Security Pills
Posts
Security Pills - Issue 39

Security Pills - Issue 39

Heuristics for smart contracts, Abusing HTTP Hop-by-hop headers, Bitcoin Address Clustering

March 20, 2023

Release Date: 20th March 2023 | Issue: 39 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

SponsorThe compliance automation tool that's making audits fun

Did you know that on average, GRC and IT teams are spending 4,300 hours on compliance tasks per year? Slash the time and resources you're spending achieving and maintaining compliance with G2's highest-rated cloud compliance platform.Automated evidence collection, 24/7 control monitoring, and an auditor-built collaboration hub are just a few reasons why companies like Lemonade, Notion, and Postman trust Drata as their compliance partner.Drata's robust risk management solution, pre-mapped controls, and automated compliance for 14+ frameworks will help you centralize your compliance program and reduce endless back and forth with your auditor and team. Book a demo to start streamlining your audits—and even make them fun… according to customer reviews.

こんにちは 👋,Hope you all had a great weekend!Jetlag and time difference had me doubting, but I made it! Here we are with another issue sharing the latest research and hacks. I apologize for not being able to keep up with the pace of articles that I used to share, but hopefully, you will excuse me for the next couple of weeks!Enjoy today's newsletter!

🔖Articles
- 🛠 Appsec:
  - Harvesting Active Directory credentials via HTTP Request Smuggling | Abusing HTTP hop-by-hop request headers.
- ⛓ Blockchain:
  - Smart Contract Auditing Heuristics | Why you should probable never sort your Merkle tree's leaves | Known problems of ERC-20 token standard | Censorship Resistance | EVM Pt II: The Journey of Smart Contracts from Solidity code to Bytecode | Bitcoin address clustering based on multiple heuristic conditions.
- ☁️ Cloudsec:
  - Pivoting clouds in AWS Organizations Pt.1: Leveraging Account Creation, Trusted Access and Delegated Admin | Lateral movement risks in the cloud and how to prevent them | SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft.
🐛 Vulnerabilities and Bug Bounties
- 🛠 Appsec:
  - Leveraging ssh-keygen for Arbitrary Execution | Attacking .NET Web Services | Unauthorized access to Codespace secrets in Github.
- ⛓ Blockchain:
  - Polynonce: A tale of novel ECDSA attack and bitcoin tears.
🏆 Rekt Leaderboard:
- 🥇 Euler Finance | 🥈 ParaSpace | 🥉 Poolz Finance
🔖 Resources
- 🎥 Videos:
  - How to Foundry 2.0: Brock Elmore | Bug Patterns in Solidity and Smart Contract Auditing.
- ⌨️ Repositories/Tools:
  - Immunefi PoC Templates | pyrometer | token-tester | Cookbook.

🛠 Appsec

Harvesting Active Directory credentials via HTTP Request SmugglingTijme Gommers describes an HTTP Request Smuggling vulnerability that was discovered during one of his engagements. This vulnerability enabled him to harvest Active Directory credentials, which then were used to sign into Outlook Web Access (OWA) and gain access to sensitive data. The article provides detailed steps of how he achieved persistent access to OWA by migrating clients to a rogue man-in-the-middle Exchange server.

Abusing HTTP hop-by-hop request headersNathan Davison suggests diverse methods to manipulate web systems and applications in unforeseen manners through the exploitation of hop-by-hop headers of HTTP/1.1. Typically, the affected systems have several caches/proxies that process requests before they reach the application's backend.

A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header, which is designed to be present in the request all the way through to the end of the request. According to RFC 2612, the HTTP/1.1 spec treats the following headers as hop-by-hop by default: Keep-Alive, Transfer-Encoding, TE, Connection, Trailer, Upgrade, Proxy-Authorization and Proxy-Authenticate. When encountering these headers in a request, a compliant proxy should process or action whatever it is these headers are indicating, and not forward them on to the next hop.

⛓ Blockchain

Smart Contract Auditing HeuristicsRoman Boehr has compiled a list of heuristics to be used when auditing smart contracts or checking for common error patterns.

Why you should probably never sort your Merkle tree's leavesAlin Tomescu discusses the myth of the effectiveness associated with a sorted-leaves Merkle tree scheme and why it is not recommended to sort it:

(1) they are only secure when the tree is correctly-computed (e.g., secure with BFT consensus, but insecure in single-server transparency logs)(2) you cannot efficiently insert or delete leaves(3) they have worse proof sizes.

Known problems of ERC-20 token standardDexaran highlights a lack of transaction handling model affecting the ERC-20 standard. If a user accidentally sends tokens to a DAI contract address by mistake, the contract will receive the tokens when it should not. Dexaran provides a thorough technical description of the ERC-20 standard and a solution to this problem that has already caused the loss of $11 million tokens.

Censorship ResistanceIbrahim Yusufali thoughts on censorship resistance:

Optimistically, censorship resistance should push regulation to stop holding consensus participating nodes responsible for enforcing sanctions and regulations, as inclusion lists would leave these parties without any other option. However, if the censoring jurisdictions were to take a harder stance and ban these validators, this could result in these nodes being pushed out. This would adversely affect the validator set, and could even result in a continuous hide and seek between nodes and censoring jurisdictions as more of them start regulating, which would be extremely detrimental to the future of the network.

EVM Part II: The Journey of Smart Contracts from Solidity code to BytecodeZaryab Afser's detailed walkthrough on the Ethereum Virtual Machine (EVM) continues with this article, which offers a comprehensive explanation of the entire life cycle of a smart contract. In addition to covering the development, deployment, initialization, and execution of a contract, the article also delves into concepts such as runtime bytecode, free memory pointer, and specific opcodes, providing a deeper understanding of the EVM.

Bitcoin address clustering method based on multiple heuristic conditionsPaper that reviews and summarises six heuristic algorithms for address clustering and entity relationship analysis.

Single heuristic method and incomplete heuristic conditions were difficult to cluster a large number of addresses comprehensively and accurately. Therefore, this paper analysed the associations between Bitcoin transactions and addresses and used six heuristic conditions to cluster addresses and entities.

Our work presented the pseudo-anonymity mechanism of the Bitcoin system, which could be used by the law enforcement agencies to track and crack down illegal transactions.

☁️ CloudSec

Pivoting clouds in AWS Organizations Pt. I: Leveraging Account Creation, Trusted Access and Delegated AdminNetSpi's Scott Weston uses his experience obtained from AWS security assessments to describe several key points of AWS Organizations theory and demonstrate exploitable opportunities in existing AWS solutions with a practical approach.

Lateral movement risks in the cloud and how to prevent them – Pt 3: from compromised cloud resource to Kubernetes cluster takeoverWiz's Lior Sonntag analyzes different lateral movement techniques used by attackers to pivot from cloud environments to managed Kubernetes clusters, including IAM cloud keys, kubeconfig files, and container registry images. Lior also shares three recommended best practices to mitiget the risk of a lateral movement attack: Avoid storing long-term cloud keys in workloads, remove kubeconfig files from exposed workloads, and restrict access to container registries.

SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theftSysdig’s Alberto Pellitteri explains how a sophisticated cloud attack took place, in which the attacker exploited a containerized workload to gain elevated privileges and infiltrate an AWS account to steal proprietary software and access credentials. The attacker also attempted to pivot using a Terraform state file to target other connected AWS accounts and achieve a broader access.

🛠 Appsec

Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)Sean Pesce writes about how the 'ssh-keygen' command can be used to load a shared library using the -D flag, and how this feature can be exploited for offensive security purposes to achieve privilege escalation.

Attacking .NET Web ServicesSecurifera's Ryan Wincey writes about some vulnerabilities identified in the Syngo Dynamics application and the approach he uses when performing white-box vulnerability research on a .NET web application.

Unauthorized access to Codespace secrets in GitHubOphion Security identified a security issue affecting the GitHub's Repository Security Advisory feature, which could be used to retrieve plaintext Codespace secrets of any organization, including GitHub.

⛓Blockchain

Polynonce: A tale of a novel ECDSA attack and bitcoin tearsKudelski's Nils Amiet explains a novel attack against ECDSA and how it was applied to the Bitcoin and Ethereum networks. Surprisingly they found evidence that someone had previously attacked vulnerable wallets with a different exploit and drained their funds. The article covers the research performed along with the findings and difficulties encountered throughout the process.

Sponsor

Too Many Developers With Production Access?

Consider an attacker who obtained one of your developer’s credentials; what access would they have? By making permanent access temporary, you can significantly reduce the attack surface for many security-breach scenarios. That’s where just-in-time access comes in.Learn Why Your Team Should be Using Just-in-Time Access

🥇Euler Finance — On March 23, 2023, Euler Finance was exploited in a series of transactions, resulting in a total loss of approximately $200 million.
🥈ParaSpace — On March 17, 2023, the BlockSec team identified and stopped an attack on the ParaSpace NFT project, rescuing 2900 ETH (~$5.2 million) and minimising the potential loss. The ParaSpace published a tweet with some additional details.
🥉Poolz Finance — On March 15, 2023, Poolz Finance was exploited on Ethereum, Polygon, and BNB Chain, resulting in a total loss of approximately $550,000.

🎥 Videos

How to Foundry 2.0: Brock Elmore — An overview of Foundry with Brock Elmore, covering various topics such as basic tests in Foundry, cheat code traces, fuzz testing, advanced cheat codes, and new features, among others
Bug Patterns in Solidity and Smart Contract Auditing — Yannis Smaragdakis talks about the tooling and some Solidity patterns that have been been useful during the discovery of high-value vulnerabilities.

⌨️ Repositories/Tools

immunefi/Immunefi PoC Templates — Collaborative repository that aims to provide reusable and easily modifiable PoC examples for a variety of EVM based vulnerabilities.
nascentxyz/pyrometer — A tool for analyzing the security and parameters of a solidity smart contract.
token-tester — Discover potential vulnerabilities and incompatibilities when interfacing with generic ERC20s.
Cookbook — Find smart contracts, solidity libraries, and discover protocols.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews