Security Pills - Issue 31
An Incomplete Guide to Stealth Addresses, Bypassing Authorization in GC Workstations, Manipulating AES Traffic Using a Chain of Proxies and Hardcoded Keys
Release Date: 23rd January 2023 | Issue: 31 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there,I hope you have been doing well and had a great week!Please enjoy today's newsletter.
Articles: XML Security in Java, Leaking Secrets from GitHub Actions, Exploiting Application Logic to Phish Internal Mailing Lists, Manipulating AES Traffic Using a Chain of Proxies and Hardcoded Keys, Polygon's Block Reorg Problem, Beyond ZK: The Definitive Guide to Web3 Privacy, Global Web3 Security Report 2022, An Incomplete Guide to Stealth Addresses, The State of Zero-Knowledge Applications in Ethereum Pt. 1, Disassembling EVM Bytecode, LLMs: A Bleak Future Ahead?, The Expanding Dark Forest and Generative AI, Beginner's Guide to Yul, Diving Into Smart Contract Decompilation, Best Practices When Developing with Foundry
Vulnerabilities & Bug Bounties: Deep Analysis of CEX reserves-huobi.com, SSH Key Injection in Google Cloud Compute Engine, Bypassing Authorization in Google Cloud Workstations, Security Audit of Git, Google Chrome SymStealer Vulnerability, Top 10 Bugs Found in C# Projects in 2022, Microsoft Teams RCE, Jarvis Network Flash Loan and Re-Entrancy Attack Analysis, OMNI Real Estate Token Exploit, Thoreum Finance Smart Contract Vulnerability, How Was Upswing Finance Exploited?, Post Mortem of Recent MLP Impact
Videos: Web3 SQL Weekly: How to Calculate ETH Balances for Any Address, Read-Only Reentrancy, An Adversaries Approach to Smart Contracts, MEV Roast - Why Privacy in MEV, Sparbit Community Workshop.
Podcasts: Critical Thinking Ep. 2: Exploit Writing & Automation
Tags used in this issue: #appsec, #blockchain, #cloudsec, #lms, #exploiting, #smart-contract
XML Security in Java #appsecPieter De Cremer and Vasilii Ermilove have thoroughly tested 10 different Java classes from three XML processing interfaces and found inconsistencies with some security features that do not work as documented. A unique thorough piece on Java XML security, with a set of Semgrep rules to detect these misconfigurations.
Leaking Secrets from GitHub Actions #appsecKarim Rahal on how GitHub Actions Runner does actually work and how to steal secrets if you have a command injection in a GitHub Action workflow.
Exploiting Application Logic to Phish Internal Mailing Lists #appsecInteresting approach followed by Tanner to run a phishing campaign and obtain access to some of the highest value assets for the company he was testing for.
Manipulating AES Traffic Using a Chain of Proxies and Hardcoded Keys #appsecAditya on how to intercept and manipulate client-side AES encrypted traffic in mobile applications that have hardcoded key and IV.
Polygon's Block Reorg Problem #blockchainThe Polygon PoS network has a unique block production mechanism where 32-depth reorgs can happen as easily as 1-depth reorgs on other blockchains. It has more double-digit-depths reorgs than its competitors. This article from MPlankton explains why that's happening.
Beyond ZK: The Definitive Guide to Web3 Privacy Pt. 1 | Pt. 2 #blockchainA three-part series on everything privacy in Web3, exploring secure computation and clearing up misconceptions about everything from ZKPs to TEEs.
Global Web3 Security Report 2022 #blockchainAn annual review prepared by Beosin over 167 major attacks affecting different Web3 projects, with a total loss of approximately $3.6 billions, an increase of almost 50% from 2021.
An Incomplete Guide to Stealth Addresses #blockchainVitalik has written this article which describes the mechanics and use cases of a different category of tool that could improve the state of privacy on Ethereum in a number of other contexts: stealth addresses.
The State of Zero-Knowledge Applications in Ethereum Pt. 1 #blockchainSeries of articles that aim to highlight the strengths and opportunities ahead for zero-knowledge (ZK) projects and applications, as well as identify underinvested areas, while covering Privacy and Identity (zkID), Private Finance (zkDeFi) and Private Computing (zkComp)
Disassembling EVM Bytecode #evmBasics on how to disassemble and decompile bytecode for the Ethereum Virtual Machine.
The Expanding Dark Forest and Generative AI #lmsInteresting essay on proving you are a human on a web flooded with generative AI content by Maggie Appleton.
Beginner's Guide to Yul #smart-contractA guide to Yul, an intermediate programming language which can be used to write a form of assembly language inside smart contracts.
Diving Into Smart Contract Decompilation #smart-contractThe Heimdall-rs decompilation module is a powerful tool for understanding the inner workings of Ethereum smart contracts. It allows users to convert raw bytecode into human-readable Solidity code and its corresponding Application Binary Interface (ABI). In this article, Jonathan Becker delves deep into the inner workings of the decompilation module, examining how it performs this conversion at a low level and exploring its various features and capabilities.
Best Practices When Developing with Foundry #smart-contractThis guide documents the suggested best practices when developing with Foundry.
Deep Analysis of CEX reservers-huobi.com #blockchainAn analysis made by X-explore and WuBlockchain on the Huobi.com asset list and what's the current situation after the FTX collapse.
SSH Key Injection in Google Cloud Compute Engine #cloudsecA single-click RCE in a user's Google Compute Engine instance.
Bypassing Authorization in Google Cloud Workstations #cloudsecSivanesh and Sreeram found another vulnerability, affecting this time the Cloud Workstations available in Google Cloud.
Security Audit of Git #exploitationThe OSTIF sponsored a security source code audit of Git, identifying two critical security issues. A heap-based memory corruption during clone or pull operations, which might result in code execution and a code execution during archive operation. The report, and a detailed blog post with all the vulnerabilities identified have been now published in a collaboration between X41, OSTIF and GitLab.
Google Chrome "SymStealer" Vulnerability #exploitationThe Imperva Red Team recently disclosed a vulnerability affecting over 2.5 billion users of Google Chrome and Chromium-based browsers. This vulnerability allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials.
Top 10 Bugs Found in C# Projects in 2022 #exploitationSummary of findings discovered throughout the 2022 by the PVS Studio team affecting C# projects.
Microsoft Teams RCE #exploitationAt this point you may be very familiar with Pwn2Own, an annual hacking competition where security researchers and teams compete to find and exploit vulnerabilities in popular software and devices. Hackers from all around the globe compete in what is considered one of the most prestigious and well-known hacking competitions in the world. The security researchers @adm1nkyj1 and @jinmo123 participated in the Vancouver edition, where they presented a vulnerability in Microsoft teams. A security issue in the deeplink handler used by teams to load arbitrary URLs in a WebView/Iframe could be abused along with teams RPC's functionality to achieve code execution outside the sandbox.
Jarvis Network Flash Loan and Re-Entrancy Attack Analysis #smart-contractOn January 15, the Jarvis Network project was attacked and 663,101 MATICs were lost as a result. Numen Cyber Labs has published a technical analysis describing how this attack was performed.
OMNI Real Estate Token Exploit #smart-contractA lack of input validation in the StakingPool contract used by the OMNI Real Estate project (ORT Token) on the BNB chain caused an attacker to exploit a security issue, stealing 236 BNB worth ~$71,000.
Thoreum Finance Smart Contact Vulnerability #smart-contractAn improper implementation of the transfer function used by the Thoreum Finance contract, in which if a wallet sent funds to itself, the amount of tokens in the wallet would be increased by as much as the sent amount, resulted in a loss of approximately 2260 BNB, worth $580,000.
How was Upswing Finance Exploited? #smart-contractA flash loan attack caused by a design flaw on the UPStkn token, allowed an attacker to manipulate the token's price in the liquidity pool, thus resulting in the loss of approximately 22.58ETH, worth $35,800. The domain for Upswing Finance has been taken down and no official response has been provided on their social media profiles.
Post Mortem of Recent MLP Impact #smart-contractPost mortem on the attack occurred with the Mycellum Swap platform where a trader caused degradation in the MLP price while making profits.
🙏 Support us
Web3 SQL Weekly: How to Calculate ETH Balances for Any Address — Andrew Hong (Dune Analytics) has started a new series where he breaks down one query a week into byte-sized bits, making both the SQL and blockchain concepts more digestible.
Read-only Reentrancy - A Novel Vulnerability class Responsible for 100m+ Funds at Risk — Reentrancy is one of the first lessons learned when getting started with smart contract development and security. In this lightning talk Ioannis presents a novel form of reentrancy, the "read-only reentrancy" which is mostly unknown, although devastating in today's DeFi world and which has been single-handedly responsible for $100m+ in funds at risk.
Spearbit: Community Workshop - Riley Holterhus — Riley Holterhus is a former Paradigm researcher and current Spearbit security researcher hacking contracts. He found several issues during the Maple security review.
Critical Thinking Ep. 2: Exploit Writing & Automation — In this episode, the hosts talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age old question of "Do you have to know how to program to hack?", a walk-through of some very impactful bug bounty reports, and some tips and tricks for exploit writing.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.