Security Pills - Issue 25

Release Date: 12th December 2022 | Issue: 25 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there, hope you all had a great weekend!Hope you enjoy today's articles, stay safe!

Exploring Prompt Injection Attacks #aiPrompt Injection is a new vulnerability that is affecting some AI/ML models and, certain types of language models using prompt-based learning. This post discusses what a prompt is in the machine learning context, how prompt injection abuses this characteristic, its impact as well as some recommendations and advice.

Using OpenAI Chat to Generate Phishing Campaigns #aiOpenAI chat has exploded in popularity over the last couple of weeks. Rick Osgood writes on how it could be used to generate elaborated phishing campaigns.

Abusing JSON-Based SQL to Bypass WAF #appsecTeam82 has developed a generic bypass of industry-leading web application firewalls (WAF), which involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.

Accidentally Crashing a Botnet #blockchainAkamai researchers have continued their research on KmsdBot, a cryptomining botnet. As part of this analysis, a syntax error caused the bot to stop sending commands, effectively killing the botnet.

The Hunt for the Dark Web's Biggest Kingpin Pt.1 The Shadow #blockchainThe rise and fall of AlphaBay, the largest online drug and crime bazaar in history, run by a technological mastermind who seemed untouchable — until his tech was turned against him. A six-part series describing how Alpha02 oversaw millions of dollars in online narcotic sales and how he became public enemy number one for cybercrime detectives.

Solana rBPF Vulnerability Case Study #blockchainWhen compiled smart contracts run in Solana, they are converted into eBPF bytecode, and a separate virtual machine execute them. Among the attack surface that exists in Solana, Jade from Haechi Labs, thought that the rBPF Virtual Machine was the component where 0-day vulnerabilities could exist and started a research. This article collects some of the notes gathered during the research.

Alternatives to Tornado Cash #blockchainOn August 8th, the OFAC sanctioned the popular Tornado Cash decentralized mixer. Processing over $7 billion worth of cryptoassets throughout its operation, Tornado Cash was used by criminal entities to launder over $1.54 billion of illicit cryptoassets. Within a month of the sanctions, Tornado Cash liquidity pools decreased by approximately 60%. This briefing details Elliptic's analysis into six prominent alternative Ethereum-based obfuscation protocols that have been mentioned as potentially the next Tornado Cash.

Hybrid Fuzzing: Sharpening the Spikes of Echidna #blockchainSmart contract fuzzing is an effective bug-finding technique that is largely used at Trail of Bits during audits. Tom Malcolm has been working on Hybrid Echidna during his internship, a “hybrid fuzzer” that couples Echidna, with their symbolic execution framework, improving the process of finding bugs.

The Optimizer's Guide to Solidity Pt.4: Binary Size Tricks #blockchainOmniscia has published the fourth part of their series on delving deep into the internals of the EVM and how they regularly exploit peculiar traits of the EVM to minimize the execution cost of the smart contracts it audits. You can see previous parts here: Pt. I, Pt. II, and Pt. III.

Some Ways to use ZK-SNARKs for Privacy #blockchainZK-SNARKs are a powerful cryptographic tool, and an increasingly important part of the applications that people are building both in the blockchain space and beyond. But they are complicated, both in terms of how they work, and in terms of how you can use them. This post focuses on applications of ZK-SNARKs for preserving privacy.

Intro to Smart Contract Audit Series: Phishing With tx.origin #smart-contractSlowMist thoughts on how tx.origin-based phishing attacks are used in smart contracts.

Accessing Private Data in Smart Contracts #smart-contractArticle from QuillAudits describing how it is possible to access data stored in private variables from outside the blockchain.

From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM #appsecJulien Ahrens writes on how to get remote code execution on any host running a DCM console by exploiting an authenticated SQL Injection.

RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass #appsecA writeup explaining how two researchers were able to achieve RCE through a server-side template injection using a Spring Expression Language injection on an application running Spring Boot.

Hijacking GitHub Repositories by Deleting and Restoring Them #appsecJoren Vrancken found an obscure security measure while researching GitHub repositories; the popular repository namespace retirement. This security measure was implemented by GitHub to protect popular repositories against repository hijacking. During this research, Joren was able to identify a way to bypass this security mechanism, landing a bounty of $4,000.

Address Poisoning Attack, a Continuing Threat #blockchainThe address poisoning attack on $0 USD transfers is savage in recent weeks. As of December 2, more than 340K addresses have been poisoned on the chain, totaling 99 victim addresses and more than 1.64M USD stolen. In this article, X-explore provides a comprehensive analysis of the attack landscape, traces the attackers on-chain, and provides an in-depth analysis of how the attack is implemented.

Rust, Realloc, and References #blockchainRust is safe... right? Not if your dependencies are unsafe. A deep dive into a subtle Solana SDK bug, Rust internals, and how OtterSec spotted the vulnerability.

Roast Football Suffers Attack, Funds Lost Through Exploited Reward System #smart-contractOn December 05, 2022, Roast Football was a victim of an attack, in which the exploiter repeatedly swapped $RBF and $WBNB tokens by manipulating their reward system to book a profit of approximately 12 $BNB worth $3500.

xAPIC Vulnerability on Secret Network #smart-contractOn October 3rd, SCRT Labs was notified of a vulnerability affecting the privacy of data stored on Secret Network. This disclosure was related to the recently disclosed xAPIC architectural bug, an uninitialized memory read in the CPU itself that impacted certain SGX-enabled CPUs. The researchers demonstrated the ability to access the consensus seed, from which other network seeds were derived.

Nethermind ModExp Out of Memory Consensus Issue #smart-contractOn 14 October 2022, Jason Matthyser, a security researcher at Iosiro, identified a bug within the Nethermind client that could lead to a consensus failure. The issue was reported to the Ethereum Foundation, who fixed the bug before it was released into production, ensuring that no funds were at risk.

Know About the Helio Protocol Hack #smart-contractOn December 02, 2022, the dumping of massive amount of aBNBc tokens on decentralized exchange opened the door for another exploit in which Helio Protocol was attacked and profited the attacker by approximately $15.5 million.

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable #supply-chainThe Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the underlying software development pipelines for projects using GitHub Actions. This article covers this new technique of artifact poisoning and describes who could be vulnerable, including how the vulnerability was found in the Rust programming language.

🎥 Videos

1. How to Find a $7 Billion Dollar Exploit — Patrick covers in this video a bug that could potentially have drained $7 billion from the polygon ecosystem.

2. Can AI Create a Minecraft Hack? — LiveOverflow uses OpenAI's ChatGPT to create a minecraft hack.

3. Applied ZK Learning Group — Learning resources for someone willing to dive deep into the applied ZK space.

4. Who Stole the NSA's Top Secret Hacking Tools? — The NSA has a super secret catalog of sci-fi level cyber weapons. Then one day in 2016, someone started auctioning them off on Twitter.

⌨️ Repositories

• OpenCoreCH/smart-contract-auditing-heuristics — Repository containing heuristics that can be used when auditing smart contracts to get ideas for vulnerabilities/common pitfalls.

• crytic/Optik — Set of symbolic execution tools that assist smart-contract fuzzers.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews