Pwnie Awards 2014

Nominations for Pwnie Awards 2007

Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated or interesting server-side bug. This includes any software that is accessible remotely.

Nominees

  • Sendmail signal handler race condition (CVE-2006-0058)

    Discovered by: Mark Dowd

    The best bugs are the ones vendors call impossible to exploit until a researcher proves them wrong. The exploitation of the Sendmail signal handler race condition is complicated, but very interesting. Great quote from Eric Allman:

    ISS explained it to us and told us that they had managed to craft an exploit in their lab, but frankly we don't see how it can be practical. This literally requires nanosecond precision in the millisecond world of networking.

    For more exploitation details see the Matasano and Daily-Dave posts.

  • Solaris in.telnetd remote root exploit (CVE-2007-0882)

    Discovered by: Kingcope

    This mindblowingly simple vulnerability does not require any special hacking tools or shellcode. It can be exploited with nothing more than a standard telnet client and leads to instant root on Solaris 10 and 11. The best part is that the exact same vulnerability was reported to Bugtraq back in 1994. For more details see the original advisory and detailed analysis of the bug.

  • Microsoft DNS Server RPC interface buffer overflow (CVE-2007-1748)

    Discovered by: anonymous

    The stack overflow in the RPC interface of the Microsoft DNS Server was discovered by an anonymous researcher and was found in the wild in April 2007. It was the first vulnerability on Windows 2003 SP1 that was remotely exploitable by an unauthenticated user. Exploiting the bug is interesting because you have to bypass SafeSEH.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting client bug. In 2007 the term ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all those QuickTime bugs!

Nominees

  • Unhandled exception filter chaining vulnerability (CVE-2006-3648)

    skape & skywing

    This vulnerability allows the exploitation of any unhandled exception in Internet Explorer, including NULL-pointer dereferences. It was described in Exploiting the Otherwise Non-exploitable on Windows, published in Uninformed Vol. 4. Bugs like this happen once in a decade.

  • ANI buffer overflow (CVE-2007-0038)

    Discovered by: Alexander Sotirov, anonymous rediscovery

    The buffer overflow in the Windows ANI parser was discovered and reported to Microsoft in December of 2006. It was rediscovered in the wild three months later. This was one of the first remote code execution vulnerabilities in Windows Vista and had unique features that allowed for the bypass of all exploitation mitigations in Windows XP SP2 and Vista.

  • QuickTime Java extensions vulnerability (CVE-2007-2175)

    Discovered by: Dino Dai Zovi

    Dino Dai Zovi set a new land speed record by discovering and exploiting this vulnerability in less than 9 hours for CanSecWest's PWN2OWN challenge. The bug was exploitable on Windows and OS X via Internet Explorer, Firefox and Safari. For more details check out the following interview.

  • RSA signature forgery for a public exponent of 3 (CVE-2006-4339)

    Discovered by: Daniel Bleichenbacher

    When the RSA keypair had a public exponent of 3, a common implementation error in the PKCS#1 v1.5 signature encoding used in X.509 certificates could be abused to forge signatures from that key. A number of trusted root certificate authorities used 3 as the public exponent, and several common SSL implementations, including OpenSSL and Firefox, were vulnerable to this attack, opening up users to SSL interception, phishing, and forged client certificate authentication.

Pwnie for Mass 0wnage

Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as the ‘Pwnie for Breaking the Internet.’

Nominees

  • QuickTime scripting bug used in a MySpace worm (CVE-2007-0059)

    Discovered by: pdp, int3l, |)ruid

    The MySpace worm used a combination of a QuickTime cross-domain scripting vulnerability discovered in September 2006 by pdp and a MySpace CSS navigation replacement bug found by int3l and |)ruid. The worm was simple, but the number of affected users was very high.

  • ANI buffer overflow exploitable through IE and Firefox (CVE-2007-0038)

    Discovered by: Alexander Sotirov, anonymous rediscovery

    The buffer overflow in the Windows ANI parser was discovered and reported to Microsoft in December of 2006. It was rediscovered in the wild three months later and led to massive exploitation due to the availability of highly reliable and completely silent exploits. Both Internet Explorer and Firefox were affected, although the public exploits targeted only IE.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

Nominees

  • Temporal Return Addresses

    skape

    Using timers and tick counters as shellcode opcodes? We'll just have to wait until 2010 to see some awesome exploits. Published in Uninformed Vol. 2.

  • Attacks on Uninitialized Local Variables

    Halvar Flake

    Halvar's seminal work on exploiting uninitialized variables raised awareness of this class of bugs and inspired many other researchers. Presented at BlackHat Federal 2006.

  • Heap Feng Shui in JavaScript

    Author: Alexander Sotirov

    Taking heap exploitation one step further through JavaScript heap manipulation. Presented at BlackHat EU 2007.

  • Exploiting Embedded Systems at CanSecWest 2007

    Author: Barnaby Jack

    Great work on attacking embedded devices, including a new exploitation technique specific to ARM devices. Presented at CanSecWest 2007.

  • Automated vulnerability auditing in machine code

    Author: Tyler Durden

    The academic community might be familiar with the concepts described in this article, but its thoroughness and readability are unique in the field. This paper is an awesome mix of intermediate language translation, dataflow analysis, control flow analysis, and especially abstract interpretation. Published in Phrack 64.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

Nominees

  • BMC Performance Manager SNMP Command Execution (CVE-2007-1972)

    BMC

    The vulnerability was discovered by an anonymous researcher and reported to BMC by TippingPoint. The response was priceless:

    BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however the issues will be addressed at our own discretion and according to our understanding of their severity.

    Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally. For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC's support mechanism.

  • OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)

    OpenBSD team

    The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a "reliability fix" for it. A week later, Core Security had developed proof-of-concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory.

  • Detection bypass in Norman Antivirus (CVE-2007-3952)

    Norman

    The detection bypass vulnerability in all Norman Antivirus products was discovered and reported by Sergio Alvarez. Here's the vendor response:

    We have discussed your mail. It is not our company's policy to publish information about vulnerabilities or bugs in our software, unless they are extremely critical and/or can be worked around by the end-user. There are usually a large number of vulnerabilities/bugs in any software, and in our opinion it would only serve to unsettle user confidence in the products if the industry continually feeds information about such weaknesses, and we don't see that it would give the user any benefit in return.

    Instead we feel that it should be the supplier's responsibility to correct any errors and weaknesses and have them released to the user fast and silently, without alerting also the malware industry.

    Hence, there is no forum where we can credit you for your findings.

  • EnCase vulnerabilities reported by iSEC

    Guidance Software

    The full details of the vulnerabilities will be presented at BlackHat USA. The response from Guidance Software is great:

    Moreover, the issues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any "vulnerabilities" or "denials of service" exposed by this report.

Pwnie for Most Overhyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

Nominees

  • BluePill

    Joanna Rutkowska

    Joanna Rutkowska presented the virtualization based rootkit called BluePill at SyScan and BlackHat USA 2007. It was quickly labeled "100% Undetectable Malware" in the press, but the sky failed to fall. BluePill detection techniques are being presented this year at both SyScan and BlackHat USA.

  • MacBook Wi-Fi Vulnerabilities

    David Maynor

    David Maynor demonstrated exploiting a remote vulnerability in a third-party wireless driver for an Apple MacBook in a video shown at BlackHat USA and DefCon 2006 and mentioned that Apple's built-in wireless drivers also had security problems. Two months later, Apple released security updates to the wireless drivers without crediting Maynor, claiming that he had never provided evidence of any vulnerabilities within the Apple-supplied wireless drivers and that the updates were the result of a proactive security audit. Maynor presented at BlackHat DC 2007 in February, showing his e-mails to Apple explaining how to set up an 802.11 fuzzing machine and demonstrating a remote kernel panic triggered over 802.11. In the end, the only public information about Maynor's Wi-Fi vulnerabilities is hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor's findings.

  • www.exploitingiphone.com

    Charlie Miller, Jake Honoroff, Joshua Mason

    New York Times, CNBC, Fox, Reuters, a dedicated domain name? All this for a Safari vulnerability? The blind shellcode development technique described in the paper is cool, but the vulnerability does not deserve so much hype.

Pwnie for Best Song

What kind of award ceremony does not have an award for best song? Let's see if anybody can beat Derek's 'Twas the Night Before Christmas.

Nominees

  • Symantec Revolution

    Symantec

    We've got your personal firewalls,
    security is where we stand tall.
    Our brands are known for quality,
    guaranteed to help you succeed!

    We're the leader in Internet security
    People trust our work implicitly
    This world wide conference is to prove Symantec's hot hot hot!
    So raise the roof.

    Symantec Revolution! We're giving you sweet solutions!

  • Set I.T. Managers Free

    Intel

  • Trade Secrets

    Spamtec

    SpamAssassin scores zero in our header. Got so many bots...each one is a proxy...

    So make sure that you don't get it backwards...we some straight hackers...intercepting packets...yeah.

  • Let's talk about Sec

    anonymous

    This was pasted into a channel sometime this year. Author unknown.

    CHORUS
    Let's talk about sec baby
    Let's talk about tcp, ip
    Let's talk about all the good codez
    And the bad codez that may be
    Let's talk about sec
    Let's talk about sec
    Let's talk about sec
    Let's talk about sec

    Let's talk about sec for now to the geeklez at home or in the #
    It keeps coming up anyhow
    Don't decoy avoid or make void the topic
    Cuz that ain't gonna stop it
    Now we talk about sec on the radio and video shows
    Many will know anything goes
    Let's tell it how it is, and how it could be
    How it was, and of course, how it should be
    Those who think it's dirty have a choice
    Pick up the needle, press pause, or turn the radio off
    Will that stop us, Pep? I doubt it
    All right then, come on, Spin

    CHORUS

    Hot to trot, make all the shells pop
    She use what she got to get whatever she don't got
    Servers fall like monkey balls, but then again they're only getting rooted
    The sploit is in too deep, no way it can get booted

    Gold, platinum, visa, and amex
    Nothin' too good for the servers she wrecks
    Her victims heads of state, men of taste
    Lawyers, doctors, no one was too great for her to root
    Or even mess with, the Prez she says was next on her list
    And believe me, you, it's as good as true
    There ain't a server alive that she couldn't get into
    She had it all in the bag so she should have been glad
    But she was mad and sad and feelin' bad
    Thinkin' about the things that she never had
    No love, just sec, followed next with a shell and a note
    That last night was dope

    Let's talk about sec, baby (sing it)
    Let's talk about you and me (sing it, sing it)
    Let's talk about all the good codez
    And the bad codez that may be
    Let's talk about sec (come on)
    Let's talk about sec (do it)
    Let's talk about sec (uh-huh)
    Let's talk about sec

    Ladies, all the ladies, louder now, help me out
    Come on, all the ladies - let's talk about sec, all right
    (repeat)

    CHORUS

Calendar

Aug 3: The list of nominees is announced.
Aug 6: Awards ceremony at the BlackHat USA conference in Las Vegas.

Awards Ceremony

When: 6:30pm, Wed, Aug 6th 2014
Where: BlackHat USA conference, Mandalay Bay, Las Vegas