Security Pills - Issue 41

Release Date: 3rd April 2023 | Issue: 41 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hi there 👋,Hope you all had a great weekend!These last couple of days have been crazy as I get back from vacations and start with my routine, but I have a huge milestone to share with you all today! We are about to pass 1,000 subscribers. When I first started the newsletter, I didn't have a clear goal on how many subscribers I wanted to gain during this first year, but I couldn't be happier to have such a great community backing up our work every single week. So, thank you everyone for your support!As always, if you haven't already, make yourself a cup of coffee, find a cozy spot, and let's get into this week's newsletter! 🚀 

🛠 Appsec

Reconnaissance 104: Expanded ScanningProjectDiscovery continues its blog series on reconnaissance. This article expands on the tools and techniques used for template-based scanning, crawling, directory enumeration, and subdomain takeover

Exploiting Prototype Pollution in node without the filesystemPortSwigger's Gareth Heyes introduces a new exploitation technique for Server-Side Prototype Pollution. The article explains how the '--import' command line option can execute arbitrary code without requiring a local file.

⛓ Blockchain

Here comes Decipher EVM Puzzles game for all Smart Contract DevsZaryab Afser has created the Decipher EVM Puzzles game, an extended version of Franco's EVM puzzles with additional complexity and different puzzles covering a wide range of opcodes.

Breaking Pedersen Hashes in PracticeNCC's Paul Bottinelli explores the Pedersen hash function (used in zero-knowledge proof systems due to its efficiency in arithmetic circuits) and shows how its security properties can be broken when requirements are not met.

The Most Comprehensive Research Article on zkEVMLouround and expctchaos have published the most complete research report on Polygon zkEVM, covering a wide range of topics such as:

• Introduction to scaling, rollups and zkEVM

• Deep-Dive into zk-Rollups

• Overview of the (zk-)EVM Rollup Space

• Tokenomics

Fuel VM Binary Analysisjtriley provides a technical deep dive into the Fuel Virtual Machine (FuelVM), a novel 64-bit register machine for smart contract execution. The article explains the structure used in its executables and how they behave while peeking into their intermediate representation and human-readable assembly in Sway.

Everything You Wanted to Know About Symbolic Execution for Ethereum Smart Contracts Palina Tolmach writes an introduction to symbolic execution and how it can be used to find issues that may go unnoticed by other tools and techniques. The article explores the existing bytecode-level symbolic execution tools available for Ethereum smart contracts, highlighting their strengths and limitations through different examples.

⚙️ Fuzzing

The Blitz Tutorial Lab on Fuzzing with AFL++Check Point Research team has prepared a fuzzing lab with four different challenges using an old version of C's libtiff library as a fuzzing target. The lab format consists of a series of exercises where every possible bit of boilerplate has already been filled in, and the reader must only complete the load-bearing logic. A complete solution is also available, which can be compiled, run, and seen to achieve the desired effect.

Fuzzing 101 with libAFLBen Risher's series of articles on how to fuzz different libraries and binaries (libTIFF, libXML2, libExif, Xpdf, and tcpdump) with LibAFL while using the challenges from the Fuzzing101 repository meant to teach the basics of fuzzing and how to find vulnerabilities in real software projects.

How to Fuzz JavaScript with Jest and Jazzer.jsCode Intelligence's Khaled Yakdan writes on how to create fuzz tests with Jazzer.js using standard Jest syntax and discusses advanced topics to make your fuzz tests more effective and easier to write.

Fuzzing Golang msgpack for fun and panicMatt Schwager from Red Canary fuzzed Golang MessagePack implementation, discovering a denial of service (DoS) vulnerability. This article provides a basic introduction to the concept of fuzzing and a technical walkthrough of the vulnerability discovered.

🛠 Appsec

Hacking AI: System and Cloud Takeover via MLflow ExploitProtect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover

The curl quirk that exposed Burp Suite & Google ChromePort Swigger's James Kettle writes about the little-known 'data-binary' feature available in curl, which led to a local-file disclosure vulnerability in both Burp Suite Pro and Google Chrome.

BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeoverWiz's Hillai Ben-Sasson found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal. Hillai was able to not only modify search results but also launch a high-impact XSS attack on Bing users, making it possible to compromise user's personal data, including Outlook emails and SharePoint documents.

⛓Blockchain

The Liquid Global HackTechnical report on the hack suffered by Liquid Global back in September 2021 were $91 million worth of assets were stolen. An interesting research on the use of several custodial tumblers in the attempted laundering of large volume exchange hacks.

Tranchess Liquid Staking Deposit Firstrun Vulnerability AnalysisKalos Security's Jade Han delves into a structural problem between the Liquidity Staking Deposit and the outsurced node operator, as well as an issue with the Ethereum 2.0 Beacon client which could have allowed an attacker to deposit ETH on behalf of other users, and withdraw all the ETH using the hacker's withdrawal credentials after the Shanghai upgrade.

1. 🥇SafeMoon — On March 28, 2023, SafeMoon was exploited due to a smart contract vulnerability, resulting in a loss of approximately $8.65 million.

2. 🥈Swerve Finance — Swerve Finance, a defunct Curve Finance clone, is still in the middle of a live governance exploit, viewable on-chain, to steal $1.3 million in stablecoins.

3. 🥉Allbridge — On April 01, 2023, Allbridge was exploited due to price manipulation, resulting in the loss of 282,889 $BUSD and 290,868 $USDT, totaling approximately $570,000.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews