Security Pills - Issue 33
Learning CodeQL, Bonq Protocol Got Bonked for $120M, Breaking Docker Named Pipes SYSTEMatically
Release Date: 6th February 2023 | Issue: 33 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
The compliance automation tool that's making audits fun.
Did you know that on average, GRC and IT teams are spending 4,300 hours on compliance tasks per year? Slash the time and resources you're spending achieving and maintaining compliance with G2's highest-rated cloud compliance platform.
Automated evidence collection, 24/7 control monitoring, and an auditor-built collaboration hub are just a few reasons why companies like Lemonade, Notion, and Postman trust Drata as their compliance partner.
Drata's robust risk management solution, pre-mapped controls, and automated compliance for 14+ frameworks will help you centralize your compliance program and reduce endless back and forth with your auditor and team. Book a demo to start streamlining your audits—and even make them fun… according to customer reviews.
Hi there 👋,
Hope you had a great weekend!
It's another week in the ever-evolving world of cybersecurity and boy, has it been a wild ride! This week saw two major hacks targeting two well-known protocols - Bonq ($120,000,000) and Orion ($3,000,000) - with the attackers making off with nearly $5 millions in funds 💰🌚.
On top of that, a misconfiguration in a Jenkins server led to the exposure of the US government's notorious 'No Fly List'🛬. Semgrep has now added a new 'extract' mode that lets you scan Python 🐍 code in Jupyter Notebooks with ease. And last but not least, have you ever wondered how to build scalable security alert management systems that are powered by automation?.
All of this and more can be found in today's newsletter, so let's dive in!
- Articles: How to Categorize and Prevent Risks of Sensitive Links in URLScan, Elevating Security Alert Management Using Automation, Detecting Malicious Packages and How They Obfuscate Their Malicious Code, Exploring Cosmos: A Security Primer, Using MetaSleuth to Analyze a Phishing Attack, Using Semgrep with Jupyter Notebook Files, Learning CodeQL.
- Vulnerabilities & Bug Bounties: How to Completely Own an Airline in 3 Easy Steps, PHP Development Server Remote Source Disclosure, RCE in Avaya Aura Device Services, postMessage DOM XSS Vulnerability in Gartner Peer Insights Widget, Balancer's Bountiful Merkle Orchard, Breaking the Tree: Violating Invariants in Semaphore, Taking a Closer Look at Orion Protocol Hack, Bonq Protocol Got Bonked for $120M, ZeroValidation: Admin Forgery in LayerZero, Breaking Docker Named Pipes SYSTEMatically.
- Videos: TIll REcollapse: Fuzzing the Web for Mysterious Bugs, Common-Zero-Knowledge Proof Vulnerabilities.
- Repositories: curio, PipeViewer, codeslaw, solodit
- Podcasts: Critical Thinking Episode 4
- Writeups: Understanding the Heap, The Bug that CodeArena Missed Twice, Common ZK Vulnerabilities.
- Tags used in this issue: #appsec, #automation, #blockchain, #containers, #sast
How to Categorize and Prevent Risks of Sensitive Links in URLScan #appsec
Research done by the Tinder Security Labs on searching sensitive links indexed by URLScan which could be used to gain access to corporate systems, or critical third-party services.
It is surprising to note that one of the main causes of these sensitive links being disclosed was due to misconfigurations of URLScan in API calls made through email security products.
Elevating Security Alert Management Using Automation #appsec #automation
Josh Liburdi writes about the approach taken by the Brex Detection and Response Team to manage and automate security alerts at scale..
Detecting Malicious Packages and How They Obfuscate Their Malicious Code #appsec
JFrog's Jonathan Sar Shalom's latest post in the Malicious Packages series discusses how to avoid and detect malicious packages, and the obfuscation techniques used to hide malicious code
Using homoglyph characters to hide malicious code. For example, an attacker might change a string literal check or a function call to make it always succeed or fail invisibly by changing one of the string’s characters to a homoglyph.
Exploring Cosmos: A Security Primer #blockchain
Zellic explores Cosmos, a framework for easily creating application-specific chains that can communicate with other chains via the inter-blockchain communication (IBC) protocol.
Using MetaSleuth to Analyze a Phishing Attack #blockchain
MetaSleuth, a cryptocurrency funds visualization and analysis tool built by BlockSecTeam, deep-dives into a simple approval phishing attack. The article explains how MetaSleuth can create a visual representation of all incoming and outgoing transactions to better understand the attack.
Using Semgrep with Jupyter Notebook Files #sast
Jose Selvi from NCC Group describes a problem he faced when scanning Python code in Jupyter Notebooks and the workaround suggested by using Semgrep's experimental 'extract' feature. This feature allows you to create a rule to extract specific content from a file format and process it as code for a different language.
Learning CodeQL #sast
Joe Rozner writes on how to learn and use CodeQL to discover vulnerabilities across a codebase. The article provides different sources for learning, whether you prefer a hands-on approach or more traditional methods. It also covers the syntax and semantics of the language and how to solve problems using QL.
How to Completely Own an Airline in 3 Easy Steps #appsec
Maia Arson, a Swiss hacker, found a Jenkins misconfiguration on a server run by U.S. national airline CommuteAir. The information on this server granted access to the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and 'No Fly List.'
PHP Development Server Remote Source Disclosure #appsec
Harsh Jaiswal of ProjectDiscovery's writes about a security bug in PHP that could reveal the source code of PHP files as if they were static files instead of executing them properly. The issue was fixed in PHP 7.4.22, but instances still using vulnerable versions can be found using Shodan.
The simplicity of this vulnerability is stunning, and makes one wonder how many attacks have gone unnoticed in the past. A must-read article.
RCE in Avaya Aura Device Services. #appsec
Dylan Pindur of Assetnote as discovered a reflected pre-authenticated XSS and a remote code execution vulnerability in the Avaya Aura Device Services component of the Avaya Aura platform, a software used to manage IP phones.
postMessage DOM XSS Vulnerability in Gartner Peer Insights Widget #appsec
A journey into the Gartner Peer Insights Widget and the vulnerability in it that made many websites susceptible to DOM XSS through Window.postMessage().
Balancer's Bountiful Merkle Orchard #blockchain
Riptide reflects on what makes a bug bounty program good or bad before delving into a logic error in the Merkle Orchard contract for the Balancer protocol, which earned him a 50 ETH bounty.
Breaking the Tree: Violating Invariants in Semaphore #blockchain
Veridise explores contract invariants and their importance in checking code for bugs, particularly for ensuring the reliability and stability of smart contracts.
Taking a Closer Look at Orion Protocol Hack #blockchain
Orion Protocol suffered a reentrancy attack, leading to a loss of approximately $3,000,000 in ETH and BSC.
Bonq Protocol Got Bonked for $120M #blockchain
The Bonq protocol was targeted in a price manipulation attack, where the attacker was able to manually update the Tellor price feed of WALBT collateral by staking only ~$175 in TRB tokens. Although losses were reported to be up to $120 million, the attacker only managed to exchange the stolen funds for around $1.7 million in ETH and DAI due to low liquidity
ZeroValidation: Admin Forgery in LayerZero #blockchain
James Prestwich describes two critical vulnerabilities found in LayerZero contracts, which could be used to exploit user applications by passing arbitrary messages to the application without Relater or Oracle sign-off. These issues have been found actively exploited in the wild.
Breaking Docker Named Pipes SYSTEMatically #containers
Eviatar Gerzi from CyberArk noticed that some of the Docker processes used by Docker Desktop for Windows were privileged. Some of these processes used named pipes for communication, and one of them was used to forward low-privileged user's API calls to a privileged service.
🙏 Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition.
You can also share us with your friends and follow us on Twitter.
- Till REcollapse: Fuzzing the Web for Mysterious Bugs — André Baptista examines user input validation problems, regex quirks, and how to fuzz regular expressions using a black-box approach to uncover simple, mysterious bugs, using real-world examples along the way.
- Common Zero-Knowledge Proof Vulnerabilities — Dylan Davis continues his learning journey on zero-knowledge proofs, focusing this time on common vulnerabilities in ZK programs
⌨️ Repositories / Tools
- curio — A data-first security scanner that finds risks and vulnerabilities in your code so you can protect sensitive data.
- PipeViewer — A tool that shows detailed information about named pipes in Windows.
- codeslaw — Search for verified smart contracts
- solodit — Search for Code4rena and Sherlock vulnerabilities
- Critical Thinking: A Bug Bounty Podcast Ep.4 — In this episode they continue their series on the H1-407 HackerOne Live Hacking Event with SpaceRaccoon as special guest talking about techniques and takeaways from the event.
- Understanding the Heap — jackfromeast writes about the dynamic memory allocator, also known as 'heap', using the ptmalloc function to illustrate this beautiful mess. A really deep-dive into the virtual memory space of a process and a great writeup to refresh our knowledge or learn few things on how memory pools work at a low level.
- The Bug that CodeArena Missed, Twice — A vulnerability affecting Thena, an AMM exchange, where veNFT holders had their rewards frozen when trying to claim it after expiry.
- Common ZK Vulnerabilities — Shared notes from Dylan Davis containing ZK vulnerabilities explained.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.
@0xroot | @secpillsnews
How did you like this issue of Security Pills?
1 = Didn't enjoy it all // 5 = Really enjoyed it