years that helped the author land simple but impactful vulnerabilities in hardened targets, including zero-interaction account takeovers, bypasses for web application firewalls, and much more.

Exploiting CORS Misconfigurations #appsec
How many times have you heard that CORS issues are irrelevant? If so, I recommend you read this article and try the CTF challenge created for the occasion.

Hosting an Ethereum CTF Challenge, The Easy Way #blockchain
Zellic recently sponsored CSAW 2022 and contributed to the CTF by creating a simple Ethereum smart contract challenge that revolves around exploiting a vulnerable smart contract. CTF players needed to interact with the contract without leaking their solution or exploit to other players, a common issue when creating blockchain CTF challenges.

Security of Algorithmic Stablecoins #blockchain
A security overview of the common pitfalls and vulnerabilities that may affect stablecoins, with a brief analysis of FRAX, RAI, DAI and AMPL.

Security Practices in Move Development Pt. 2: Aptos Coin #blockchain
In the previous article of this series, BlockSec introduced how to develop a Hello World program on the Aptos network. This second part focuses on the Aptos coin (the fungible token used in Aptos), including its development, management, and interaction.

So, You Want to Get Into Bug Bounties? #bug-bounties
If you are into bug bounties, you probably know Shubs and the excellent work and contributions he has made to the industry for over a decade. This blog post is a summary of Shubs' thoughts and recommendations on how to successfully start a career hunting bugs in bug bounty programs.

Deep Dive: Upgradeable Smart Contracts #smart-contract
This article is a deep dive into the upgrade patterns for smart contracts targeting the Ethereum Virtual Machine (EVM).

Introduction to MITRE ATT&CK #threat-intelligence
Have you ever wondered how to create a prioritized list of threat actors? Or identify which malicious tactics and techniques are most relevant? Or which security controls should be improved first? The MITRE ATT&CK Framework can help. Version 12 has just been released, and this blog will help you understand what the Framework is and what's new.

Exploiting an N-day vBulletin PHP Object Injection Vulnerability #appsec
vBulletin is one of the most popular proprietary forum solutions on the internet, but it is also known for some famous 0-day RCE vulnerabilities that led to significant data breaches. This article is about a little-known, silently patched vulnerability that was fixed in July 2019 with the release of version 5.5.3.

Security Concerns with the e-Tugra Certificate Authority #appsec
Ian Carroll looked into several certificate authorities, specifically e-Tugra, a Turkey-based certificate authority trusted by Apple, Google, Mozilla, and other clients, and found a number of alarming issues, which are detailed in this article.

A Confused Deputy Vulnerability in AWS AppSync #cloud-sec
Nick Frichette writes about a cross-tenant vulnerability identified in Amazon Web Services (AWS) that abuses the AWS AppSync service to assume IAM roles in other AWS accounts. Attackers could have used this vulnerability to pivot into a victim organization and access resources in those accounts.

Access Control Vulnerability in DeFi #smart-contract
Real-life exploits of smart contracts caused by insufficient authorization controls, and how these issues could have been avoided by integrating OpenZeppelin's access control libraries.

Decoding DFX Finance Exploit #smart-contract
On the 10th of November 2022, DFX Finance was attacked. The attacker used a flash loan against DFX's contract and made off with more than $7 million. The attack was possible because the flash function lacked reentrancy protection.

The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module #smart-contract
Numen Cyber Labs identified an integer overflow affecting the Aptos Move VM. This article dives deep into the issue while explaining a few interesting concepts about Aptos' virtual machine.

Velas Infinite Mint Vulnerability Writeup #smart-contract
Oren Yomtov recaps the delegatecall issues previously found by pwning.eth and how he was able to find a very similar issue in the Velas smart contract, an infinite mint that could have destroyed Velas' $100M market cap.

Mt Pelerin Double Transaction Bugfix Review #smart-contract
On September 21, 2022, an anonymous whitehat reported a critical severity bug in Mt Pelerin's bridge-protocol-v2 via Immunefi, which could have allowed an attacker to drain the contract of funds.

Taking Home a $20K Bounty with Oasis Platform Shutdown Vulnerability #smart-contract
Or Cyngiser on how he spotted and exploited a vulnerability in the Oasis platform that could have completely shut down the service by triggering a delegatecall to selfdestruct().

Taking a Closer Look at the Numbers Protocol Hack #smart-contract
On November 23, 2022, the Numbers Protocol ($NUM token) on the Ethereum chain was attacked, resulting in the loss of approximately $13,836.

How I Could Drain an Entire Blockchain: Post Mortem on a Bug in Godwoken Chain #smart-contract
Yaron Velner found a vulnerability in the Godwoken blockchain that would have allowed him to flash loan the entire TVL of its local DEX without paying it back, draining the Godwoken chain's entire $7 million TVL.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

  • Learn How To Fuzz Like a Pro: Fuzzing Arithmetics

⌨️ Repositories

  • federicodotta/protobuf-decoder — A simple Google Protobuf Decoder for Burp.

  • 0xacb/recollapse — REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications.

  • MetaDock — Improve the usability of blockchain explorers, including BTC.com, Etherscan, BscScan, and scans of most EVM-compatible chains.

  • tintinweb/solidity-shell — An interactive Solidity shell with lightweight session recording and remote compiler support.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas @0xroot | @secpillsnews