Security Pills - Issue 38

Release Date: 13th March 2023 | Issue: 38 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hi there 👋,Hope you all had a great weekend!It's been quiet over here as I finish up some work before enjoying my vacation in 🇯🇵.There are many interesting research articles this week. I've noticed that Yul and Huff are becoming popular trends in the blockchain space, which is not surprising considering the growing interest in reverse engineering smart contracts. It will be interesting to see if this leads to new job opportunities in the coming months.

Don't forget to check our resource section, the videos for ETHDenver, ETHGathering, and Troopers have been released, with fascinating appsec and blockchain security-related talks. I highly recommend watching them!

As always, if you haven't already, make yourself a cup of coffee, find a cozy spot, and let's get into this week's newsletter! 🚀

🛠 Appsec

OWASP Low-Code/No-Code Top 10Michael Bargury, Ory Segal and Don Willits have prepared a document that details the most prominent security risks targeting Low-Code/No-Code applications, the challenges involved, and how to overcome them:

The dangers of setattr: Avoiding Mass Assignment vulnerabilities in PythonJack Hair from Snyk has examined the potential risks associated with Python's setattr() function, which may lead to mass assignment vulnerabilities and result in undesired application behaviour or a denial of service. This vulnerability was the cause of the authentication vulnerability on GitHub, where a user added their public key to the Rails organization's GitHub and then pushed a new commit to demonstrate the vulnerability.

In this article, Jack provides some strategies to mitigate this type of issue such as validating user input or creating Data Transfer Objects (DTOs) to separate objects containing user input from those responsible for the internal application logic.

New headless Chrome has been released and has a near-perfect browser fingerprintAntoine Vastel from DataDome has analyzed the latest headless Chrome release and its potential effects on bot detection engines, particularly those relying on browser fingerprint signals. He compares the fingerprints of the new and old versions of headless Chrome, highlighting differences that malicious actors may exploit.

Passive Takeover - Uncovering an expensive subdomain takeover campaignKieran investigates an expensive subdomain takeover campaign that targeted around 650 IPs running in AWS Elastic IP address space. What makes this campaign unusual is that EC2 IP addresses are randomly assigned, making it an inefficient and expensive process to spin EC2 instances until hitting the jackpot. Intrigued by how successful a campaign like this would be, Kieran emulated the actor's operation by launching his own passive takeover attack using a less expensive and more effective approach. The results of his experiment underscored the risk of cloud development and the importance of tracking dangling assets.

⛓ Blockchain

Overview of the Inflation AttackMixBytes' Konstantin Nekrasov delves into the inflation attack, a widespread problem that targets the ERC-4626 standard. In this attack, bad actors can manipulate empty ERC-4626 vaults to inflate the price of a share and cause depositors to lose their deposits due to rounding in favor of the vault. To demonstrate this vulnerability, Konstantin analyses different examples while discussing some approaches to mitigate this issue.

EVM Part I: The ABCs of Ethereum Virtual MachineZaryab Afser provides a detailed walkthrough insights into the architecture and core components of the Ethereum Virtual Machine (EVM), as well as its internal workings. The article is a useful resource for those seeking to gain a better understanding of the EVM's technical aspects.

Understanding the Impact of Airdrops on NFT Marketplace PerformanceThe NFT marketplace has experienced a series of airdrops over the past year, but the success of these airdrops has been called into question. Upon closer examination of a few collections, it was revealed that major sell-offs occurred after the airdrop and user activity decreased significantly. In some cases, a small group manipulated overall hype and volume. An interesting analysis of the history of airdrops and their impact on marketplace performance.

🧰 SAST

Practical Introduction to CodeQLJorge Rosillo breaks down the fundamental concepts of CodeQL and explains how to develop queries for detecting regular expressions and LDAP injections.

Under the hood of SAST: how code analysis tools look for security flawsPVS Studio's Sergey Vasiliev provides an overview of how SAST tools process source code internally, as well as some techniques used to achieve better code coverage and identify vulnerabilities.

A Deeper Look at Modern SAST ToolsJoe Rozner writes some thoughts on why CodeQL and Semgrep should be seen as complementary tools, despite being quite different from each other. Joe outlines some of the similarities and differences between each tool, showing where their strengths and weaknesses lie.

🛠 Appsec

Abusing Hop-by-Hop Header to Chain a CRLF Injection VulnerabilitySimon Bräuer explores a Carriage Return and Line Feed (CRLF) vulnerability in the Location header of an HTTP response. This vulnerability could be used to perform an open redirect or set certain cookies. However, as Simon points out, it is necessary to remove the Location header to control the body of the HTTP response. By setting the hop-by-hop header Connection in the response to Connection: Location, close he indicates to the proxy to remove the Location header from the request before passing it on. Simon exploits this vulnerability by chaining it with a simple XSS and forcing the client to consume the response.

CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCEResearchers from Aqua Nautilus have discovered a chain of vulnerabilities, which could allow an unauthenticated attacker to execute arbitrary code on a Jenkins server, leading to a complete compromise of the server and its underlying infrastructure. The vulnerabilities could be exploited even if the server is not directly reachable by attackers, affecting also self-hosted Jenkins instances.

EJS - Server Side Prototype Pollution gadgets to RCEKevin Mizu conducted a research on NodeJS templating libraries and discovered how a Server Side Prototype Pollution vulnerability in the EJS library could be turned into a RCE.

⛓Blockchain

How Your NFTs Could Have Been Stolen in Just One ClickPermasecure's Eduardo Nuri explains how a feature in NFTs that allows the creation of dynamic NFTs with Javascript could be exploited by attackers to steal all of a user's assets with a single click. The attack vector is quite interesting:

• Despite documentation stating otherwise, an attacker could invoke the Chrome wallet extension from an iframe element by using the sandbox='allow-scripts' feature.

• The wallet utilised a postMessage listener to receive messages and prompt the user to sign a specific message.

• The postMessage event generated from the malicious iframe showed the original top domain rather than the malicious one.

• By exploiting these misconfigurations, an attacker could trick a user into signing a malicious message to obtain a valid JWT bearer token, ultimately leading to a takeover of the user's account in just one click.

Algorand Thefts - Preliminary Advisory ReportAn update on the hack that is affecting Algorand and has caused the loss of at least $9.2 million worth of assets. The causes are still unclear, but the team is considering two scenarios as the most probable:

• Individuals affected had their seed phrase compromised through social engineering or phishing.

• A compromise in MyAlgo.com led to the targeted exfiltration of unencrypted private keys.

1. 🥇TenderFi — A decimal error caused the contract to return the price of GMX with 38 decimal places instead of 18. This misstatement of the price of GMX allowed the borrower to use 1 GMX as sufficient collateral to borrow $1.59 million worth of assets. The Tender offered a bounty to the borrower, who returned the funds minus a bounty of ~62 ETH.

2. 🥈Hedera — Attackers exploited the smart contract service code of the Hedera mainnet to transfer Hedera Token Service tokens held by victim's accounts to their account. The attacker’s alleged addresses contain a total of around $515k worth of assets.

3. 🥉Phoenix — On March 7th a reflection attack was exploited on Phoenix Finance causing a loss of 100k USDC

🎥 Videos

• $100,000 in Bug Bounty by learning smart contract auditing from Code4rena reports — Patrick Ventuzelo reviews the paper 'Demystifying Exploitable Bugs in Smart Contracts" and shares his thoughts on the methodology developed by the researchers.

• ETHDenver 2023 and ETHGathering talks were published

• WEareTROOPERS 2022 —The final batch of videos have been released, a total of 33 talks divided into four tracks. Here are few offensive and defensive related ones

⌨️ Repositories/Tools

• Philogy/sussy-huff-ctf — CTF challenge built by Philippe Dumonet. A simple but vulnerable on-chain order-book DEX using Huff.

• zkoranges/zkPoEX — zkPoEX allows auditors to safely generate a zero-knowledge proof of exploit without revealing the actual exploit, so auditors can prove that they know of a transaction that can produce an undesirable change of state in certain contracts, without revealing the specifics of the exploit.

• Bearer/bearer — Bearer is a static application security testing (SAST) tool that scans your source code and analyzes your data flows to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).

📖 Writeups

• Solving the Ethernaut with Yul — teddav deeps dive into advanced assembly techniques to solve the Ethenaut challenges from OpenZeppelin while using Yul and Foundry. The article is meant to be read along with the solutions provided in the Ethernaut-yul repository.

• Playing with Yul (Assembly) — teddav writes an entire contract using Yul while explaining how the EVM works at a low level ('free memory pointer', mappings and non-value types).

• Coinbase CTF for ETHDenver 2023 Riddle Bounty — Walkthrough provided by Emanuele Ricci. A CTF focused on hashing functions and best practices on how signatures should be implemented in a smart contract.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews