Security Pills - Issue 43

Release Date: 17th April 2023 | Issue: 43 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey there 👋,Hope you are doing great!It looks like it has been another tense week in the blockchain space, SushiSwap was hacked again while a whitehack researcher attempted to save some funds. It looks like the exploit used by the researcher was quickly copied by some bots who did all the "rescuing". Fortunately, part of the drained funds have been recovered and returned to the protocol. But, yet again, it is one of those scenarios that you don't typically see every day. You can find more information about this hack and others in the section below.As always, if you haven't already, make yourself a cup of coffee ☕️, find a cozy spot, and let's get into this week's newsletter! 🚀

🛠 Appsec

Deploying key transparency at WhatsAppSean Lawlor and Kevin Lewi from Meta write about a new cryptographic security feature deployed in Whatsapp, which automatically verifies a secure connection based on key transparency. Meta has also published an open-source library called Auditable Key Directory (AKD), that enables anyone to verify audit proofs of the directory's correctness

Proxyjacking has Entered the ChatSysdig's Crystal Morin talks about a new attack method, dubbed proxyjacking, which leverages the Log4j vulnerability for initial access. The attacker then sells the victim's IP address to proxyware services for profit. The interesting part of this attack is the payload used, which installs an agent that turns the compromised account into a proxy server, allowing the attacker to sell the IP address to a proxyware service and collect the profic. Crystal provides a thorough analysis on how this attack works and what are its known attack vectors.

Introducing Alterx: Efficient Active Subdomain Enumeration with PatternsTarun Koyalwar from Project Discovery writes about Alterx, a powerful tool for active subdomain enumeration that offers significant benefits over traditional brute-force methods due to customizable patterns

Advanced Maskcat Cracking GuideJake Wnuk provides an advanced guide to using Maskcat, a tool for making transformations and modifications to wordlists and rules when cracking hashes. One of the topics covered by Jake is how new candidates are generated and applied to hash cracking, explaining how to use candidates to find and enumerate patterns, expand existing wordlists or use them to create multi-byte character wordlists with multi-byte rules.

Smashing Hashes with Token Swapping AttacksJake Wnuk writes on token swapping attacks, a technique built around two principles that password crackers can abuse to recover plaintext; human passwords often share patterns and secret material is often shared or used, especially among a shared user pool.

A Pentester's Guide to NoSQL InjectionAditya from The SecOps Group delves into the infamous NoSQL Injection attack vector and how it does affect popular databases like MongoDB, ElasticSearch, or CouchDB. The article covers tools and techniques to identify this type of vulnerabilities during a pentest and provides a hands-on practice lab to further develop your NoSQL injection skills.

⛓ Blockchain

Seeing like a protocolBarnabé Monnot writes on protocol credibility, and how this credibility is strengthened or eroded by other mechanisms in the protocol's environment, beyond its boundaries.

Rilide: A New Malicious Browser Extension for Stealing CryptocurrenciesTrustWave's Pawel Knapczyk and Wojciech Cieslak write about Rilide, a malware disguised as a legitimate Google Drive extension that has the effective and rarely used ability to utilize forged dialogs to deceive users into revealing their two-factor authentication (2FA) and then withdraw cryptocurrencies in the background. The authors explore two campaigns that were used to distribute this piece of malware and how the extension works to steal a user's currencies.

Bitcoin Deep DiveA deeply technical analysis of the most prominent cryptocurrency and its flaws. The author goes over Bitcoin's purpose and history, as well as some of its most known weaknesses, such as susceptibility to 51% attacks or lack of sustainability.

New Tactics and Trends about Transfer Phishing AttacksA new variation of the zero-value transfer phishing attack has been spotted in the wild, evolving into a small-value transfer phishing and a fake token transfer phishing. These new methods have already generated profits of up to $8 million (reaching a total of ~$32 million). This article from X-explore and WuBlockchain explores these new variants and shares a deep dive on how the funds have been stolen and laundered through Tornado.cash

Reentrancy Vulnerability Scope ExpandedA practical analysis on the read-only reentrancy vulnerability spotted on Balancer, which could be used to manipulate prices in some specific nested pools by using stale data

Review of Blockchain Security in Q1 2023Fairyproof studied 113 publicly reported security incidents that occurred from January to March. This report contains a list of the findings, analysis and best practices from these incidents.

Building a smart contracts fuzzer for fun and profitJat writes in this article the reasons that brought him into coding a property-based testing software for detecting vulnerabilities in smart contracts, using the Hypothesis Python library, while covering some topics such as stateful testing, shrinking, coverage guidance, and swarm testing, among others.

🧰 SAST

CodeQL Zero to Hero Pt. 1: The fundamentals of static analysis for vulnerability researchGitHub's Sylwia Budzynska writes this blog series that serves as an introduction to static analysis concepts, an overview of CodeQL, and how static analysis can leverage for security research while learning how to write custom CodeQL queries.

Rule Writing for CodeQL and SemgrepEugene Lim shares his perspective on using Semgrep and CodeQL to develop rules for detecting potential vulnerabilities. As Eugene explores in this article, you might prefer to focus on scan speed and compatibility with a wide range of codebases, or prioritize reducing false negatives and delving into the intricacies of complex rule syntax, for instance.

The birth of Semgrep Pro EngineR2C's Emma Jin and Colleen Dai write on adding interfile analysis as part of their recently launched Semgrep Pro Engine, while providing technical details on how it was implemented and what challenges were faced throughout the process.

🛠 Appsec

Pretalx Vulnerabilities: How to get accepted at every conferenceSonar's Stefan Schiller delves into the technical details of the vulnerabilities found in Pretalx, a web-based conference planning tool used to manage call for papers submissions, communicate with speakers, and used by all major IT security conferences. Stefan explains how it was possible to achieve code execution via a file write vulnerability, and provides some tips to mitigate the issue by having a look at the applied patches.

It's a (SNMP) Trap: Gaining Code Execution on LibreNMSStefan Schiller from Sonar outlines in this article a XSS vulnerability found in LibreNMS, which could be exploited by an unauthenticated attacker to gain remote code execution after sensing a single SNMP trap. The author determines how this vulnerability can be prevented and derives the essential key learnings.

Shell in the Ghost: Ghostscript CVE-2023-28879 writeupTechnical write-up that details how CVE-2023-28879 - an RCE in Ghostscript - was found and exploited. It is important to bear in mind that Ghostscript is still widely utilized in many applications and libraries, such as ImageMagick and various web applications that directly manipulate PDF files.

⛓Blockchain

Software Wallets Research Series: EIP-712 Implementation Issue Impacting 40+ vendorsThis research conducted by Coinspect aimed to identify prevalent architectural patterns across software wallets, discover potential security vulnerabilities that could affect them and create a threat model.

Hacking Play-to-Earn Blockchain Games: The Case of ManariumBlaze's Eduardo Alves and Vitor Fernandes provide an overview of hacking play-to-earn blockchain games and common security pitfalls affecting P2E. The authors explain how several vulnerabilities were discovered in a P2E game named Manarium.

1. 🥇Yearn.finance — On April 13th, 2023, Yearn.finance was attacked, resulting in the theft of over $10 million for the project. The attackers exploited an incorrect setting of the fulcrum address in the yUSDT contract, manipulating the stablecoin reserve balance within the yUSDT contract, allowing the attacker to profit by depositing USDT into yUSDT and receiving an unexpectedly large number of yUSDT tokens.

2. 🥈SushiSwap — On April 9th, 2023, SushiSwap was the target of an attack where $3.3 million were stolen as a result of a function parameter injection vulnerability. What started as an attempt to save the affected funds ended up becoming a true madness, where MEV bots began to drain the protocol.

3. 🥉MetaPoint — On April 12, 2023, MetaPoint was exploited due to a smart contract vulnerability, resulting in the loss of funds worth approximately $920,000.

⌨️ Repositories/Tools

• NightmareLab/SourceGPT — A source code analyzer and prompt manager built on top of ChatGPT as the oracle.

• aress31/burpgpt — A Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities, and enables running traffic-based analysis of any type.

• jat9292/fuzzing-like-a-smarter-degen — Improved Barebones Solidity smart contract fuzzer

• emilianobonassi/revoke-safe-module — A Gnosis Safe Module to delegate to an another account to revoke on your behalf token allowances for an exploited address.

🎥 Videos

• Writing your First Nuclei Template — Everything you need to know about writing nuclei templates.

• How to hack North Korea, the Darkest Network on Earth — How do you safely get information about the outside world into a totalitarian regime like North Korea, where the penalty for watching a Western movie or reading a newspaper is death?

• 64 ways to steal a password — The many possible ways a criminal may be able to get your password

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews