Security Pills - Issue 32

Scaling Continuous Security, Setting Bear Traps in the Dark Forest, Exploiting Hardcoded Keys to Achieve RCE

Security Pills
January 30, 2023

Release Date: 30th January 2023 | Issue: 32 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter?
Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.
If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there,
I hope you are doing great and had a fantastic weekend!

You may have noticed that the news about blockchain hacks this week was relatively low, with only a few incidents of minor price oracle and reward manipulation bugs resulting in stolen funds under $100,000. However, our coverage this week includes an analysis of the Thoreum exploit (~$700,000 💸), and an in-depth examination of the 0xbaDc0dE MEV bot (~$1.5 millions 🔥💰).

As our newsletter continues to grow, we remain comitted to providing valuable and informative content to our audience. With a focus on application security and blockchain, our aim is to bring you research-backed articles that are both engaging and informative

I'm incredible excited to share the articles in this issue with you. To get the full experience, I recommend taking the time to read through each piece. So sit back, grab a cup of coffee ☕, and dive into this week's content!

Thank you for your continued support! 🙏

Articles: Scaling Continuous Security at Revolut, Testing SAML Security with DAST, Threat and Vulnerability Hunting with Application Server Error Logs, Tampering User Attributes in AWS Cognito User Pools, Solana Formal Verification: A Case Study, MEV: How Flashboys Became Flashbots, Setting Bear Traps in the Dark Forest, Securing Web3 Through Proactive Threat Prevention.
Vulnerabilities & Bug Bounties: Ransacking Your Password Reset Tokens, Exploiting Hardcoded Keys to Achieve RCE in Yellowfin BI, OpenEMR: RCE in Your Healthcare System, Bitwarden Design Flaw: Server Side Iterations, Bridge Bugs Overview, 0xbaDc0dE MEV Bot Hack Analysis, Decoding Thoreum Finance Exploit, Pwning the all Google Phone with a non-Google Bug.
Resources:
- Repositories: pdtm, Heimdall-rs, gato, graphicator, caido
- Podcasts: Critical Thinking: A Bug Bounty Episode Ep.3, Malicious Life Ep. 204: SIM Swaps
- Writeups: DamnVulnerableDeFi ABI Smuggling Challenge, Solving ParadigmCTF's JOP
Tags used in this issue: #appsec, #blockchain, #cloudsec, #mobile

Scaling Continuous Security at Revolut #appsec
Krzysztof Pranczk writes his reflections about the challenges that the application security team at Revolut deal with. One of these challenges is to provide the highest level of security assurance for their products in a fast CI/CD environment, reason that made them build Security Drone to scan code independently of CI/CD pipelines.

Architecture of Security Drone

Testing SAML Security with DAST #appsec
Testing the security of your SAML-based single sign-on infrastructure is a vital but also difficult and tedious task. This technical post presents the basics of SAML security and shows how automated security checks can be used to scan for some of the most common SAML security issues.

Threat and Vulnerability Hunting with Application Server Error Logs #appsec
Approach used by Wix to monitor specific application runtime exceptions and use it to find exploitable vulnerabilities in production that could compromise customer's sensitive data. After using and maturing the process for more than a year, they have experienced a detection rate of 100% for vulnerability types such as XXE and SSTI, and 26% for SQL Injection attacks.

Tampering User Attributes in AWS Cognito User Pools #cloudsec
Second article from the CloudSec Tidbits blogpost series, showcasing bugs found by Doyensec during cloud security testing activities. This time, Francesco Lacerenza and Mohamed Ouad describes AWS Cognito User Pools and how App Integrations (Clients) have default read/write permissions on User Attributes, thus allowing authenticated users to edit their own attributes.

Solana Formal Verification: A Case Study #blockchain
OtterSec was recently contacted by the Squads team to explore how formal verification could be used to verify security-critical properties of Solana programs. As result, OtterSec built a working prototype to formally verify critical properties of Solana programs and ensure a higher level of security. This article shares OtterSec progress and the challenges they have encountered during the process.

MEV (Maximal Extractable Value): How Flashboys Became Flashbots #blockchain
Christine Kim presents in this report a detailed overview of MEV, how it is created and why it remains a significant issue on Ethereum with grave consequences for network stability if left unmitigated and what potential solutions have been presented by Flashbots.

Setting Bear Traps in the Dark Forest #blockchain
As Paradigm stated in its famous 'Ethereum is a dark forest' article, transactions to insecure contracts on the Ethereum blockchain can be front run by attentive parties via bots to steal funds. This article by Paul Brower details his attempt to subvert and co-opt these bots in attempt to get them send him money since these bots have no analytical thinking and are autonomous with no human interaction in the process.

Securing Web3 Through Proactive Threat Prevention #blockchain
BlockSec built IronDome in early 2022, a system that listen to the pending pool of Ethereum, detecting an attack transaction and blocking it automatically by synthesizing a rescue transaction. This approach helped them identify and prevent the Saddle Finance attack back in April 2022 rescuing $3.8 millions.

Ransacking Your Password Reset Tokens #appsec
The popular Ransack Ruby library is commonly used to implement public facing search functionalities on a website, thanks to its powerful feature set around object-based database searching in Rails applications.

However, using a powerful and complex tool for simple use cases, can lead to problems and that's precisely what was found by Lukas Euler, who discovered that the default configuration used in the Ransack library posed a major security risk which could be exploited to extract sensitive information or fully compromise the application.

Exploiting Hardcoded Keys to Achieve RCE in Yellowfin BI #appsec
Assetnote strikes back again in this article where they describe how they leveraged a number of hardcoded keys inside a Java monolith application to achieve command execution, while walking you though the entire exploit chain which goes from pre-authentication to post-authentication, and leading finally to command execution.

OpenEMR - RCE in Your Healthcare System #appsec
Sonar's Dennis Brinkrolf on several code vulnerabilities identified in OpenEMR (most popular open-source software for electronic health records and medical practice management). A combination of these vulnerabilities could allow attackers to execute arbitrary system commands on any OpenEMR server and steal sensitive patient data.

Bypassing OGNL Sandboxes for Fun and Charities #appsec
GitHub's Alvaro Munoz describes in this article how he was able to bypass certain OGNL injection protection mechanisms used by products such as Struts and Atlassian Confluence, while sharing the different approaches taken when analyzing these kinds of protections.

Bitwarden Design Flaw: Server Side Iterations #appsec
An analysis on how Bitwarden protects user's data and how server-side iterations could have been designed.

In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better.
Bitwarden increased the default client-side iterations to 350,000 a few days ago. So far this change only applies to new accounts, and it is unclear whether they plan to upgrade existing accounts automatically. And today OWASP changed their recommendation to 600,000 iterations, it has been adjusted to current hardware.

Bridge Bugs Overview #blockchain
MixBytes' Konstantin Nekrasov provides an overview of blockchain bridge hacks and discuss ways to prevent and mitigate these attacks.

0xbaDc0dE MEV Bot Hack Analysis #blockchain
Back in September, a smart contract MEV bot was hacked on the Ethereum blockchain, losing approximately $1.45 millions. The interesting part is that the hack too place few minutes after the bot pulled off a notoriously profitable arbitration for a profit of around $1 million, something you would call a particularly special hack.

Immunefi's gmhacker.eth has written an interesting analysis of this MEV Bot which did not have its contract verified and published on Etherscan. If you are interested on learning how an on-chain investigation is conducted by looking into past transactions and reading the contract's compiled bytecode, then this is your article.

Decoding Thoreum Finance Exploit #blockchain
Thoreum is a liquidity mining protocol that offers static rewards to its token holders. A vulnerability in the transfer function was exploited a week ago, causing $680,000 to get withdraw from the protocol and then transferred to Tornado Cash.

Pwning the all Google Phone with a non-Google Bug #mobile
In 2021, the first 'all Google' phone, the Pixel 6 series, made entirely by Google, was launched. However, one small GPU chip (ARM Mali GPU) was discovered vulnerable to an arbitrary kernel code execution and root privileges escalation from an Android app. This is the story of CVE-2022-38181 discovered by Man Yue Mo, and reclassified by Google as a 'Won't fix'.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee.
You can also share us with your friends and follow us on Twitter.

⌨️ Repositories

pdtm — A simple and easy-to-use golang based tool for managing open source projects from. ProjectDiscovery.
Heimdall-rs — An advanced Ethereum smart contract toolkit for forensic and heuristic analysis.
gato — Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.
graphicator — A GraphQL enumeration and extraction tool that iterates over the introspection document returned by the GraphQL endpoint, and then re-structures the schema in an internal form so it can re-create the supported queries.
caido — A lightweight web security auditing toolkit.

🎙️ Podcasts

Critical Thinking: A Bug Bounty Podcast - Ep.3 — In this episode Justin Gardner and Joel Margolis talk about some of the interesting things they’ve learned from participating in HackerOne's H1-407 Live Hacking event, among other things.
Malicious Life Ep. 204 - You Should Be Afraid of SIM Swaps — If SIM swap stories ever make the news, almost uniformly, they focus on people who lost a lot of money. But SIM swaps also take a psychological toll. Getting cut off from the grid all of a sudden, not knowing why, not being able to call for help. Even when it’s over, you never know if your attackers -- whoever they are -- will come back again.

📖 Write-ups

DamnVulnerableDeFi ABI Smuggling Challenge — Walkthrough prepared by Matias (@mattaereal) that solves one of the latest challenges (ABI Smuggling) introduced in the DamnVulnerableDefi CTF (recently released its version 3.0). The infographics that accompanies the article are super helpful and detailed.

Solving ParadigmCTF's JOP — JOP is a unique challenge published in the ParadigmCTF challenge that was not solved during the initial event. The solution provided by plotchy is an interesting approach that uses Foundry and its cheatcodes.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews