Security Pills - Issue 33

Release Date: 6th February 2023 | Issue: 33 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hi there 👋,Hope you had a great weekend!It's another week in the ever-evolving world of cybersecurity and boy, has it been a wild ride! This week saw two major hacks targeting two well-known protocols - Bonq ($120,000,000) and Orion ($3,000,000) - with the attackers making off with nearly $5 millions in funds 💰🌚.On top of that, a misconfiguration in a Jenkins server led to the exposure of the US government's notorious 'No Fly List'🛬. Semgrep has now added a new 'extract' mode that lets you scan Python 🐍 code in Jupyter Notebooks with ease. And last but not least, have you ever wondered how to build scalable security alert management systems that are powered by automation?. All of this and more can be found in today's newsletter, so let's dive in!

How to Categorize and Prevent Risks of Sensitive Links in URLScan #appsecResearch done by the Tinder Security Labs on searching sensitive links indexed by URLScan which could be used to gain access to corporate systems, or critical third-party services.

It is surprising to note that one of the main causes of these sensitive links being disclosed was due to misconfigurations of URLScan in API calls made through email security products.

Elevating Security Alert Management Using Automation #appsec #automationJosh Liburdi writes about the approach taken by the Brex Detection and Response Team to manage and automate security alerts at scale.. 

Detecting Malicious Packages and How They Obfuscate Their Malicious Code #appsecJFrog's Jonathan Sar Shalom's latest post in the Malicious Packages series discusses how to avoid and detect malicious packages, and the obfuscation techniques used to hide malicious code

Exploring Cosmos: A Security Primer #blockchainZellic explores Cosmos, a framework for easily creating application-specific chains that can communicate with other chains via the inter-blockchain communication (IBC) protocol.

Using MetaSleuth to Analyze a Phishing Attack #blockchainMetaSleuth, a cryptocurrency funds visualization and analysis tool built by BlockSecTeam, deep-dives into a simple approval phishing attack. The article explains how MetaSleuth can create a visual representation of all incoming and outgoing transactions to better understand the attack.

Using Semgrep with Jupyter Notebook Files #sastJose Selvi from NCC Group describes a problem he faced when scanning Python code in Jupyter Notebooks and the workaround suggested by using Semgrep's experimental 'extract' feature. This feature allows you to create a rule to extract specific content from a file format and process it as code for a different language.

Learning CodeQL #sastJoe Rozner writes on how to learn and use CodeQL to discover vulnerabilities across a codebase. The article provides different sources for learning, whether you prefer a hands-on approach or more traditional methods. It also covers the syntax and semantics of the language and how to solve problems using QL.

How to Completely Own an Airline in 3 Easy Steps #appsecMaia Arson, a Swiss hacker, found a Jenkins misconfiguration on a server run by U.S. national airline CommuteAir. The information on this server granted access to the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and 'No Fly List.'

PHP Development Server Remote Source Disclosure #appsecHarsh Jaiswal of ProjectDiscovery's writes about a security bug in PHP that could reveal the source code of PHP files as if they were static files instead of executing them properly. The issue was fixed in PHP 7.4.22, but instances still using vulnerable versions can be found using Shodan. The simplicity of this vulnerability is stunning, and makes one wonder how many attacks have gone unnoticed in the past. A must-read article.

RCE in Avaya Aura Device Services. #appsecDylan Pindur of Assetnote as discovered a reflected pre-authenticated XSS and a remote code execution vulnerability in the Avaya Aura Device Services component of the Avaya Aura platform, a software used to manage IP phones.

postMessage DOM XSS Vulnerability in Gartner Peer Insights Widget #appsecA journey into the Gartner Peer Insights Widget and the vulnerability in it that made many websites susceptible to DOM XSS through Window.postMessage().

Balancer's Bountiful Merkle Orchard #blockchainRiptide reflects on what makes a bug bounty program good or bad before delving into a logic error in the Merkle Orchard contract for the Balancer protocol, which earned him a 50 ETH bounty.

Breaking the Tree: Violating Invariants in Semaphore #blockchainVeridise explores contract invariants and their importance in checking code for bugs, particularly for ensuring the reliability and stability of smart contracts.

Taking a Closer Look at Orion Protocol Hack #blockchainOrion Protocol suffered a reentrancy attack, leading to a loss of approximately $3,000,000 in ETH and BSC.

Bonq Protocol Got Bonked for $120M #blockchainThe Bonq protocol was targeted in a price manipulation attack, where the attacker was able to manually update the Tellor price feed of WALBT collateral by staking only ~$175 in TRB tokens. Although losses were reported to be up to $120 million, the attacker only managed to exchange the stolen funds for around $1.7 million in ETH and DAI due to low liquidity

ZeroValidation: Admin Forgery in LayerZero #blockchainJames Prestwich describes two critical vulnerabilities found in LayerZero contracts, which could be used to exploit user applications by passing arbitrary messages to the application without Relater or Oracle sign-off. These issues have been found actively exploited in the wild.

Breaking Docker Named Pipes SYSTEMatically #containersEviatar Gerzi from CyberArk noticed that some of the Docker processes used by Docker Desktop for Windows were privileged.  Some of these processes used named pipes for communication, and one of them was used to forward low-privileged user's API calls to a privileged service.

🎥 Videos

• Till REcollapse: Fuzzing the Web for Mysterious Bugs — André Baptista examines user input validation problems, regex quirks, and how to fuzz regular expressions using a black-box approach to uncover simple, mysterious bugs, using real-world examples along the way.

• Common Zero-Knowledge Proof Vulnerabilities — Dylan Davis continues his learning journey on zero-knowledge proofs, focusing this time on common vulnerabilities in ZK programs

⌨️ Repositories / Tools

• curio — A data-first security scanner that finds risks and vulnerabilities in your code so you can protect sensitive data.

• PipeViewer — A tool that shows detailed information about named pipes in Windows.

• codeslaw — Search for verified smart contracts

• solodit — Search for Code4rena and Sherlock vulnerabilities

🎙️ Podcasts

1. Critical Thinking: A Bug Bounty Podcast Ep.4 — In this episode they continue their series on the H1-407 HackerOne Live Hacking Event with SpaceRaccoon as special guest talking about techniques and takeaways from the event.

📖 Writeups

• Understanding the Heap — jackfromeast writes about the dynamic memory allocator, also known as 'heap', using the ptmalloc function to illustrate this beautiful mess. A really deep-dive into the virtual memory space of a process and a great writeup to refresh our knowledge or learn few things on how memory pools work at a low level.

• The Bug that CodeArena Missed, Twice — A vulnerability affecting Thena, an AMM exchange, where veNFT holders had their rewards frozen when trying to claim it after expiry.

• Common ZK Vulnerabilities — Shared notes from Dylan Davis containing ZK vulnerabilities explained.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews