Security Pills - Issue 9

Worldwide Cryptocurrency Heists Tracker, Fault Injection Attack on the Trezor One, Attacking Firefox Renderer

Release Date: 22 Aug 2022 | Issue: 9

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋,

Hope you had a great weekend. I've been thinking about creating a curated board with some job positions that may be of interest to you. Would you be interested in it?


  • Articles: iOS Privacy: Announcing InAppBrowser.com - See what JavaScript commands get injected through an in-app browser, How I Hacked my Car, Building Your Own Historical DNS Solution with DNSx, GraphQL Security Testing Without a Schema, Worldwide Cryptocurrency Heists Tracker, Using Mutants to Improve Slither, The LDT: A Perfect Home for All Your Kernel Payloads, Wheel of Fortune Outcome Prediction: Taking the Luck out of Gambling, Detecting DNS Implants: Old Kitten, New Tricks - A Saitama Case Study, IDORs with Unpredictable IDs are Valid Vulnerabilities, Death from Above: Lateral Movement from Azure to On-Prem AD.

  • Vulnerabilities and Bug Bounties: Critical Local File Read in Electron Desktop App, Analysis of a Large-Scale Attack on Solana, Report on the Ronin Network Exploit and AML Analysis of Stolen Funds, Replicant: Reproducing a Fault Injection Attack on the Trezor One, You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications, Security Implications of URL Parsing Differentials, Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS, But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer.

  • Resources:

    • Videos: Protocol Wars: Solana (w/ Halborn)

    • Podcasts: Jack Rhysider on podcasting, plot twists and infosec burnout, Malicious Life: A CISO's Nightmare - Israel Baron on Railway Security.

    • Repositories: Oralyzer, BlueHound, trivy, Sandman, STrace, DC30_Workshop, wtfis.

    • Security Tips: Current active crypto scams running on Twitter, GitHub Dorks to find sensitive content, Exploiting XSS without HREF or ON, Cheat Sheet on Digital Forensics and Incident Response.

  • Tags used in this issue: #appsec, #hardware-hacking, #incident-response, #privacy, #red-team, #research, #smartcontracts

iOS Privacy: Announcing InAppBrowser.com - See what JavaScript commands get injected through an in-app browser #privacy

Felix Krause has created InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering a website. The article is an interesting journey through different iOS apps that have their own in-app browser and what actions are executed once a website is loaded through them:

iOS apps analyzed


How I Hacked my Car Pt. I | Pt. II #research

Interesting series on how Luigi was able to hack the In-Vehicle Infotainment (IVI) system on his 2021 Hyundai Ioniq SEL and how he later installed a backdoor through a script used to run Guider, a Python-based performance analyzer tool.

Building Your Own Historical DNS Solution with DNSx #research

Ben Bidmead (@pry0cc) uses the skeleton of pdiscovery-bot to build a basic historical DNS bot that continuously enumerates newly created domains and alerts the user about them.

GraphQL Security Testing Without a Schema #appsec

One of the major problems when reviewing the security of a GraphQL component is getting good coverage of the exposed functionality (assuming introspection is disabled). Alex Leahu from Forces Unseen has added functionality to their GraphQuail Burp Suite extension, which aims to solve this problem by observing GraphQL API requests going through Burp and building an internal GraphQL schema with each new query it sees.

Worldwide Cryptocurrency Heists Tracker #smartcontracts

Over the years, hackers have exploited vulnerabilities in smart contracts, stealing the equivalent of over $7 billion. This article explores how crypto heists have developed over the years and which have been the biggest crypto heists to date (based on the amount stolen in USD at the time).

Amount Stolen and number of Crypto Heists by year


Using Mutants to Improve Slither #smartcontracts

Improving static analysis tools can be difficult. One approach used to create new rules and improve the engine used by static analyzers is to reuse the deep knowledge gathered from smart contracts and their security vulnerabilities, the experience obtained through security assessment, etc. However, this approach is not always as efficient as you may like. This article details an alternative approach suggested by Alex Groce: using mutants to introduce bugs into a program and observing whether the static analyzer can detect them.

The LDT, a Perfect Home for All Your Kernel Payloads #research

With the broad adoption of Kernel Address Space Layout Randomization (KASLR) by modern systems, obtaining an information leak is a necessary component of most privilege escalation exploits. This post will cover an implementation detail of XNU (the kernel used by Apple’s macOS) which can eliminate the need for a dedicated information leak vulnerability in many kernel exploits. Using the Pwn2Own 2021 kernel exploit as a real-world example, the author shows how this exploit could be simplified to use the general techniques described in this article, removing the need for its previously tedious leak construction.

Wheel of Fortune Outcome Prediction - Taking the Luck out of Gambling #research

The author explores a particular variant of the casino game Wheel of Fortune, where the wheel is spun manually by a croupier and not by an automated system. Typically, pseudo random number generators (PRNGs) are one of the main targets when it comes to game security assessments. However, there is not a PRNG in this case. Apparently, the randomness relies on the number of times the croupier spins the wheel, which, in turn, depends on their arm strength among other properties. Interesting article that explores how this casino game was predictable enough to make a profit in the long run.

Detecting DNS implants: Old kitten, new tricks - A Saitama Case Study #red-team #incident-response

A malware sample dubbed ‘Saitama’ was recently uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. This blog documents the development of a Saitama server-side implementation, as well as several approaches to be able to detect DNS-tunneling implants.

IDORs with Unpredictable IDs are Valid Vulnerabilities #appsec

IDORs are a common vulnerability that gets reported quite frequently; however, you may have experienced how difficult it can be to demonstrate their impact when dealing with unpredictable IDs. This article explores some techniques and services that can be used to demonstrate impact on IDOR vulnerabilities when the IDs are unpredictable.

Death from Above: Lateral Movement from Azure to On-Prem AD #red-team

Andy Robbins has been researching Azure attack primitives to gain a better understanding of how the system works, what privileges and permissions can be abused, and what attack paths present themselves in real environments. This article explains how we could abuse Microsoft Endpoint Manager to move laterally from an Azure tenant to an on-prem AD domain.

Critical Local File Read in Electron Desktop App #appsec

Renwa found a Local File Inclusion affecting the Asana Desktop application, which allowed him to read any file the user running the Asana Desktop application had access to if redirected to a malicious URL. Using the asanadesktop:// custom URL scheme, Renwa was able to trick the current webview implementation and force it to load arbitrary sites. From here, Renwa figured out how to extract a user's username to provide a controlled path to any local file on a user's computer and increase the impact of this vulnerability by combining an open redirect with a local file inclusion.

Analysis of a Large-scale Attack on Solana (Part 2) #smartcontracts

Earlier in August, an attack on the Solana blockchain caused many users' SOL and SPL tokens to be transferred without their knowledge. This article covers part of the work done by the SlowMist team on deciphering what happened that day.

Event timeline analysis


Report on the Ronin Network Exploit and AML Analysis of Stolen Funds #smartcontracts #incident-response

Back on March 29th, a total of $610 million was stolen from the Axie Infinity sidechain, Ronin Network. The attacker used compromised private keys to establish withdrawals and siphon funds from the Ronin Bridge in just two transactions. This article focuses on the exploit used against the Ronin network and the analysis of stolen funds.

Ronin Bridge Exploiter Event timeline


Replicant: Reproducing a Fault Injection Attack on the Trezor One #hardware-hacking

There has been a lot of public work in recent years surrounding the security of cryptocurrency wallets. Much of this work has been in the realm of fault injection, to find a fault that allows one to modify the device's behavior to grant an attacker escalated levels of access. This article aims to provide a road map and example of how to replicate a fault injection attack and the hurdles and shortcomings that can occur when attempting to do so.

You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications #appsec

Eugene 'spaceraccoon' Lim demonstrates how flawed RFC implementations led to new vulnerabilities in popular applications such as Apple Calendar, Google Calendar, Microsoft Outlook, and VMware Boxer. Attackers can trigger exploits remotely with zero user interaction due to automatic parsing of event invitations. Additionally, Eugene explores how iCalendar's integrations with the SMTP and CalDAV protocols enable multi-stage attacks.

Security Implications of URL Parsing Differentials #research

Thomas Chauchefoin from Sonar found an issue arising from how the HTTP server Apache2 and modern web browsers parse URLs differently. This article details how differential URL parsing bugs can occur and what URL parser libraries are affected, using a recent bug discovered in mod_auth_openidc, a popular Apache2 module, to give readers a real-life example of this pattern and show how to detect similar vulnerabilities in similar applications.

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS #research

Detailed article on the vulnerabilities reported by Orange Tsai affecting Microsoft IIS and the Hash Table implementation and its usage.

But You Told Me You Were Safe: Attacking The Mozilla Firefox Renderer (Part I) #research

At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in JavaScript (a memory-safe programming language). In this article, the author looks at CVE-2022-1802, a prototype pollution vulnerability in the await implementation.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

⌨️ Repositories

  • r0075h3ll/Oralyzer — A simple Python script that probes for Open Redirection Vulnerabilities in a website.

  • zeronetworks/BlueHound — Open-source tool that helps blue teams pinpoint the security issues affecting their internal infrastructure. BlueHound reveals the paths attackers would take if they were inside your network.

  • aquasecurity/trivy — Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.

  • ldov31/Sandman — A backdoor meant to work on hardened networks during red team engagements. It works as a stager and leverages NTP (protocol to sync time & date) to download an arbitrary shellcode from a pre-defined server.

  • mandiant/STrace — A DTrace on Windows syscall hook reimplementation.

  • mainframed/DC30_Workshop — DEFCON 30 Mainframe buffer overflow workshop container.

  • pirxthepilot/wtfis — A command line tool that gathers information about a domain or FQDN using various OSINT services.

  • forcesunseen/graphquail — Burp Suite extension that offers a toolkit for testing GraphQL endpoints.

  • 0xricksanchez/like-dbg — Fully dockerized Linux kernel debugging environment.

🎙️ Podcasts

  1. We're In! Ep. 22: Jack Rhysider on podcasting, plot twists and infosec burnout — Four years ago, Jack Rhysider quit his job as a security engineer to move full time into the storytelling business. His podcast, Darknet Diaries, now boasts tens of millions of total downloads and has explored cybersecurity topics from Stuxnet to the collapse of cryptocurrency exchange Mt. Gox.

  2. Malicious Life: A CISO's Nightmare - Israel Baron on Railway Security — Railway systems are a mess of old systems built on top of older systems, running ancient operating systems, and exposing their most sensitive inner workings to commuters via WIFI. Why are railway systems so difficult to defend, and what are the most probable attack vectors against them? Nate Nelson, our senior producer, speaks with Israel Baron, Israel Railway's first ever CISO.

💡 Security Tips

  • @Serpent on currently active crypto scams running on Twitter.

  • @therceman on a list of GitHub Dorks to find sensitive content.

  • @PortSwiggerRes on exploiting XSS without HREF or ON.

  • @sansforensics and their cheat sheet on Digital Forensics and Incident Response.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews