Security Pills - Issue 4

Release Date: 18 Jul 2022 | Issue: 4 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there, 👋,Hope you had a great weekend!You can find us now at securitypills.news, and our new website and blog should be ready soon!I've also been thinking around an idea to add some valuable content to the newsletter, but would like first to get your feedback:

— Sebas

Your weekly prescription 💊

News

Cryptocurrency sent to mixers reaches an all-time high thanks to illicit activityChainalysis researchers have seen an increase in illicit cryptocurrency moving to mixers. The report explains that significant amounts of cryptocurrencies sent to mixers come from sanctioned entities, most of which are connected to actors based in Russia and

North Korean hackers have been accused of leading a wave of attacks on cryptocurrency platforms and have been caught laundering significant tranches of funds through mixers.

Chainalysis said Russian darknet market Hydra, which was sanctioned in April 2022, led the way in their data set, accounting for 50% of all funds moving to mixers from sanctioned entities this year.

Chinese police exposed 1 billion people's data in unprecedented leakAttackers have grabbed data of almost 1 billion Chinese citizens from a Shanghai police database and attempted to extort the department for about $200,000. The trove of data contains names, phone numbers, government ID numbers, and police reports.

The scale of the breach is immense and it is the first of this size to hit the Chinese government, which is notorious for hoarding massive amounts of data, not only about its own citizens, but about people all over the world. China was memorably responsible for the United States Office of Personnel Management breach and Equifax credit bureau breach, among many others worldwide.

Articles

Abusing Azure hybrid workers for privilege escalation #azure #privescThe NetSPI team published few months ago a blog post where they detailed a privilege escalation scenario by abusing Azure hybrid workers. In this second article, the dig a little deeper and explain how they used an undocumented internal API to poll information about the Automation Account. The issues identified could allow any Azure user with the Subscription Reader role to dump saved credentials and certificates from Automation Accounts, allowing a privilege escalation.

Introducing Pretender - Your new sidekick for relaying attacks #red-teamRedTeam Pentesting has released another open-source tool to obtain a machine-in-the-middle position inside Windows networks by implementing local name resolution spoofing using the mDNS, LLMNR, and NetBIOS-NS protocols as well as a DHCPv6 DNS takeover attack.

Can a project have access to a user's NFT after mint? #nft #smart-contractA popular NFT project called 'The Saudis' started their free mint campaign where whitelisted users could mint their NFTs for free. However, a user found a security issue and dumped an important quantity of NFT into the market shortly after the mint event finished. The team behind the NFT project were able to lock the user's account and modify the contract to remove a sizable number of NFTs from the user's control and return the affected NFTs back to the community.The article explores the EIP-2535 protocol (diamond protocol) and how it was used by the team to modify the contract's functionalities.

Decompiler Explorer #reverse-engineeringBinary Ninja has published an internal tool in the form of web service that lets you compare the output of different compilers on small executables. Among the decompilers you can find angr, BinaryNinja, Ghidra or Hex-Rays. They also. have released the entire project as open source on GitHub.

Researching access tokens for fun and knowledge #azureRindert Kramer dives into JSON Web Tokens, Azure Key Vaults and compound identities, exploring JWT's without the managed identity feature.

How Did MetaMask Come To Life? The Origin Story, Revealed #smart-contract #metamaskDan Finlay and Aaron Davis, founders of MetaMask gave their first interview together on the origins behind the company.

Attacking Active Directory: 0 to 0.9 #active-directoryI recently found this article describing how attackers approach Active Directory (AD) instances, reviewing the different aspects of AD and those terms that every pentester should control in order to understand the attacks that can be performed.

Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free #mobile #iOS #exploitingThe third part of this series discusses heap overflows and exploiting use-after-free (UAF) bugs and how they can be used to achieve greater impact. The author has also published a first part on how to reverse engineer and patch an iOS application, and how to reverse engineer and exploit and iOS binary through ARM64 ROP chains.

Hey, if this email was forwarded to you, or if you are coming from any other social media and have enjoyed our content, maybe you can support us by subscribing to our newsletter and forwarding this email.

Vulnerabilities and Bug Bounties

Exploiting Arbitrary Object Instantiations in PHP without Custom ClassesThe article explores unauthenticated arbitrary object instantiation vulnerabilities in LAM (LDAP Account Manager). PHP's arbitrary object instantiation are vulnerabilities in which an attacker can create arbitrary object, achieving remote code execution.

Remote Code Execution via Prototype Pollution in Blitz.jsDuring the past few years I've been hearing about prototype pollution vulnerabilities affecting JavaScript libraries but could not identify a detailed proof of concept to shown the full potential of this type of vulnerability. The article precisely describes a prototype pollution vulnerability (CVE-2022-23631) in the serialization library superjson used in the RPC layer of Blitz.js. It leads to Remote Code Execution on the server, which an unauthenticated attacker can exploit it over the internet.

Two Novel Crypto Wallet ExploitsBack in June, Unciphered unveiled three novel exploits impacting crypto wallets Electrum Bitcoin Wallet, Trezor One and Ethereumwallet.com. Unciphered demonstrated a vulnerability in the form of an adversarial QR code targeting Electrum wallets running on Windows 10, which facilitated authenticated token capture, allowing an attacker to access a compromised wallet and all crypto currencies contained therein.Additionally, they also demonstrated a bruteforce attack affecting Trezor One wallets where their team successfully set the world record for the fastest time to crack a new and fully patched Trezor one in just under 30 minutes.

How to Steal $100M from Flawless Smart ContractsA vulnerability in the Moonbeam network through a misuse of delegate calls awarded pwning.eth a $1M reward and $50k bonus.

We hacked Larksuite for 1 month and here is what we foundSnapsec targeted Lark Technologies during a month identifying 14 different vulnerabilities ranging from cross-site scripting to privilege escalation. This article summarizes the approach they took and the technical details on the vulnerabilities that were identified.

Resources

🎥 Videos

1. AssetNote: Bug Bounty Redacted #5 — The fifth episode of Bug Bounty Redacted is out, this time explaining a subdomain takeover & a logic bug leading to DoS.

2. PwnFunction: How to Predict Random Numbers — In this episode PwnFunction will break the Math.random method in JavasScript with z3.

3. Nahamsec: Attack Surface Management Series #1: Certificate Transparency 

4. IppSec: HackTheBox - Acute

5. How to write a BANGER blogpost with STOK — So you did some awesome research, wrote a pretty epic write-up and now you want to share the results with the world! Time to hack the Google algorithm! In this session Hacker/Creative STÖK will guide you through the do's and don'ts of search engine optimization, the importance of a personal brand and how to maximize your views. Welcome to content creation for security professionals!

⌨️ Repositories

1. deepce — Docker enumeration, escalation of privileges and container escapes.

2. deploy-goad — Script to deploy GOAD, a pentest active directory lab project to use to practice usual attack techniques.

3. GraphCrawler — Automated testing tool for any GraphQL endpoint.

4. thoth — A Cairo/starknet bytecode disassembler

🎙️ Podcasts

1. Malicious Life - Silk Road: The Amazon of drugs — Ross Ulbricht always had a thing with testing his limits, and so, in 2010, he came up with the idea to build a truly free market: a website where anybody could buy and sell anything - including illegal drugs - anonymously: the ultimate experiment in individual freedom.

2. Risky Businnes #671: The case for an American-owned NSO group — Why an American defence contractor acquiring NSO group would be a nonproliferation win and much more.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews

If you liked this newsletter from Security Pills Newsletters, why not share it?