Security Pills - Issue 44

Release Date: 24th April 2023 | Issue: 44 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

🛠 Appsec

Can we prevent a security incident like Loom’s?Loom recently disclosed a security incident involving a misconfigured cache and a previously undetected problem with the way they were loading Express middleware. This article looks at how the team at Bearer used the incident as an opportunity to build a new detection into their open-source static code analysis product to prevent the problem in the future.

Java Exploitation Restrictions in Modern JDK TimesFlorian Hauser of Code WhiteSec discusses the history of Java deserialisation gadgets in vulnerability research and explores alternative methods of executing Java code in recent JDK versions. The article focuses specifically on OpenJDK and Oracle implementations.

Hijacking Arch Linux Packages by Repo Jacking GitHub RepositoriesJoren Vrancken discusses how many Arch User Repository packages are vulnerable to repo jacking attacks.

How to Bypass Cloudflare in 2023ScrapeOps provide a list of different alternatives to bypass Cloudflare's anti-bot protection system.

⛓ Blockchain

Beware of WalletConnect Phishing Risks in Web3 WalletsThe SlowMist team has discovered a vulnerability that could lead to phishing attacks through the inappropriate use of WalletConnect on Web3 wallets. The vulnerability arises when mobile wallet applications integrate the DApp Browser and WalletConnect. This flaw can potentially allow attackers to launch phishing attacks on users.

Security Concerns for Zero-Knowledge Proofs in BlockchainNumen Cyber Labs writes on how to identify potential vulnerabilities that may arise from the combination of ZKP and blockchain while delving into the three pillars of ZKP's security and their specific security concerns.

Threat Actors Rapidly Adopt Web3 IPFS TechnologyPalo Alto Unit42 delves into the increasing adoption of IPFS by threat actors, and how it poses a unique challenge in locating and removing malicious content from the ecosystem, as a decentralized and distributed storage technology.

Precision Loss ErrorsDacian explains how numerical operations in solidity can result in precision loss, an error where the amount that is calculated, saved and returned is incorrect and typically lower than it should be. A vulnerability that sometimes can be used by attackers to drain funds from a finance platform or protocol.

Differences between staticcall and call in SolidityResearch that explore the differences between staticcall and call, while uncovering their unique features, use cases and risks for smart contracts

SlotMachine & EVM Storage Managementzeroknots delves into the issue of storage layout clashes in EVMs. The article explains how such clashes can occur when the storage variables in a called contract do not align with the calling contract's storage layout, which can lead to unintended data overwriting or corruption. The author also has published SlotMachine, a specialised security testing framework designed to detect hazardous storage writes in Solidity contracts.

⚔️ Red Team

Meterpreter vs Modern EDR(s)RedOps' Daniel Feichter writes on how very simple modifications to a Meterpreter shellcode dropper, such as encrypting the Meterpreter shellcode with the XOR algorithm, adding legitimate metadata using a manifest file, and moving the Meterpreter shellcode from the .text section to the .data section can be sufficient to bypass modern EDRs.

Adversary Emulation ExercisesMatt Culbert showcases a practical scenario in which an adversary's attack evolves with custom methods as the emulation progresses. Culbert also provides insights on how companies can improve their understanding of these exercises to bolster their defenses.

Direct Syscalls: A journey from high to lowDaniel Feichter writes on the Direct System Call technique and provides a walkthrough on how to create a shellcode dropper step-by-step using Visual Studio in C++

🛠 Appsec

Now I See You: Uncovering Security Vulnerabilities in Camera SunglassesDaniel Schwender writes on a security vulnerability discovered in Ray-Ban Stories, a pair of sunglasses with a built-in camera. A lack of verification in the SSL certificate could allow attackers to perform a man-in-the-middle attack, intercepting all communication between the glasses and the phone and obtaining access to the recorded media files.

Stealing GitHub staff's access token via GitHub ActionsRyotaK has written about a recently discovered vulnerability in GitHub's actions/runner repository that allowed for the theft of a personal access token tied to a GitHub staff account, enabling actions to be performed on their behalf.

Impersonation Vulnerability in KeycloakMogwai Labs' Timo Müller has written about a vulnerability that affects Keycloak, an open-source identity and access management solution. The vulnerability could allow Keycloak users to impersonate other users.

Look Mama, no TemplatesImplDue to changes in Java 16, exploiting native deserialisation vulnerabilities has become much harder. This post from Hans-Martin provides an overview on what has changed and gives some ideas on how attackers can still gain remote code execution.

⛓Blockchain

$28K Bounty - Admin Brick & Forced RevertA missing access control vulnerability in Alchemist's 'timelockconfig' function which allowed attackers to brick admin configs and force revert the mint recipient, resulting in a $28K bounty.

Memory corruption in JCRE: An unpatchable HSM may swallow your private keyA research that details two different case scenarios where the private keys in a Java card could be lost and irrecoverable.

Stealing Gas: Bypassing Ethermint Ante HandlersFelix Wilhelm from JumpCrypto describes a little-known bug class that affected Cosmos-based blockchains and examines its potential impact on Ethermint, a popular EVM implementation

Browser Extension WASM Vulnerability PostmortemBack in November 2022, a security researcher reported a WebAssembly (WASM) vulnerability in the open-source library Wallet Core. Despite the vulnerability was patched, the wallets generated between November 14 and 23, 2022 by the Trust Wallet Browser Extension were vulnerable. Few days ago, two potential exploits were detected resulting in a total loss of approximately $170,000 USD. This article provides an in-depth account of the vulnerability and the assertive steps that were taken.

⌨️ Repositories/Tools

• debugHunter — Chrome extension that scans websites for debugging parameters and notifies you when it finds a URL with modified responses. The extension uses a binary search algorithm to efficiently determine the parameter responsible for the change in the response.

• puredns — A fast domain resolver and subdomain brute-forcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.

• FlareSolverr — A proxy server to bypass Cloudflare and DDoS-GUARD protection.

• bearer — Code security scanning tool (SAST) that discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).

• awesome-edr-bypass — Awesome EDR Bypass Resources For Ethical Hacking.

• indexed.xyz — A public and decoded crypto dataset.

• efcf-framework — Extremely Fast smart contract fuzzer.

🎥 Videos

• How To Level Up As A Web3 Engineer — Interview with Alberto Cuesta, co-founder and technical lead at Yield Protocol.

• WhatsABI? with Shazow — Dive into the world of EVM bytecode and ABI, as they explore topics like extracting metadata, efficient static analysis, and embracing different source code languages.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews