Security Pills - Issue 30

Release Date: 16th January 2023 | Issue: 30 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey everyone, I hope you had a great week. 👋There is lots of great content for this week. We continue to deliver on recent hacks affecting the blockchain space, such as the CirculateBUSD project which was recently rug pulled, causing a loss of $2.27 million to its users, or the BRA token which was exploited due to a logic flaw, resulting in the hacker stealing nearly $225,000. However, we also like to bring you the latest research and issues discovered by some well-renowned researchers in the appsec space, such as a bypass on the macOS signature verification mechanism, or several security issues affecting the wolfSSL library. In any case, enjoy today's newsletter

GraphQL Exploitation - All You Need to Know #appsecTheodoros Danos shares the knowledge gathered over the past few years while testing and developing GraphQL applications.

Testing the Performance of User Authentication Flow #appsecKursat Aktas on how to simulate and test the performance of user authentication flow at a given concurrency to avoid denial of service of a backend service.

ImageMagick Security Policy Evaluator #appsecDoyensec has decided to study the effects of all the options accepted by ImageMagick's security policy parser and write a tool to assist both the developers and the security teams in designing and auditing these files.

Optimizing Wordlists with Masks #appsecArticle that introduces a methodology for creating new password-cracking wordlists and benchmark them against other popular ones.

How to Use CloudQuery for Attack Surface Management and Graph Visualization #asmHow to set up CloudQuery for customizable Attack Surface Management (ASM) and how to use graph visualization to execute security queries. Graph visualization can be used effectively to understand relationships between assets, attack paths, and attack surface to aid with ASM and improving the security posture of an organization.

Crypto Losses in 2022 #blockchainThe team at Immunefi has assessed the volume of crypto funds lost by the community due to hacks and scams in 2022.

How to Analyze Bitcoin Data with SQL #blockchain , #data-analyticsLearn how Bitcoin works, and how to analyze block statistics, transaction values, active addresses, and address balances using Dune.

Circumventing Layer Zero: Why Isolated Security is No Security #blockchainDebate on shared security models of cross-chain applications.

Uniswap: Risks and Risk Management #blockchainUniswap is an extremely popular DeFi platform for trading tokens as well as providing liquidity. Uniswap is the first DEX to implement AMM mechanics and has been the most dominant ever since.While the platform itself has never been proven unsafe, there are several risks to consider, including financial, compliance-related, or exposure to potential scams that are listed on the platform. In this blog post, the authors delve into some of the risks to be aware of when using the platform, as well as some risk mitigation measures that Uniswap has implemented.

Factories: Getting a List of All Contracts Created by an Address #blockchainIn this article, Thomas Jay Rush will show you how to use TrueBlocks and chifra to get a list of every smart contract created by an address.

Generating Secure Randomness on Ethereum using SNARKs #blockchainParadigm proposes in this post designs and reference implementations that utilize SNARKs and VDFs to achieve fully secure randomness on Ethereum.

Fake Token Trendy: The Next Millionaire is You #blockchainHundreds of ERC20 tokens are created daily, but more than 15% are fake tokens. On-chain analysis estimate that the daily profit from these fake tokens can reach 22.4 ETH. This article digs into the fake token industry, revealing the process of how the black groups are making a profit, and analyzing the 2022 fake token trend.

Vulnerable Spots of Lending Protocols #blockchainIn this article Daniil Ogurtsov goes through the core security vulnerabilities common to the lending protocol. Lending protocols have compiled a long list of hacks which can be categorized. Understanding these vulnerabilities is a perfect tool for an auditor - the lending protocol has the same vulnerable spots and typical attack vectors. It is important to keep these vectors in mind when auditing as a tool applied to lending protocols. It is applicable both for forked lending protocols and protocols with unique logic.

A Low-Level Guide to Solidity's Storage Management #evmLearn how the EVMs storage system works by interacting with it through smart contracts using solidity's inline assembly/yul, taking you a step closer to bridging the gap between high and low level programming. Learning how to use bitwise operations alongside SLOAD and SSTORE to control the EVMs storage at will.

Solidity: All About Stack #solidityJean Cvllr writes an article exploring the EVM stack, its layout and what opcodes are used to interact with it at a low level.

Keeping the Wolves Out of WolfSSL #appsecTrail of Bits found four vulnerabilities affecting wolfSSL which could cause a denial of service (DoS). The issues were discovered automatically using the protocol fuzzer tlspuffing. This blog post explores these vulnerabilities, and provides an in-depth overview of the fuzzer.

Practical Example of Client-Side Path Manipulation #appsecAntoine Roly on a Client-Side Path Manipulation found during a private bug bounty program.

Bad Things Come in Large Packages: .pkg Signature Verification Bypass on macOS #appsecCode signing of applications is an essential element of macOS security. Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, Sector7 found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root.

Cacti: Unauthenticated Remote Code Execution #appsecCommand injection vulnerability found on Cacti, an open-source web-based monitoring solution.

OGNL Injection Decoded #appsecAditya discusses the infamous Object Graph Navigation Language (OGNL) injection vulnerability, explaining the vulnerability details, attack vectors, how the vulnerability works in the background and how companies can protect their resources against this type of attack.

Three Lessons from Threema: Analysis of a Secure Messenger #appsecThreema is a Swiss encrypted messaging application, used by the Swiss Government and the Swiss Army. This paper shares seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.

Hack Analysis: Beanstalk Governance Attack #smart-contractBeanstalk, a permissionless fiat stable coin protocol, was the victim of a whopping $181m hack on April 17, 2022, which leveraged the lack of execution delay to push through a malicious governance proposal.

Hack Analysis: Nomad Bridge #smart-contractThe Nomad bridge was hacked on August 1st, 2022, and $190m of locked funds were drained. After one attacker first managed to exploit the vulnerability and struck gold, other dark forest travelers jumped to replay the exploit in what eventually became a colossal, “crowdsourced” hack.

CirculateBUSD Project RugPull: Loss of $2.27 Millions #smart-contractOn January 12, 2023, according to NUMEN on-chain monitoring, CirculateBUSD project has been drained by the contract creator, causing a loss of 2.27 million dollars.

How Was BRA Token Exploited #smart-contractOn January 10, 2023, the BRA token was exploited, in which the hacker was able to steal funds worth 819 $WBNB, roughly amounting to $225,000.

Wormhole - A Deep Dive #smart-contractThis article explores the design, security, and trust assumptions of Wormhole IM, an arbitrary messaging bridge (AMB) enabling users and developers to transfer both simple messages and complex data across chains.

Taking A Closer Look at Roe Finance Exploit #smart-contractOn January 11, 2023, Roe Finance was exploited using a price manipulation attack, causing a loss of $80,000.

🎥 Videos

• An Adversaries Approach to Smart Contracts

• $1 M bounty in Aurora Blockchain for No Input Sanitization Bug — This video is an explanation of a bug in Aurora blockchain that allowed anyone to basically take anyone's cryptocurrency without them being able to prevent that.

• Sense Finance Access Control Bugfix Review — On April 22, whitehat Violet Vienhage submitted a critical vulnerability in Sense Finance via Immunefi that consisted of an access control issue. For their work, Violet received a $50,000 bounty.

• Formal Verification on the Solidity Stack — Leo Alt gives a demo-driven walkthrough using formal verification tooling on the Solidity stack.

⌨️ Repositories

• tlspuffin — A symbolic-model-guided fuzzer for TLS.

• sigstore-python — A python tool for generating and verifying Sigstore signatures.

• spook — Mixing service using the Nym network to anonymize Ethereum RPC calls.

• damn-vulnerable-defi — A new version of Damn Vulnerable DeFi is out. The offensive security playground for the decentralized finances.

🎙️ Podcasts

1. Critical Thinking Episode 01: Introductions, BB Reports and tips — In this episode of Critical Thinking - Bug Bounty Podcast, Joel Margolis (aka 0xteknogeek) and Justin Gardner (aka Rhynorater) cover introductions, a couple of cool bug bounty reports, and some really helpful BB Tips.

📖 Books

• Blockchain Dark Forest Selfguard Handbook

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews