Security Pills - Issue 37

Release Date: 6th March 2023 | Issue: 37 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hi there 👋,Hope you all had a great weekend!I have made some minor changes in the structure of the newsletter that I hope eases the reading of the articles and helps you better find what's of interest to you. Whatever it takes to maintain the quality of the newsletter... even if that means spending 30 minutes deciding which emoji best fits an article, being terrible at writing tweets under 280 characters, or fine-tune GPT-3 to act as a security expert and write this Security Pills for me... The life of a newsletter operator (someone called me that) can be overwhelming and stressful 💅🏼. Just kidding!Anyways, I hope you enjoy today's issue; there are plenty of cool topics by super smart people and incredible security vulnerabilities. As we always say, grab yourself a cup of coffee, find a cozy spot, and let's get into today's newsletter! 🚀

🛠 Appsec

Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains Rebekah Houser and Daiping Liu from Unit42 discuss the unique challenges involved in detecting which subdomains of public apex domains are malicious, as traditional approaches may not work or may require adjustments. The article explores Palo Alto's approach to this problem and how it has proven effective in detecting two phishing campaigns.

The security concerns of a JavaScript sandbox with the Node.js VM moduleSnyk's Liran Tal writes about the Node.js VM module. This module is used by developers to compile and run dynamically provided code within V8 Virtual Machine contexts. Liran explores scenarios in which an attacker could provide insecure code, achieving remote code execution and putting the entire application platform at risk.

How to intercept, observe & mock WebRTC trafficHTTPToolkit's Tim Perry writes about the challenges of intercepting WebRTC traffic. WebRTC encrypts all traffic using P2P negotiated certificates for authentication, without PKI. To address this complexity, Perry introduces MockRTC, a framework that provides the necessary foundations for automatically intercepting, inspecting, and mocking WebRTC traffic, making it useful for testing, debugging, and MitM proxying. Furthermore, Perry offers a detailed explanation of WebRTC's low-level functionality and practical use cases for MockRTC.

⛓ Blockchain

Reusable properties for Ethereum contractsTrail of Bits is releasing a set of 168 pre-built properties that can be used to guide Echidna or be directly incorporated into unit tests. The goal of these properties is to detect vulnerabilities or deviations from expected results and provide guidance to developers when writing invariants.

Is There Any Wash Trading in Centralized Exchanges?X-explore discusses the lack of regulation on centralised exchanges (CEXs) and how they often engage in wash trading to inflate their trading volumes and improve their rankings. The author uses various trade volume analysis methods to identify and elaborate on the extent of fake trading volumes.

Solidity and EVM: Bit Shifting and Masking in Assembly (YUL)0xWeiss provides an introduction to bit shifting and how it is used for efficient manipulation of binary data. Using different examples, we will learn how bit shifting can be used to access or write variables that are packed and how bitmasking is used for bitwise operations.

An introduction to zero-knowledge machine learning (ZKLM)The Worldcoin team discusses how AI/ML-generated content is becoming increasingly difficult to differentiate from content created by humans. They propose utilising zero-knowledge cryptography as a means of verifying whether a given output was created by a large language model, such as ChatGPT, a text-to-image model like DALL-E 2, or any other model for which a knowledge circuit representation is available. The article also delves into potential use cases where ZKML could be used, such as fraud detection, computational integrity or ML as a Service (MLaaS), among others.

Smart Contract Obfuscation TechniquesDeGatchi writes about bytecode obfuscation, one of the many challenges he has faced while building a bytecode decoder. Degatchi provides a deep dive on different techniques to protect the logic implemented within your contract, such as packing all function locators into a single PUSH32, scrambling calldata decoders, or using address obfuscation to avoid frontrunners from cloning your contract and to deter reverse engineers from analyzing your contract's bytecode.

Cross-chain re-entrancyMateo Cesaroni explores attack vectors that may arise when multiple contracts with different instances are deployed in a cross-chain protocol. To demonstrate the risks introduced by this new paradigm, Mateo creates a cross-chain contract vulnerable to a re-entrancy attack and provides a detailed walkthrough on how to exploit and mitigate this vulnerability.

Demystifying Exploitable Bugs in Smart ContractsA research study conducted by Zhuo Zhang, Brian Zhang, Wen Xu, and Zhiqiang Lin to investigate 516 unique smart contract vulnerabilities and determine how many of these vulnerabilities go unnoticed by existing analysis tools. The study categorises these bugs into seven types based on their root causes, complexities, and potential mitigations. The paper also provides a bug model designed to facilitate the discovery of these vulnerabilities and enable their potential automation.

🤖 Machine Learning

AI applications open new security vulnerabilitiesTaimur Ijlal discusses the challenges associated with securing AI and machine learning systems in sensitive industries. Because these systems often have access to sensitive training data, they are attractive targets for attackers. As a result, a new type of attack is emerging that specifically targets the workings of machine learning applications. Taimur explores some of the most common attacks, such as inference, evasion, and poisoning, and offers insights into how we can strengthen our machine learning applications to better defend against them.

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems)Knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups.

🛠 Appsec

A New Vector For “Dirty” Arbitrary File Write to RCEDoyensec's Maxence Schmitt and Lorenzo Stella explore a new uWSGI-based technique to escalate from arbitrary file write (AFW) vulnerabilities in application uploads to remote code execution (RCE). In this technique, the researchers abuse a lax parsing of configuration files (.ini) by crafting a polymorphic, syntactically valid PDF file containing a valid multi-lined .ini configuration file. Using the exec uWSGI scheme to read from a process's standard output, the researchers were able to weaponize a .ini configuration file and achieve remote command execution.

Gitpod remote code execution 0-day vulnerability via WebSocketsSnyk's Elliot Ward has written about a research project conducted on Gitpod, a cloud-based development environment (CDE). The research uncovered a vulnerability that allowed for a full workspace takeover on the Gitpod platform which could then be extended to the user's source code management (SCM) account. Using a combination of different JSONRPC methods, Elliot was able to create a payload which granted him complete control over a user's workspace when the user visited a particular link

Empowering weak primitives: file truncation to code execution with GitSonarSource Thomas Chauchefoin discovered a clever technique to truncate files in a GitHub repository, which can lead to Remote Code Execution (RCE) via the 'git blame' command. In this article, Thomas will walk us through this technique and demonstrate how it can be successfully exploited using a vulnerable challenge.

Traveling with OAuth - Account Takeover on Booking.comSalt Labs' Aviad Carmel describes how he was able to take over any account on Booking.com that was authenticated via Facebook. The attack involved chaining together three different vulnerabilities (path manipulation, open redirect, and control over the redirect_uri value), which allowed a malicious actor to gain total control over a victim's Booking account.

Escaping well-configured VSCode extensions (for profit)Vasco Franco from Trail of Bits completes his two-part series research on VSCode extensions by writing how he was able to run JavaScript inside a Webview and read files anywhere in the system. A vulnerability caused by differences in the URL parsing and the reliance on the browser to do path normalization. Vasco also provides some best practices to consider when handling URLs.

GitHub Security Lab audited DataHub: Here's what they foundGitHub's Alvaro Muñoz writes about a security audit performed by GitHub Security Lab on DataHub, an open-source metadata platform that facilitates data discovery, data observability, and federated governance. During the audit, several vulnerabilities were identified in the platform's authentication and authorization modules, which could have allowed an attacker to bypass authentication and access sensitive data stored on the platform.

1. 🥇DungeonSwap — The DeFi project DND Token (DungeonSwap Token) on BSC has been utilised. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.

2. 🥈LaunchZone — 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained, the price of LZ tokens fell by more than 80% from the previous value of around US$0.15 to US$0.026, and the stolen funds were about $700,000.

3. 🥉ArbiSwap — Arbitrum ecological DEX ArbiSwap is suspected of Rug Pull. ArbiSwap deployers minted 1 trillion ARBI before Rug Pull, and then converted ARBI into USDC, which caused a sharp drop in ARBI in the USDC/ARBI transaction pair. In the next block, the robot passed USDC to ARBI then traded ETH for spatial arbitrage, making a profit of 68.47 ETH. ArbiSwap has transferred 84 ETH to the Ethereum mainnet and sent it to TornadoCash.

🎥 Videos

• Securely building and verifying Merkle Trees with Solidity and JS — Ernesto Garcia from OpenZeppelin conducted a workshop on the new library published by OpenZeppelin for verifying and building Merkle trees in Javascript.

• A Deep Dive on StarkNet with Henri Liuetad — Introduction into building on StarkNet. Henri Liuetad talks about StarkNet account model and runtime environment, the evolution of Cairo and Cairo 1.0, and the future of applications that might use StarkNet for privacy preserving applications. 

• VPNs, Proxies and Secure Tunnels Explained — Another video in the series where LiveOverflow tries to explain terms that sounded confusing to him when he started out.

⌨️ Repositories/Tools

• 0xJCN/Ethernaut-CTF — Ethernaut CTF solutions with Ape, Vyper and huff.

• pcaversaccio/Ethereum-Security — A curated list of Ethereum security references, guidance, tools, and more.

• Decompile.tools — Ape Dev has built this tool that allows you to decompile any smart contract using heimdall-rs by Jon Becker.

• jtriley-eth/counter-exploit-toolkit A contract that contains all the logic needed for an upgradeable poxy-based counter exploit.

• fcavallarin/burp-dom-scanner — Burp Suite's extension to scan and crawl Single Page Applications, it can also forward all the requests collected to Burp's Proxy, Repeater and Intruder.

📖 Writeups

• EKO2022 Enter the metaverse CTF Challenge 2: Metaverse Supermarket — Emanuele Ricci provides a detailed walkthrough to solve the Metaverse Supermarket challenge from the EKO2022 CTF. A challenge about oracle price manipulation and bad practices when implementing signature checks.

• EIP-4337 - Ethereum Account Abstraction Incremental Audit — OpenZeppelin has audited the EIP-4337 specification which adds account abstraction functionality to the Ethereum mainnet without modifying the consensus rules.

• yAcademy Proxies Research — A research effort led by engn33r and devtooligan that compiles proxy knowledge with the goal of improving the correctness of proxy implementations and providing a useful resource for security reviews of proxy contracts

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews