bookmark_borderCC7F Round 1., during Hacktivity 2021

In a joint project we step to the next level with two rounds of CCTF. Harder challenges and highers prices wait for the players.

You can read more about us in the media:

https://finance.yahoo.com/news/cctf-organizers-awalcon-cryptall-partner-131600682.html

https://markets.businessinsider.com/news/stocks/cctf-organizers-awalcon-and-cryptall-partner-with-ecox-to-host-the-largest-blockchain-hacking-event-so-far-1030838702

bookmark_borderPublic Smart Contract Audit: Next Earth, part 1.

Overview

The Next Earth project requested a smart contract code security audit.

Start date of the audit: 2021.07.06.

Report date: 2021.07.07.

Project website: https://nextearth.io/

Platform: Solidity / Ethereum

Audited commit: 4bac0998cac7e19a3a5370c997551ba71bb82d57

Smart contracts in scope:

  • NFT.sol
  • Payment.sol
  • Presalse.sol
  • PriceFeed.sol

Imported smart contracts:

  • @chainlink/contracts/src/v0.6/interfaces/AggregatorV3Interface.sol
  • @openzeppelin/contracts/access/AccessControl.sol
  • @openzeppelin/contracts/access/Ownable.sol
  • @openzeppelin/contracts/security/Pausable.sol
  • @openzeppelin/contracts/token/ERC721/ERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol
  • @openzeppelin/contracts/utils/cryptography/ECDSA.sol

Overall result: pass

Auditor: six ~ PGP 450F 4AC8 0BD8

Objective and methodology

The objective of the security assessment is to gain insight into the security of the smart contracts listed in the scope.

Code review main check items:

  • Line-by-line audit
  • Business logic
  • Data consistency
  • Coding style violations
  • Gas usage
  • Reentrancy

Automated tools:

Further documents incorporated in the methodology:

Audit results

Critical severity

No cricitcal severity issue have been found during the manual code review or by using automated tools.

High severity

No high severity issue have been found during the manual code review or by using automated tools.

Medium severity

No medium severity issue have been found during the manual code review or by using automated tools.

Low severity

Presale.sol | Creation of unintended packs in setPackPrice()

Description and impact

At line61 it is specified that we have packages from 1 to 5, but in the setPackPrice function at line120, it allows to pass zero or any positive number up to 2**32-1 for _type and 2**256-1 for price.

Logic says, that would be also an integer overflow, but from Solidity compiler version 0.8.0, overflowing transactions get reverted automatically.

This vulnerability allows the creation of packages against the intentional logic of the project.

This is only a low level vulnerability as onlyOwner is used and it can’t be exploited by others.

Line 61.:

require(packType >= 1 && packType <= 5, “invalid pack type”); // we have 5 pack types from 1 to 5

Line 120.:

function setPackPrice(uint32 _type, uint256 price) external onlyOwner {

packPrices[_type] = price;

}

Proposed solution

You could use a require statement checking the type (and preferably the price too) before setting the price for a pack.

Presale.sol | Unused code, todo, typo

Description

Payment.sol, line36.

// TODO can we do this pull over push?

Presale.sol, line 88.

// uint256 contractShare = msg.value – charityShare – comissionShare; // not used, need to remove it

NFT.sol, line 42.

// happens against a signle single user…

Presale.sol, multiple lines:

comissionCode” → “commissionCode”

Proposed solution

Update the mentioned points.

NFT.sol | Minting functions can go above gas limit

Description

The issue was acknowledged by the project before the audit.

Function safeMint from line 35. and function safeMintTo() from line 49. can go above the gas limit if tokenIds.length becomes too big.

Proposed solution

Implement limits, don’t let users break themselves.

Lack of README file

Description

The project does not have a README file or documentation.

Proposed solution

Provide a clear documentation and use more comments.

Lack of comments regarding functionality

Description

The smart contracts have comments at some critical points, but not about the functions or general code logic.

It is also recommended to add NatSpec to the code.

Proposed solution

Follow the Solidity Coding style guide.

https://docs.soliditylang.org/en/latest/style-guide.html

Contact

Awalcon – six

Website: https://awalcon.org/

E-mail:six@awalcon.org

Telegram/Signal: +36 20 256 4090

Git: https://git.hsbp.org/six

PGP: B1F7 B1D6 8838 98B4 2212 1D90 CA71 D1E4 078E 99C5

bookmark_borderCCTF 5 Writeups – Part 1.

RTFM (50 points)

As is the case with all CCTF editions, there’s a quasi-challenge that points people in the direction of the manual, and which is supposed to give an initial feel for how the search for a so-called flag goes. The accepted solution was one of the example flags shown in the manual.

Author: SI

unk (80 points)

A real, entry-level challenge. A file (named “unk”) was presented. It appears to be a damaged Microsoft Word document. A Word document is actually a Zip archive containing things like XML and thumbnail image files. Different Zip implementations work differently on damaged archives; e.g. GNU Zip was able extract the damaged Zip archive to a sufficient extent. The flag was in the thumbnail image. — Sometimes thumbnails are not in sync with the working text of the document, and may contain sensitive data: snapshots of rendered text that was deleted.

Author: SI

CryptoFriend (80 points)

Another entry-level challenge. A file was presented under the name “a_friend.zip”. This was also an invalid Zip archive.

tl;dr: the file turned out to be a concatenation of a Zip archive and a PNG image, where the latter contained the flag. But on to the goose chase leading to this discovery:

E.g. FreeBSD’s Zip implementation extracted a single “a friend.docx” file. This file was a valid Word document which read “i hid my location, come help me”. OK, let’s do this.

No, the thumbnail didn’t contain a flag. According to metadata in the document, the document was prepared by Kevin Chung on 2017-09-11. Let’s find this guy. Searching the internet for his contact information, cryptocurrency addresses, etc, but most importantly, flags, it came to light that he’s behind CTFd, the web application powering the CCTF contest’s portal — the plot thickened. He also runs a blog. One of his blog posts, dated closest to 2017-09-11, really contains a string of the form “FLAG{…}”. Tough luck: wrong answer. In fact, Kevin Chung appeared the same way in the “unk” challenge. So this was a witch hunt.

One other thing was eye-poking: potentially subliminal data in the Word document’s XML attributes, e.g. “paraId="3B2827CE"” — is there real content embedded in these IDs, or is this totally random crap?

The “a_friend.zip” file was actually ~19MiB in size, while the extracted “a friend.docx” was only ~24KiB, so it makes more sense that the flag was to be hidden outside the latter. Inspecting the file (using tools like: strings, hd, etc), one could stumble upon the following:
• There was EXIF data containing latitude–longitude coordinates. However, those pointed to Andromeda, so this lead had to be scrapped as well.
• There was an EXIF user comment with a code of some sort: “FM0 FC000000000:zzzzzz1 f144 078043881a29e1e816c14c0 bac 87152…”. Well, whatever.

Upon further inspection, it was then apparent that the EXIF structure was actually part of a PNG image that appeared without compression in the “a_friend.zip” file.

Author: SI

Vault (100 points)

Given some smart contract — the source code and a deployed instance, displayed by the etherscan.io service —, the task was to determine the correct call to the contract that would exfiltrate the 0.1337 ETH (of the Ropsten test network kind) from the contract.

In the constructor, the `pin` variable was initialized with the value of `block.timestamp % 10000`, and then never changed. And there was the fund retrieval function taking a single number argument, which would compare the number against the `pin` variable. The latter just signifies that we were looking for the value of `block.timestamp` at the time of construction.

There were multiple techniques to tackle this problem:

• A hacky approach was to try to call the contract with every possible value from 0 to 9999, and see which worked — after all, this was on Ropsten, a gas giant.
• There are many tools to interact with deployed contracts, including to read values of global variables. The `pin` variable was private, so if a particular tool didn’t permit reading the value directly, it was conceivable to trick the tool into thinking that the contract’s source code / ABI was slightly different: where the `pin` variable wasn’t private.
• The smart solution was to note the date and time when the contract was created (corresponding to when the block, that included the creating transaction, was mined), and convert it to seconds-since-the-Epoch.

Author: SI

bookmark_borderGoogle Chrome zero-day vulnerability

Google has introduced an update to the Chrome browser and released a second patch within a month that fixes five vulnerabilities, including a zero-day vulnerability. One of the most important bugs can be traced as CVE-2021-21193 and affects the Windows, Linux, OS X versions of the browser.

This vulnerability was detected by an anonymous user, and through this bug an attacker can execute arbitrary code on the target system. The measuring of this error is  8.8 out of 10 on the CVSS scale. To avoid this security issue, update your Google Chrome browser at Settings -> Help -> About.

Why the browsers?
Browsers tend to evolve faster in many organizations than other applications, and browsers are a great way to reap the benefits, and attackers continue to target them because they continue to be excellent entry points for endpoint threats within the organization. In addition, the extensions are usually updated less frequently and require hardening to prevent further attacks.

What is a zero-day vulnerability?
Timing is most important here. The moment the flaw becomes known, hackers around the world can try to exploit it. Overall, programmers have zero days to find a solution to the issue, henceforth the term “zero-day vulnerability”.

This can take almost any form, such as missing data encryption, buffer overflows, missing permissions, SQL injection, broken algorithms, URL redirects, errors, or password security issues.

How protect yourself?
Here are some tips to help protect your business from these types of attacks:

Be informed: pay attention to software vendor spending, it may be time to take advantage of security measures or respond to threats before taking advantage of them

Take additional security measures: consider seeking the assistance of an experienced professional, as the safety measures mentioned above are not sufficient to fully protect you.

Keep your system up to date: make sure your software platforms are up to date. The best solution is to allow automatic updates so that the software is updated regularly without any manual intervention.

bookmark_borderA global start from Estonia

Awalcon becomes global in 2021. If you haven’t followed us during the first year, here are some active projects we are working on:

Awalcon Information Security and Blockchain Services

HODLBag DAO (will be presented first around mid-January)

CryptoCurrency (is) The Flag – CTF game, in a collaboration with our partners

CryptoZSH – Tools and configuration for ZSH users

2020 was not an easy year, but with clear goals and enthusiast people around, growth occurs even in the hardest times.

We are looking forward to go global in 2021!

bookmark_borderMVP presentation: Information security for Bács-Kiskun region

The recording is available in Hungarian language. The Awalcon presentation by six starts at 35 minutes:

https://mkik.videosquare.eu/hu/recordings/details/7358,Modern_Vallalkozasok_Programja_-Munkaszervezes_2.0-Tav-_es_csoportmunkat_tamogato_eszkozok_IT_biztonsagi_kockazatok-_Bacs-Kiskun_megye

In Hungary, most of the companies are just getting started with information security. Our goal is to support them to implement more secure systems, both from human and technical point of views: IT security awareness, policies, audits, penetration testing, cryptography and the Awalcon Certification system.

The presentation covers an introduction to IT and Information Security. We start from the topic of homeoffice and arrive to enterprise networks.

bookmark_borderCCTF3 – The official CTF game of Bday 3.0

CCTF is organized the third time, now for Bday 3.0 (Blockchain Day) which is one of the largest cryptocurrency related event in Central-Europe.

CCTF is a “Capture The Flag” game where the participants need to hack realistic challenges related to cryptography and cryptocurrencies. The best ones will get rewarded by some presents and QARK tokens, offered by QAN.

If you would like to participate, you can do so by registering here: https://cryptoctf.org/

What about the previous CCTF events? An archive will be created including all the three of them after the last finishes. It will be available on the CCTF’s website.

Who creates these events? The founder of the CCTF project is six from Awalcon who initiated it in 2019 by calling fellow hackers into the project. It is a joint project where the creators include not just Awalcon, but also members from H.A.C.K. and this year Silur from QAN.

six speaking at BDAY3.0 conference

bookmark_borderData at risk (in Hungarian) – IT security for companies at times of home office

The “Modern Vállalkozások Programja” project invited six for conducting a professional workshop about IT security with the focus on home office.

You can find the video at the following link: MVP presentation

For Awalcon services listed in the MVP project, please follow this link.

bookmark_borderState of the Art Phishing @Hacktivity

October is the month for IT security conferences and we are participating on them, as always. The presentation “State of the Art Phishing” has been accepted and will be presented online between October 8-10. More information will be shared on Hacktivity’s website: https://hacktivity.com/

Mostly a technical talk, but there will be many attacks discussed which can give good examples on what to defend against for non-techies too.

If you would like to keep up with the infosec news, six is posting regularly on his Mastodon and Twitter accounts:

https://noc.social/web/accounts/15777

six’s twitter for #infosec news