Security Pills - Issue 37

Reusable properties for Ethereum contracts, GitHub Security Lab audited DataHub, Demystifying Exploitable Bugs in Smart Contracts

Release Date: 6th March 2023 | Issue: 37 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

SponsorThe compliance automation tool that's making audits fun

Did you know that on average, GRC and IT teams are spending 4,300 hours on compliance tasks per year? Slash the time and resources you're spending achieving and maintaining compliance with G2's highest-rated cloud compliance platform.

Automated evidence collection, 24/7 control monitoring, and an auditor-built collaboration hub are just a few reasons why companies like Lemonade, Notion, and Postman trust Drata as their compliance partner.

Drata's robust risk management solution, pre-mapped controls, and automated compliance for 14+ frameworks will help you centralize your compliance program and reduce endless back and forth with your auditor and team. Book a demo to start streamlining your auditsβ€”and even make them fun… according to customer reviews.

Hi there πŸ‘‹,Hope you all had a great weekend!I have made some minor changes in the structure of the newsletter that I hope eases the reading of the articles and helps you better find what's of interest to you. Whatever it takes to maintain the quality of the newsletter... even if that means spending 30 minutes deciding which emoji best fits an article, being terrible at writing tweets under 280 characters, or fine-tune GPT-3 to act as a security expert and write this Security Pills for me... The life of a newsletter operator (someone called me that) can be overwhelming and stressful πŸ’…πŸΌ. Just kidding!Anyways, I hope you enjoy today's issue; there are plenty of cool topics by super smart people and incredible security vulnerabilities. As we always say, grab yourself a cup of coffee, find a cozy spot, and let's get into today's newsletter! πŸš€

  • πŸ”–Articles 

    • πŸ›  Appsec:  

      • Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains | The security concerns of a JS sandbox with the Node.js Vm module | How to intercept, observe & mock WebRTC traffic

    • β›“ Blockchain:  

      • Reusable properties for Ethereum contracts | Is there Any Wash Trading in Centralized Exchanges? | Solidity and EVM: Bit Shifting and Masking in Assembly | An introduction to zero-knowledge machine learning (ZKLM) | Smart Contract Obfuscation Techniques | Cross-chain re-entrancy | Demystifying Exploitable Bugs in Smart Contacts

    • πŸ€– Machine Learning:

      • AI applications open new security vulnerabilities | Mitre - Atlas Case Studies

  • πŸ› Vulnerabilities and Bug Bounties  

    • πŸ›  Appsec:  

      • Gitpod RCE 0-day vulnerability via WebSockets | A New Vector for "Dirty" Arbitrary File Write to RCE | Empowering weak primitives: file truncations to code execution with Git | Traveling with OAuth - ATO on Booking.com | Escaping well-configured VSCode extensions | GitHub Security Lab audited DataHub

  • πŸ† Rekt Leaderboard: 

    • πŸ₯‡DungeonSwap | πŸ₯ˆLaunchZone | πŸ₯‰Arbiswap

  • Resources:

    • πŸŽ₯ Videos:

      • Securely building and verifying Merkle Trees with Solidity and JS | A Deep Dive on StarkNet with Henri Liuetad | VPNs, Proxies, and Secure Tunnels Explained

    • ⌨️ Repositories/Tools:

      • Ethernaut-CTF | Ethereum-Security | Decompile.tools | counter-exploit-toolkit | burp-dom-scanner

    • πŸ“– Writeups:

      • EKO2022 CTF Challenge 2: Metaverse Supermarket | EIP-4337 - Ethereum Account Abstraction Incremental Audit | yAcademy Proxies Research

πŸ›  Appsec

Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains Rebekah Houser and Daiping Liu from Unit42 discuss the unique challenges involved in detecting which subdomains of public apex domains are malicious, as traditional approaches may not work or may require adjustments. The article explores Palo Alto's approach to this problem and how it has proven effective in detecting two phishing campaigns.

The security concerns of a JavaScript sandbox with the Node.js VM moduleSnyk's Liran Tal writes about the Node.js VM module. This module is used by developers to compile and run dynamically provided code within V8 Virtual Machine contexts. Liran explores scenarios in which an attacker could provide insecure code, achieving remote code execution and putting the entire application platform at risk.

How to intercept, observe & mock WebRTC trafficHTTPToolkit's Tim Perry writes about the challenges of intercepting WebRTC traffic. WebRTC encrypts all traffic using P2P negotiated certificates for authentication, without PKI. To address this complexity, Perry introduces MockRTC, a framework that provides the necessary foundations for automatically intercepting, inspecting, and mocking WebRTC traffic, making it useful for testing, debugging, and MitM proxying. Furthermore, Perry offers a detailed explanation of WebRTC's low-level functionality and practical use cases for MockRTC.

β›“ Blockchain

Reusable properties for Ethereum contractsTrail of Bits is releasing a set of 168 pre-built properties that can be used to guide Echidna or be directly incorporated into unit tests. The goal of these properties is to detect vulnerabilities or deviations from expected results and provide guidance to developers when writing invariants.

Is There Any Wash Trading in Centralized Exchanges?X-explore discusses the lack of regulation on centralised exchanges (CEXs) and how they often engage in wash trading to inflate their trading volumes and improve their rankings. The author uses various trade volume analysis methods to identify and elaborate on the extent of fake trading volumes.

Screenshot 2023-03-04 at 12 43 54

Solidity and EVM: Bit Shifting and Masking in Assembly (YUL)0xWeiss provides an introduction to bit shifting and how it is used for efficient manipulation of binary data. Using different examples, we will learn how bit shifting can be used to access or write variables that are packed and how bitmasking is used for bitwise operations.

An introduction to zero-knowledge machine learning (ZKLM)The Worldcoin team discusses how AI/ML-generated content is becoming increasingly difficult to differentiate from content created by humans. They propose utilising zero-knowledge cryptography as a means of verifying whether a given output was created by a large language model, such as ChatGPT, a text-to-image model like DALL-E 2, or any other model for which a knowledge circuit representation is available. The article also delves into potential use cases where ZKML could be used, such as fraud detection, computational integrity or ML as a Service (MLaaS), among others.

Smart Contract Obfuscation TechniquesDeGatchi writes about bytecode obfuscation, one of the many challenges he has faced while building a bytecode decoder. Degatchi provides a deep dive on different techniques to protect the logic implemented within your contract, such as packing all function locators into a single PUSH32, scrambling calldata decoders, or using address obfuscation to avoid frontrunners from cloning your contract and to deter reverse engineers from analyzing your contract's bytecode.

Cross-chain re-entrancyMateo Cesaroni explores attack vectors that may arise when multiple contracts with different instances are deployed in a cross-chain protocol. To demonstrate the risks introduced by this new paradigm, Mateo creates a cross-chain contract vulnerable to a re-entrancy attack and provides a detailed walkthrough on how to exploit and mitigate this vulnerability.

Demystifying Exploitable Bugs in Smart ContractsA research study conducted by Zhuo Zhang, Brian Zhang, Wen Xu, and Zhiqiang Lin to investigate 516 unique smart contract vulnerabilities and determine how many of these vulnerabilities go unnoticed by existing analysis tools. The study categorises these bugs into seven types based on their root causes, complexities, and potential mitigations. The paper also provides a bug model designed to facilitate the discovery of these vulnerabilities and enable their potential automation.

πŸ€– Machine Learning

AI applications open new security vulnerabilitiesTaimur Ijlal discusses the challenges associated with securing AI and machine learning systems in sensitive industries. Because these systems often have access to sensitive training data, they are attractive targets for attackers. As a result, a new type of attack is emerging that specifically targets the workings of machine learning applications. Taimur explores some of the most common attacks, such as inference, evasion, and poisoning, and offers insights into how we can strengthen our machine learning applications to better defend against them.

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems)Knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups.

πŸ›  Appsec

A New Vector For β€œDirty” Arbitrary File Write to RCEDoyensec's Maxence Schmitt and Lorenzo Stella explore a new uWSGI-based technique to escalate from arbitrary file write (AFW) vulnerabilities in application uploads to remote code execution (RCE). In this technique, the researchers abuse a lax parsing of configuration files (.ini) by crafting a polymorphic, syntactically valid PDF file containing a valid multi-lined .ini configuration file. Using the exec uWSGI scheme to read from a process's standard output, the researchers were able to weaponize a .ini configuration file and achieve remote command execution.

Gitpod remote code execution 0-day vulnerability via WebSocketsSnyk's Elliot Ward has written about a research project conducted on Gitpod, a cloud-based development environment (CDE). The research uncovered a vulnerability that allowed for a full workspace takeover on the Gitpod platform which could then be extended to the user's source code management (SCM) account. Using a combination of different JSONRPC methods, Elliot was able to create a payload which granted him complete control over a user's workspace when the user visited a particular link

Empowering weak primitives: file truncation to code execution with GitSonarSource Thomas Chauchefoin discovered a clever technique to truncate files in a GitHub repository, which can lead to Remote Code Execution (RCE) via the 'git blame' command. In this article, Thomas will walk us through this technique and demonstrate how it can be successfully exploited using a vulnerable challenge.

Traveling with OAuth - Account Takeover on Booking.comSalt Labs' Aviad Carmel describes how he was able to take over any account on Booking.com that was authenticated via Facebook. The attack involved chaining together three different vulnerabilities (path manipulation, open redirect, and control over the redirect_uri value), which allowed a malicious actor to gain total control over a victim's Booking account.

Escaping well-configured VSCode extensions (for profit)Vasco Franco from Trail of Bits completes his two-part series research on VSCode extensions by writing how he was able to run JavaScript inside a Webview and read files anywhere in the system. A vulnerability caused by differences in the URL parsing and the reliance on the browser to do path normalization. Vasco also provides some best practices to consider when handling URLs.

GitHub Security Lab audited DataHub: Here's what they foundGitHub's Alvaro MuΓ±oz writes about a security audit performed by GitHub Security Lab on DataHub, an open-source metadata platform that facilitates data discovery, data observability, and federated governance. During the audit, several vulnerabilities were identified in the platform's authentication and authorization modules, which could have allowed an attacker to bypass authentication and access sensitive data stored on the platform.

Sponsor

Sym: Just-in-Time Access to Protect Cloud Infrastructure

Least privilege in the cloud is hard, but it can be made tractable by taking a risk-based approach. Consider an attacker who obtained one of your developer’s credentials; what access would they have? By adding a temporal dimension to developer access policies, the attack surface for many security-breach scenarios can be significantly reduced. That’s where just-in-time access comes in.

  1. πŸ₯‡DungeonSwap β€” The DeFi project DND Token (DungeonSwap Token) on BSC has been utilised. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.

  2. πŸ₯ˆLaunchZone β€” 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained, the price of LZ tokens fell by more than 80% from the previous value of around US$0.15 to US$0.026, and the stolen funds were about $700,000.

  3. πŸ₯‰ArbiSwap β€” Arbitrum ecological DEX ArbiSwap is suspected of Rug Pull. ArbiSwap deployers minted 1 trillion ARBI before Rug Pull, and then converted ARBI into USDC, which caused a sharp drop in ARBI in the USDC/ARBI transaction pair. In the next block, the robot passed USDC to ARBI then traded ETH for spatial arbitrage, making a profit of 68.47 ETH. ArbiSwap has transferred 84 ETH to the Ethereum mainnet and sent it to TornadoCash.

πŸŽ₯ Videos

⌨️ Repositories/Tools

πŸ“– Writeups

πŸ“§ Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews