Security Pills - Issue 24
Subdomain Enumeration with DNSSEC, Visual Studio Code: RCE, Specialized Zero-Knowledge Proof Failures
Release Date: 4th December 2022 | Issue: 24
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor: Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there, today marks our six-month anniversary! 🎉 Hope you all had a great weekend!

This week we are sharing a devastating vulnerability that affected the Moonbeam, Astar, and Acala networks. A white-hat (pwning.eth) found an integer truncation that bypassed sanity checks when a transfer was initiated through smart contracts, which could have caused a loss from wrapped tokens for a value near to $44M, and around $150M in borrowable assets.

The wallet used to deploy the Ankr protocol contract was compromised as well, causing more than $5M to be stolen. Funds were siphoned through Tornado.cash and bridged tokens were moved to other chains like Ethereum and Polygon.

But today's news is not all about smart contracts! We have also included a dangerous remote code execution affecting Visual Studio Code (you must really check it out) and how you could get a pre-auth RCE on pgAdmin with CodeQL in less than 20 minutes, for real!

I don't want to spoil the party, so please enjoy today's newsletter!
Articles: Building a Virtual Machine Inside ChatGPT, Subdomain Enumeration with DNSSEC, Bypassing Web Application Firewalls, Web3 Doesn't Exist, Move Fast & Break Things, Pt.2: A Sui Security Primer, Solana Introductory Security Considerations, The Cost of Resilience, Security Guide to Proxies, Need for Speed: Static Analysis Version, Analyzing Backdoors in Scam Token Contracts.
Vulnerabilities & Bug Bounties: Visual Studio Code: Remote Code Execution, HTTP Desync Attack - Mass Account Takeover at a Cryptocurrency Site, Pre-Auth RCE with CodeQL in Under 20 Minutes, Specialized Zero-Knowledge Proof Failures, Taking a Closer Look at Ankr Hack, Could Wrapped Tokens Like WETH Be (Forced) Insolvent?, 88MPH Theft of Unclaimed MPH Rewards Bugfix Review, How the Oracle Manipulation Attack Happened to Inverse Finance, Zero-Click Argent Contract Vulnerability
Videos: Mind-Blowing Examples of OpenAI ChatGPT for Security, Infosec & Hacking, A Journey Into Fuzzing WebAssembly Virtual Machine, Chris Tarbell: FBI Agent Who Took Down Silk Road, Jammer! He Just Wanted Privacy But This Little Device Caused Big Trouble
Repositories: WeFuzz Multiversity, Subzuf, teler, BOR, friTap.
Podcasts: Darknet Diaries: Gollumfun Pt.2, Malicious Life Ep.194: The Russian Business Network.
Tags used in this issue: #ai, #appsec, #blockchain, #sast, #smart-contract
Building a Virtual Machine Inside ChatGPT #ai — Unless you have been living under a rock, you have probably heard of the new ChatGPT assistant made by OpenAI and are aware of its capabilities. Frederic Besse managed to do something different with it by running a virtual machine inside ChatGPT.
Bypassing Web Application Firewalls #appsec — Florian Schweitzer on demystifying WAFs and how to evade an OWASP CRS rule that aims to protect against WAF bypassing techniques.
Web3 Doesn't Exist #blockchain — Marcus Hutchins on Web3 and its blockchain-related technologies, which were supposed to provide the foundation for a better internet.
Move Fast & Break Things, Pt.2: A Sui Security Primer #blockchain — Zellic provides a gentle introduction to Sui, a new Move-based blockchain, comparing it with Aptos and highlighting some important differences for developers to know, especially for secure smart contract development.
Solana Introductory Security Considerations #blockchain — In comparison to Solidity-based chains, Solana takes a different approach to the account mechanism. This different way of handling accounts introduces an attack vector that is unfamiliar to Solidity developers. In this article, Haechi details how Solana handles and stores account state, as well as the security considerations to keep in mind when developing and auditing Solana-based programs.
The Cost of Resilience #blockchain — A new mev-boost feature allows validators to maximize Ethereum's censorship resistance by building low-MEV blocks locally while still outsourcing the building of high-MEV blocks.
Security Guide to Proxies #blockchain — In Web3, the Proxy or Proxy Delegate is a delegation pattern commonly used to introduce upgradeability in smart contracts. While it can be extremely powerful, it is also commonly misunderstood, leading to incorrect implementations and security issues. This research effort compiles proxy knowledge with the goal of improving the correctness of proxy implementations and providing a useful resource for security reviews of proxy contracts.
Need for Speed: Static Analysis Version #sast — Program analysis is an extremely interesting discipline that aims to combine an impossible task with practical usage. Practical usage takes many forms, ranging from convenience of information and quality of findings to the speed at which the analysis is carried out. At r2c, a question remains after three years of development — what goes into making a code analysis product that can run at "ludicrous speed", and have they achieved that goal with Semgrep?
Analyzing Backdoors in Scam Token Contracts #smart-contract — Due to the rapid advancement of blockchain technologies and the digital economic system, cryptocurrencies have experienced substantial growth in recent years. This month alone, approximately 23 million dollars have been lost to exit scams and rug pulls. QuillAudits details how hackers build scam coins to fool you into buying them and then steal your money.
Visual Studio Code: Remote Code Execution #appsec — An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, the web-based Visual Studio Code for Web and, to a lesser extent, Visual Studio Code desktop.
HTTP Desync Attack - Mass Account Takeover at a Cryptocurrency Site #appsec — An HTTP Desync (Request Smuggling) vulnerability affecting a cryptocurrency payment system along with 121 other hosts using the Distil Bot protection. Ankit Singh (@AnkitCuriosity) observed that the front-end server used the Content-Length header while the back-end server used the Transfer-Encoding header to determine the length of an HTTP request. This disagreement between the servers over a request's length could be abused to escalate into a mass account takeover scenario.
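The disagreement described above is only possible when a request reaches the front end with ambiguous framing: both a Content-Length and a Transfer-Encoding header, duplicate or conflicting Content-Length values, or header names padded so that one hop recognises them and the other does not. RFC 7230 §3.3.3 says Transfer-Encoding takes precedence and that such a message may be rejected as an error. The following Python check, an added example that is not code from the write-up, is the kind of gate a front-end proxy or WAF can apply before forwarding; the sample requests, host name and path are constructed for illustration.

```python
"""Flag HTTP/1.1 requests whose body length is ambiguous (the precondition
for CL/TE request smuggling), so an edge proxy can reject them instead of
forwarding a request two hops may frame differently.  Added example; the
sample requests below are constructed, not taken from the write-up."""
import re

# Constructed sample requests (host name and path are placeholders).
CLEAN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"user=a&pw=bcd"
)

# Both framing headers present: a CL-reading hop and a TE-reading hop
# would disagree on where this request ends.
CL_TE = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Whitespace before the colon: some parsers see Transfer-Encoding, some don't.
SPACED_TE = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)


def framing_issues(raw: bytes) -> list:
    """Return a list of human-readable reasons the request's framing is
    ambiguous.  An empty list means the body length is unambiguous."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    issues = []
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding in headers")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            issues.append(f"malformed header line {line!r}")
            continue
        raw_name = name.decode("latin-1")
        if raw_name != raw_name.strip():
            # RFC 7230 forbids whitespace between field-name and ':'.
            issues.append(f"whitespace around header name {raw_name!r}")
        canon = raw_name.strip().lower()
        val = value.strip().decode("latin-1")
        if canon == "content-length":
            cl_values.append(val)
        elif canon == "transfer-encoding":
            te_values.append(val)
    if cl_values and te_values:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        issues.append(f"conflicting Content-Length values {cl_values}")
    for v in cl_values:
        if not re.fullmatch(r"[0-9]+", v):
            issues.append(f"non-numeric Content-Length {v!r}")
    for v in te_values:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            # 'xchunked', 'chunked-foo' etc. are parsed differently per hop.
            issues.append(f"Transfer-Encoding {v!r} does not end with chunked")
    return issues


def should_forward(raw: bytes) -> bool:
    """Policy a front end can apply: forward only unambiguous requests."""
    return not framing_issues(raw)


if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl_te", CL_TE), ("spaced_te", SPACED_TE)):
        print(label, "forward" if should_forward(req) else "reject", framing_issues(req))
```

The check is deliberately stricter than the RFC requires: rather than letting Transfer-Encoding win and silently dropping Content-Length, it refuses the request outright, because the back end the front end is protecting may not apply the same precedence rule.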
Specialized Zero-Knowledge Proof Failures #blockchain — Opal Wright from Trail of Bits on a ciphertext malleability bug, which could allow attackers to prove the validity of invalid inputs to a group signature, leading to invalid signatures. Any blockchain that relies on threshold signatures could be affected by this issue, by allowing attackers to prevent targeted transactions from completing.
Taking a Closer Look at Ankr Hack #smart-contract — On December 02, 2022, the Ankr protocol on BNB chain suffered a governance key compromise, allowing an attacker to mint 10,000,000,000,000 $aBNBc tokens and drain the DEX pool, resulting in the loss of approximately $5 million.
Could Wrapped Tokens Like WETH Be (Forced) Insolvent? — pwning.eth did it again by reporting a bug in the Frontier EVM which could depeg the native wrapped tokens in Moonbeam Network and Astar Network, affecting more than $150 million in funds on Polkadot.
88MPH Theft of Unclaimed MPH Rewards Bugfix Review #smart-contract — On September 25, 2022, 0xSzeth reported a high severity bug in 88mph's vesting03 smart contract via Immunefi. This bug allowed malicious users to drain the vesting contract of unclaimed MPH rewards (88mph tokens).
How the Oracle Manipulation Attack Happened to Inverse Finance #smart-contract — On June 16th, 2022, someone manipulated the oracle price on Inverse Finance with an AAVE flash loan on Ethereum mainnet, and earned more than $1 million worth of tokens (53.24 WBTC and 99,976 USDT). This article details how to reproduce the attack on an Ethereum mainnet fork with Hardhat.
Zero-Click Argent Contract Vulnerability #smart-contract — Braavos found a critical vulnerability in Argent contracts deployed with version 5.0.x of the Argent-X wallet application, which allowed anyone to gain full control of an Argent account.
Mind-Blowing Examples of OpenAI ChatGPT for Security, Infosec & Hacking — Patrick Ventuzelo from Fuzzing Labs on how OpenAI's ChatGPT is able to answer questions on complex subjects such as exploitation, reversing and decompilation.
A Journey into Fuzzing WebAssembly Virtual Machine — This talk introduces WebAssembly, dives deeper into the WebAssembly VM architecture, identifies the attack surface and explains Patrick's fuzzing strategy for targeting each VM component, from module parsing to the runtime execution engine.
Chris Tarbell: FBI Agent Who Took Down Silk Road — Chris Tarbell is a former FBI special agent and cybercrime investigation specialist who brought down Ross Ulbricht and Silk Road, and Hector Monsegur (aka Sabu) of LulzSec and Anonymous.
Jammer! He Just Wanted Privacy, But This Little Device Caused Big Trouble — Gary Bojczak drove a truck for a construction company that was constantly tracking his vehicle. Plugging a little dongle into the cigarette lighter could block that surveillance, but ended up causing way more problems than it solved.
WeFuzz Multiversity — A collection of all the resources useful for hackers and developers of various Blockchains to learn, develop and contribute.
elceef/subzuf — A subdomain brute-force fuzzer coupled with an immensely simple but effective DNS response-guided algorithm.
kitabise/teler — Real-time HTTP Intrusion Detection
Static-Flow/BOR — Break on Request is a Burp extension that provides a custom context menu for marking requests to be stopped by the interceptor with only one click.
fkie-cad/friTap — Tool to help researchers analyze traffic encapsulated in SSL or TLS.
Darknet Diaries Ep. 129: Gollumfun Pt. 2 — Brett Johnson, AKA Gollumfun, was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.
Malicious Life Ep. 194: The Russian Business Network — In 2006 the Russian Business Network pivoted its business: the once legitimate ISP became a 'bullet-proof' hosting service, catering to the needs of cybercriminals. It quickly became the largest player in the Russian cybercrime landscape, with ~60% of all cybercrime activity related to Russia connected to it in some way.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.