Security Pills - Issue 27

Statistical Attacks on Proof of Solvency, Rediscovering Smart Contracts Honeypots, Reversing the EVM: Raw CALLDATA

Release Date: 26th December 2022 | Issue: 27

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there 👋,

Hope you all had a great weekend! Enjoy today's issue!

  • Articles: Reverse Engineering Tiktok's VM Obfuscation Pt. 1, Abusing HTTP hop-by-hop request headers, Reversing the EVM: Raw Calldata, Intercept Pending Transactions with Rust, EVM Deep Dives: The Path to Shadowy Super Coder, Playing with Yul, Fast and Accurate Syntax Searching for C and C++, Statistical Attacks on Proof of Solvency, How to Set Up Your own Forta/Erigon Node, Can ChatGPT Detect Vulnerabilities in Smart Contracts?, Rediscovering Smart Contract Honeypots Targeting Solidity Devs, Speeding Web3 Bug Hunts.

  • Vulnerabilities & Bug Bounties: The 2022 Curl Security Audit, Analyzing Raydium Hack, How Was MEW (MyEtherWallet) DNS Spoofed?, Investigation of North Korean APTs Large-Scale Phishing Attack on NFT Users, Hack Analysis: Omni Protocol, Uniswap Bug Bounty.

  • Resources:

    • Videos: Twas the Hack Before Christmas - Darknet Diaries Ep.55 NoirNet, LiveOverflow: What is a Protocol?, Story of an RCE on Apple Through Hot Jar Swapping, RTFR (Read the Bleeping RFC), Trail of Bits Fuzzing Workshop.

    • Repositories: fcors, zk-bug-tracker, hot-jar-swapping-urlclassloader

  • Tags used in this issue: #appsec, #apt, #blockchain, #compiler, #evm, #reverse-engineering, #security-audit, #smart-contract

Abusing HTTP hop-by-hop request headers #appsec
In this writeup, Nathan Davison covers different techniques which can be used to influence web systems and applications in unexpected ways, by abusing HTTP/1.1 hop-by-hop headers. Systems affected by these techniques are likely ones with multiple caches/proxies handling requests before reaching the backend application.

Reversing the EVM: Raw Calldata #blockchain
You may have wondered how to decipher and read EVM calldata, then attempted to read the transaction calldata of an Ethereum smart contract, only to become confused at a certain point. The EVM (and other L1 forks) encode and decode calldata in a specific way for static and dynamic types, which can be initially confusing. This article delves into the encoding sequence of calldata so that you can comprehend any verified or unverified smart contract transactions and understand the bytes.

Intercept Pending Transactions with Rust #blockchain
Transactions on a blockchain are not instant. They are pending until they are confirmed by the network. This is a security feature of the blockchain. Therefore it is important to wait for the transaction to be confirmed before sending another transaction. In this article, Lorenzo Zaccagnini explains how to intercept pending transactions with Rust.

How to Set Up Your Own Forta/Erigon Node #blockchain
Forta is a real-time detection network for the security and operational monitoring of blockchain activity, helping detect threats and anomalies on DeFi, NFT, governance, bridges, and other Web3 systems. This article describes all the necessary steps to run a scanner node with some security recommendations and best practices.

Playing with Yul #blockchain
Article from David on how to write a contract entirely in assembly and learn Yul in the process.

Statistical Attacks on Proof of Solvency #blockchain
In the wake of FTX's collapse, many prominent crypto exchanges have announced plans around "proof of solvency." This article explores a less-discussed problem: the proof of solvency mechanism risks being undermined by a malicious exchange in statistical ways. Critically, if exchanges can predict future attestations or sow doubt on failed attestations, they can successfully misappropriate consumer funds. The strong probability guarantees behind proof of solvency in theory are remarkably brittle in practice.

Fast and Accurate Syntax Searching for C and C++ #compiler
The naive approach to searching for patterns in source code is to use regular expressions; a better way is to parse the code with a custom parser, but both approaches have limitations. Mate Kukri has prototyped an internal tool called Syntex that searches Clang ASTs to avoid these limitations. In this article, Mate discusses Syntex's unique approach to syntactic pattern matching.

Reverse Engineering Tiktok's VM Obfuscation Pt.1 #reverse-engineering
TikTok has a reputation for its aggressive data collection. While some of the data they collect may seem benign, it can be used to build a detailed profile of each user. The platform has implemented various methods to make it difficult for reverse-engineers to understand exactly what data is being collected and how it is being used. This research explores some of the obfuscation used by TikTok's VM and what telemetry is provided when doing a simple search.

Speedrunning Web3 Bug Hunts #smart-contract
Tips for developing an efficient strategy for bug bounty issues in smart contracts, so you can cover as much of a code base as possible in the smallest amount of time.

Can ChatGPT Detect Vulnerabilities in Smart Contracts? #smart-contract
Interesting approach by Beosin, who looked into what the trending ChatGPT really is and whether it can detect smart contract vulnerabilities.

Rediscovering Smart Contract Honeypots Targeting Solidity Devs #smart-contract
Smart contract honeypots are contracts that seemingly have a vulnerability; however, this vulnerability is intentionally placed bait used to entice attackers into getting trapped by the contracts. This article from Mal Plankton dives deep into some known honeypots, explaining how they trap their victims.

Investigation of North Korean APT's Large-Scale Phishing Attack on NFT Users #apt
On September 2, the SlowMist security team discovered that suspected APT groups were conducting large-scale phishing activities targeting NFT users. This article explores an APT campaign spanning over 190 domains targeting dozens of ETH and SOL projects.

How Was MEW (MyEtherWallet) DNS Spoofed? #blockchain
On April 24, 2018, the DNS registration servers of MEW (MyEtherWallet) were compromised by third-party actors, and the hackers got away with over $152,000 worth of Ether.

Hack Analysis: Omni Protocol #blockchain
Omni, an NFT money market platform, was the victim of a $1.4M hack on July 10, 2022, which exploited a reentrancy vulnerability in its Ethereum smart contracts. In this article, gmhacker.eth analyzes the vulnerable code in the Omni contract, creating a simplified version of the attack and testing it against a local fork.

The 2022 Curl Security Audit #security-audit
Several hundred hours of dedicated scrutiny of curl by a team of security experts resulted in two CVEs and a set of less serious remarks.

Analyzing Raydium Hack #smart-contract
On December 16, 2022, Raydium suffered a total loss of approximately $4.395 million due to an exploit affecting multiple liquidity pools, likely caused by the loss of a private key.

Uniswap Bug Bounty #smart-contract
Vulnerability found by the Dedaub team affecting the new UniversalRouter functionality.

🎥 Videos

⌨️ Repositories

  • jub0bs/fcors — Fearless CORS, a principled CORS middleware for Go.

  • 0xPARC/zk-bug-tracker — A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto.

  • fransr/hot-jar-swapping-urlclassloader — Demo of the URLClassLoader JAR-swapping showing the ability to replace and exploit an already loaded JAR with inner classes.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews