Pinkie Pie’s Pwnium Exploit

Credit: Pinkie Pie

The Pwnie Award judges were the original bronies. In a blatant attempt at currying their favor, Pinkie Pie chose a handle near and dear to their hearts. How did he know that Pinkie Pie was our favorite? Just slightly less impressive than this feat of clairvoyance was Pinkie Pie’s exploit chain of six bugs that got him full remote code execution in Chrome to win Google’s Pwnium competition at CanSecWest.

Sergey Glazunov’s Pwnium Exploit

Credit: Sergey Glazunov

Not to be outdone by Pinkie Pie, Sergey’s Pwnium exploit took advantage of at least 14 bugs (The Chrome security team apparently lost count after that — numbers are hard). In another show of one-upmanship, he chose a handle of an extremely obscure My Little Pony.

MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE-2011-3402)

Credit: Duqu Authors

As seen in “Stuxnet 2: Electric Duquloo”, this 100% reliable kernel-mode remote code execution exploit could rootkit any version of Windows ever from a font file embedded in a web page or various other file formats. What else could you possibly want from a client-side vulnerability? A cookie?


Flash BitmapData.histogram() Info Leak (CVE-2012-0769)

Credit: Fermin Serna

Fermin demonstrated and documented in exquisite detail how to turn a lossy out-of-bounds memory read vulnerability into full chosen-address memory disclosure. He showed how proper heap manipulation and creativity can build a limited exploitation primitive into a much more powerful one. Oh right, we are supposed to make jokes about these. Too bad nothing actually runs Flash.


iOS Code Signing Bypass (CVE-2011-3442)

Credit: Charlie Miller

Hackers are always looking for interesting ways around “the system”, whichever one that may be. In this case, Charlie Miller hatched this get-rich-quick idea:

  1. Write a stock quote app for iOS and put it on the AppStore
  2. Discover a code signing bypass that allows third-party apps to dynamically download and execute code and use this in his rogue app
  3. Entice himself to download the app
  4. Download and inject code into the app to spy on the list of stocks that he was using the app to get quotes for
  5. Make lucrative trades based on this valuable information

Unfortunately, before Charlie could profit sufficiently from this information, he talked to the press about his ingenious plot. Apple subsequently pulled his app from the AppStore and from his own iPhone that had installed it (the only user of the app), as well as banned Charlie from the iOS Developer Program for one year. By doing this, Apple kept Charlie safe from himself for the entire next year.


TNS Poison Attack (CVE-2012-1675)

Credit: Joxean Koret

Oracle TNS Listener vulnerabilities bring a tear to our eye. Joxean’s attack is basically the forbidden love child between DNS poisoning and those classic TNS Listener vulnerabilities, allowing you to MITM connections to the database from across the Internet.


ProFTPD Response Pool Use-after-Free (CVE-2011-4130)

Credit: Anonymous

Wait, use-after-free bugs exist outside of web browsers? Shame on them for trying to monopolize that bug class. Anyway, this post-auth use-after-free gets you remote code execution on ProFTPD. And that’s what dreams are made of. Well, that and puppy tears. Ours are, anyway.


“Are we there yet?” MySQL Authentication Bypass (CVE-2012-2122)

Credit: Sergei Golubchik

On vulnerable versions of MySQL, simply asking to authenticate enough times is enough to bypass authentication: “Can I log in as root now?”
“How about now?”
“Now?”
For actual details, check out Pwnie Judge extraordinaire HD Moore’s blog post.

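Added example (not code from the Pwnies page or from the MySQL source tree): the root cause behind the keep-asking trick is a comparison result narrowed into MySQL's `my_bool`, which was a plain `char`, so a non-clamped `memcmp` result such as 256 truncates to 0 and reads as "match". The block shows the vulnerable check beside its fixed form; `word_memcmp` is a constructed stand-in for an optimised `memcmp` that does not clamp to -1/0/1, and the hash bytes are constructed too.

```c
#include <string.h>

#define HASH_SIZE 20   /* length of the SHA-1 stage-2 hash being compared */
typedef char my_bool;  /* MySQL's my_bool was a plain char */

/* Constructed model of an optimised memcmp: compares two bytes at a time and
 * returns the raw difference of the first differing 16-bit words. The C
 * standard only guarantees the sign of memcmp's result, so 256 is legal. */
static int word_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = a[i] | (a[i + 1] << 8);
        int wb = b[i] | (b[i + 1] << 8);
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Vulnerable shape: the int result lands in a char, so +/-256 truncates to 0,
 * which the caller reads as "hashes match". Non-zero means mismatch. */
static my_bool check_scramble_vuln(const unsigned char *s, const unsigned char *c)
{
    return word_memcmp(s, c, HASH_SIZE);
}

/* Fixed shape: collapse the result to exactly 0 or 1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *s, const unsigned char *c)
{
    return word_memcmp(s, c, HASH_SIZE) != 0;
}

/* Builds a constructed stored hash and a wrong candidate that differs only in
 * byte `idx` (incremented by one); idx >= HASH_SIZE leaves them identical.
 * Returns 1 if the chosen check would accept the candidate. */
static int accepted(size_t idx, int use_fixed)
{
    unsigned char stored[HASH_SIZE], cand[HASH_SIZE];
    memset(stored, 0x42, HASH_SIZE);
    memcpy(cand, stored, HASH_SIZE);
    if (idx < HASH_SIZE)
        cand[idx] += 1;
    my_bool mismatch = use_fixed ? check_scramble_fixed(stored, cand)
                                 : check_scramble_vuln(stored, cand);
    return mismatch == 0;
}

int accepted_by_vuln(size_t idx)  { return accepted(idx, 0); }
int accepted_by_fixed(size_t idx) { return accepted(idx, 1); }
```

With the difference in byte 1 the word comparison yields -256, which the vulnerable check narrows to 0 and accepts, while the fixed check still rejects it; a difference in byte 0 is rejected by both.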

WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)

Credit: Mark Maunder

Here’s a tip from some old hands at this game: if the software is named after the author’s first name, it is likely INSECURE AS ALL HELL. This design error is a case in point. Download files from attacker-specified URLs into a cache directory inside the webroot? Sounds like a great idea to me.


Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)

Credit: Rafal Wojtczuk

It looks like Intel’s x64 SYSRET instruction operates differently enough from AMD’s x86_64 standard (some people call this “wrong”) that an OS written to the AMD standard running on Intel processors includes a bonus privilege escalation feature. Namely, you can get the kernel (or hypervisor) to handle a SYSRET with a user-specified RSP. What could possibly go wrong?

Wait, everyone else is vulnerable too? Bonus in your attackers’ favor.
