Security Pills - Issue 44
Java Exploitation Restrictions in Modern JDK Times, Meterpreter vs Modern EDRs, How to Bypass Cloudflare in 2023
Release Date: 24th April 2023 | Issue: 44 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Do all AppSec professionals hate their SAST?
Static Application Security Testing (SAST) tools have been around for a while, but have they lived up to their promise? Here are the top common pitfalls we often talk about:
Limited scope and context
Bad UX & DX
Bearer’s developer-first approach to static code analysis makes it easy for security teams to confidently include scanning in their CI/CD pipelines. At the same time, engineering teams can identify and fix not just security, but also privacy violations in their code at the earliest stages of their build process. This frees up security teams to focus on what matters - architecture and framework level risks.
Can we prevent a security incident like Loom's? | Java Exploitation Restrictions in Modern JDK Times | Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories | How to Bypass Cloudflare in 2023
Beware of WalletConnect Phishing Risks in Web3 Wallets | Security Concerns for Zero-Knowledge Proofs in Blockchain | Threat Actors Rapidly Adopt Web3 IPFS Technology | Precision Loss Errors | Differences between staticcall and call in Solidity | SlotMachine & EVM Storage Management
⚔️ Red Team:
Meterpreter vs Modern EDR(s) | Adversary Emulation Exercises | Direct Syscalls: A journey from high to low
🐛 Vulnerabilities and Bug Bounties
Now I See You: Uncovering Security Vulnerabilities in Camera Sunglasses | Stealing GitHub staff's access token via GitHub Actions | Impersonation Vulnerability in Keycloak | Look Mama, no TemplatesImpl.
$28K Bounty - Admin Brick & Forced Revert | Memory corruption in JCRE: An unpatchable HSM may swallow your private key | Stealing Gas: Bypasing Ethermint Ante Handlers | Browser Extension WASM Vulnerability Postmortem.
How To Level Up As A Web3 Engineer | WhatsABI? with Shazow
debugHunter | puredns | FlareSolverr | bearer | awesome-edr-bypass | indexed.xyz | efcf-framework.
Can we prevent a security incident like Loom’s?Loom recently disclosed a security incident involving a misconfigured cache and a previously undetected problem with the way they were loading Express middleware. This article looks at how the team at Bearer used the incident as an opportunity to build a new detection into their open-source static code analysis product to prevent the problem in the future.
Java Exploitation Restrictions in Modern JDK TimesFlorian Hauser of Code WhiteSec discusses the history of Java deserialisation gadgets in vulnerability research and explores alternative methods of executing Java code in recent JDK versions. The article focuses specifically on OpenJDK and Oracle implementations.
Hijacking Arch Linux Packages by Repo Jacking GitHub RepositoriesJoren Vrancken discusses how many Arch User Repository packages are vulnerable to repo jacking attacks.
How to Bypass Cloudflare in 2023ScrapeOps provide a list of different alternatives to bypass Cloudflare's anti-bot protection system.
Beware of WalletConnect Phishing Risks in Web3 WalletsThe SlowMist team has discovered a vulnerability that could lead to phishing attacks through the inappropriate use of WalletConnect on Web3 wallets. The vulnerability arises when mobile wallet applications integrate the DApp Browser and WalletConnect. This flaw can potentially allow attackers to launch phishing attacks on users.
Security Concerns for Zero-Knowledge Proofs in BlockchainNumen Cyber Labs writes on how to identify potential vulnerabilities that may arise from the combination of ZKP and blockchain while delving into the three pillars of ZKP's security and their specific security concerns.
Threat Actors Rapidly Adopt Web3 IPFS TechnologyPalo Alto Unit42 delves into the increasing adoption of IPFS by threat actors, and how it poses a unique challenge in locating and removing malicious content from the ecosystem, as a decentralized and distributed storage technology.
Precision Loss ErrorsDacian explains how numerical operations in solidity can result in precision loss, an error where the amount that is calculated, saved and returned is incorrect and typically lower than it should be. A vulnerability that sometimes can be used by attackers to drain funds from a finance platform or protocol.
Differences between staticcall and call in SolidityResearch that explore the differences between staticcall and call, while uncovering their unique features, use cases and risks for smart contracts
SlotMachine & EVM Storage Managementzeroknots delves into the issue of storage layout clashes in EVMs. The article explains how such clashes can occur when the storage variables in a called contract do not align with the calling contract's storage layout, which can lead to unintended data overwriting or corruption. The author also has published SlotMachine, a specialised security testing framework designed to detect hazardous storage writes in Solidity contracts.
⚔️ Red Team
Meterpreter vs Modern EDR(s)RedOps' Daniel Feichter writes on how very simple modifications to a Meterpreter shellcode dropper, such as encrypting the Meterpreter shellcode with the XOR algorithm, adding legitimate metadata using a manifest file, and moving the Meterpreter shellcode from the .text section to the .data section can be sufficient to bypass modern EDRs.
Adversary Emulation ExercisesMatt Culbert showcases a practical scenario in which an adversary's attack evolves with custom methods as the emulation progresses. Culbert also provides insights on how companies can improve their understanding of these exercises to bolster their defenses.
Direct Syscalls: A journey from high to lowDaniel Feichter writes on the Direct System Call technique and provides a walkthrough on how to create a shellcode dropper step-by-step using Visual Studio in C++
Now I See You: Uncovering Security Vulnerabilities in Camera SunglassesDaniel Schwender writes on a security vulnerability discovered in Ray-Ban Stories, a pair of sunglasses with a built-in camera. A lack of verification in the SSL certificate could allow attackers to perform a man-in-the-middle attack, intercepting all communication between the glasses and the phone and obtaining access to the recorded media files.
Stealing GitHub staff's access token via GitHub ActionsRyotaK has written about a recently discovered vulnerability in GitHub's actions/runner repository that allowed for the theft of a personal access token tied to a GitHub staff account, enabling actions to be performed on their behalf.
Impersonation Vulnerability in KeycloakMogwai Labs' Timo Müller has written about a vulnerability that affects Keycloak, an open-source identity and access management solution. The vulnerability could allow Keycloak users to impersonate other users.
Look Mama, no TemplatesImplDue to changes in Java 16, exploiting native deserialisation vulnerabilities has become much harder. This post from Hans-Martin provides an overview on what has changed and gives some ideas on how attackers can still gain remote code execution.
$28K Bounty - Admin Brick & Forced RevertA missing access control vulnerability in Alchemist's 'timelockconfig' function which allowed attackers to brick admin configs and force revert the mint recipient, resulting in a $28K bounty.
Memory corruption in JCRE: An unpatchable HSM may swallow your private keyA research that details two different case scenarios where the private keys in a Java card could be lost and irrecoverable.
Stealing Gas: Bypassing Ethermint Ante HandlersFelix Wilhelm from JumpCrypto describes a little-known bug class that affected Cosmos-based blockchains and examines its potential impact on Ethermint, a popular EVM implementation
Browser Extension WASM Vulnerability PostmortemBack in November 2022, a security researcher reported a WebAssembly (WASM) vulnerability in the open-source library Wallet Core. Despite the vulnerability was patched, the wallets generated between November 14 and 23, 2022 by the Trust Wallet Browser Extension were vulnerable. Few days ago, two potential exploits were detected resulting in a total loss of approximately $170,000 USD. This article provides an in-depth account of the vulnerability and the assertive steps that were taken.
🙏 Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition.You can also share us with your friends and follow us on Twitter.
debugHunter — Chrome extension that scans websites for debugging parameters and notifies you when it finds a URL with modified responses. The extension uses a binary search algorithm to efficiently determine the parameter responsible for the change in the response.
puredns — A fast domain resolver and subdomain brute-forcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
FlareSolverr — A proxy server to bypass Cloudflare and DDoS-GUARD protection.
bearer — Code security scanning tool (SAST) that discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).
awesome-edr-bypass — Awesome EDR Bypass Resources For Ethical Hacking.
indexed.xyz — A public and decoded crypto dataset.
efcf-framework — Extremely Fast smart contract fuzzer.
How To Level Up As A Web3 Engineer — Interview with Alberto Cuesta, co-founder and technical lead at Yield Protocol.
WhatsABI? with Shazow — Dive into the world of EVM bytecode and ABI, as they explore topics like extracting metadata, efficient static analysis, and embracing different source code languages.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.