Nominations for Pwnie Awards 2008

Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • Windows IGMP kernel vulnerability (CVE-2007-0069)

    Discovered by: Alex Wheeler and Ryan Smith

    Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

  • NetWare kernel DCERPC stack buffer overflow

    Discovered by: Nicolas Pouvesle

    At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

    This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

  • ClamAV Remote Command Execution (CVE-2007-4560)

    Discovered by: Nikolaos Rangos

    This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source anti-virus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command string. With open-source anti-virus products, Linus' Law clearly does hold: "Given enough eyeballs, all bugs are shallow", even the ones that we knew about fifteen years ago.
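    The following Python is an added illustration of the pattern this nomination describes; it is not ClamAV's own code (which is C), and the sendmail path, the address regex and the sample addresses are assumptions constructed for the example. It contrasts interpolating an untrusted recipient into a popen()-style command string, which a shell then parses, with validating the address against an allow-list and handing it to the program as a single argv element that no shell ever sees:

```python
from __future__ import annotations

import re
import shlex

# Conservative allow-list for a recipient address (constructed for this example).
# It is far stricter than RFC 5322 on purpose: no shell metacharacters, no
# whitespace, and no leading '-' (which a mail transport agent could parse as an
# option), so anything that passes is safe as a single argv element.
_RECIPIENT_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}$"
)

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; adjust for the target system


def sendmail_command_unsafe(recipient: str) -> str:
    """The pattern the nomination describes: the recipient is interpolated into
    one string that popen() would hand to /bin/sh. Returned, never executed here."""
    return f"{SENDMAIL} {recipient}"


def shell_tokens(command: str) -> list[str]:
    """Tokenize a command the way a POSIX shell would, keeping operators such as
    ';' and '|' as separate tokens, to show what /bin/sh would actually see."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_safe_recipient(recipient: str) -> bool:
    """Allow-list validation: accept only addresses matching _RECIPIENT_RE."""
    return _RECIPIENT_RE.fullmatch(recipient) is not None


def sendmail_argv_safe(recipient: str) -> list[str]:
    """Hardened form: validate the address, then return an argv list. Passing this
    list to subprocess.run() without shell=True execs sendmail directly, so no
    shell parses the recipient even if the validation were later relaxed."""
    if not is_safe_recipient(recipient):
        raise ValueError(f"rejected recipient address: {recipient!r}")
    return [SENDMAIL, recipient]


if __name__ == "__main__":
    # Constructed inputs: an ordinary address and one carrying a shell operator.
    for addr in ("alice@example.com", "alice@example.com; echo injected"):
        print("unsafe string ->", shell_tokens(sendmail_command_unsafe(addr)))
        try:
            print("safe argv     ->", sendmail_argv_safe(addr))
        except ValueError as exc:
            print("safe argv     -> rejected:", exc)
```

The two defences are independent: the argv list alone already prevents the shell from interpreting the address, and the allow-list additionally stops option injection and anything else the mail program itself might misinterpret.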

  • SQL Server 2005 (CVE-2007-4560)

    Discovered by: Brett Moore

    Just in time for the Pwnie nominations to close, Brett Moore and Microsoft bring you the first security bulletin affecting SQL Server 2005. This vulnerability, exposed to an unprivileged SQL user, occurs when SQL Server attempts to restore a corrupt database backup. The database backup may be hosted on a remote SMB or WebDAV server, making this a remote code execution exploit that can also be triggered through a SQL injection vulnerability.

    The best part is from Insomnia Security's advisory:

    SQL Server appears to use its own dynamic heap management, which makes exploitation different from a standard heap overflow. Using custom heap management routines means that the standard heap protection mechanisms are not in place.

    If this vulnerability wins a Pwnie, David Litchfield has promised to come up on stage and present it to Brett.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

  • Multiple URL protocol handling flaws

    Discovered by: Nate McFeters, Rob Carter, and Billy Rios

    Not just a few vulnerabilities, but an entire attack vector, URI protocol handler flaws pitted web browser and application vendors against each other as one web browser was exploitable through another and each vendor blamed the other for the vulnerability.

  • Slirpie

    Discovered by: Dan Kaminsky, RSnake, Dan Boneh

    Presented at Toorcon 2007, this attack used DNS rebinding to bypass the Same Origin Policy and build a tunnel into a remote network using only a lured web browser (and its associated grab bag of Web 2.0 technologies like Flash, Java, and JavaScript). This vulnerability can best be described as a design bug in Web 2.0, and we're all waiting for it to be fixed in Web 2.0 Service Pack 1.
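    The standard server-side mitigation for the rebinding described above is a strict Host header check: the rebound browser still sends the attacker's hostname in the Host header, so a server that only answers to its own names refuses the request no matter which IP address DNS resolved to. The following Python is an added example, not code from the Slirpie presentation or its authors; the hostnames in ALLOWED_HOSTS and the WSGI wiring are assumptions constructed for the example:

```python
from __future__ import annotations

# Names this service answers to (constructed for this example). Entries are
# lower-case; a non-default port must be listed explicitly.
ALLOWED_HOSTS = {"intranet.example", "intranet.example:8443"}


def split_host_port(host_header: str) -> tuple[str, str | None]:
    """Split 'name', 'name:port' or '[v6]:port' into (name, port); ('', None) if malformed."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return "", None
        name, rest = host[: end + 1], host[end + 1:]
    else:
        name, sep, rest = host.partition(":")
        rest = ":" + rest if sep else ""
    if rest == "":
        return name, None
    if rest.startswith(":") and rest[1:].isdigit():
        return name, rest[1:]
    return "", None


def normalize_host(host_header: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot, default ports dropped."""
    name, port = split_host_port(host_header)
    if not name:
        return ""
    name = name.rstrip(".")
    if port is None or port in ("80", "443"):
        return name
    return f"{name}:{port}"


def host_is_allowed(host_header: str, allowed: set[str] = ALLOWED_HOSTS) -> bool:
    """True only if the normalized Host header is one of our own names.
    An attacker-controlled domain that rebinds to our address fails this check."""
    normalized = normalize_host(host_header)
    return bool(normalized) and normalized in allowed


def reject_unknown_hosts(app, allowed: set[str] = ALLOWED_HOSTS):
    """WSGI middleware: refuse any request whose Host header is not ours before
    the application sees it."""
    def wrapper(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unrecognized Host header\n"]
        return app(environ, start_response)
    return wrapper


if __name__ == "__main__":
    # Constructed Host headers: legitimate forms and a rebinding attacker's domain.
    for hdr in ("intranet.example", "Intranet.Example:443", "attacker.example", "10.0.0.5"):
        print(f"{hdr!r:28} allowed={host_is_allowed(hdr)}")
```

The check belongs on every internal HTTP service, not just the gateway, because rebinding targets services the browser can reach directly by IP address.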

  • Safari carpet bomb (CVE-2008-2540)

    Discovered by: Laurent Gaffié, Nitesh Dhanjani and Aviv Raff

    Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user's configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and on Windows). This can be used for a variety of attacks. First, you can litter the user's desktop with files or drop malware onto their desktop, hoping that the user will click on it and run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term "blended threat" into the security vernacular.

  • Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2007-0071)

    Discovered by: Mark Dowd and wushi

    This vulnerability requires no introduction. Independently discovered by both Mark Dowd and wushi of team509, this vulnerability showed how what appeared at first to be just a NULL-pointer dereference could be manipulated into yielding reliable cross-version remote code execution. For an excellent summary of the vulnerability and a discussion of the proper handling of malloc() return values, see the Matasano blog.

    This vulnerability was also used in a mass SQL-injection assisted malware attack in late May 2008 that resulted in much security industry drama and at least a few stolen World Of Warcraft passwords. The fact that Adobe took 15 months to patch this vulnerability suggests that they believed it to be a non-exploitable NULL-pointer dereference. Oops.

  • QuickTime (CVE-2008-*)

    Discovered by: everybody and their mom

    No, this nomination is not for a vulnerability in Apple QuickTime, it is for QuickTime itself as a client-side vulnerability. A quick search of CVE entries yields 62 vulnerabilities in Apple QuickTime just in the last two years. The discoverer of the next QuickTime bug wins a free trip to the salad bar. Who would have thought that putting code originally written in the early nineties into a web browser would be a bad idea?

Pwnie for Mass 0wnage

Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as ‘Pwnie for Breaking the Internet.’

  • Windows IGMP kernel vulnerability (CVE-2007-0069)

    Discovered by: Alex Wheeler and Ryan Smith

    Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

  • An unbelievable number of WordPress vulnerabilities (CVE-2008-*)

    Discovered by: everybody who cared to look

    It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.

  • Debian's random number generator with 15 bits of entropy (CVE-2008-0166)

    Discovered by: Luciano Bello

    The crippled OpenSSL random number generator in Debian led to numerous weak SSL and SSH keys, allowing attackers to break RSA encryption on an unprecedented scale. Since the flaw was announced, Luciano Bello, Maximiliano Bertacchini, and Paolo Abeni have released a patch to Wireshark that decrypts SSL sessions (bypassing PFS) that involve one of the weak keys.

  • XSS of the entire web for users of Earthlink, Comcast and Verizon

    Discovered by: Dan Kaminsky

    Dan Kaminsky discovered that many ISPs that hijack non-existent domains to serve ads are vulnerable to cross-site scripting attacks, allowing an attacker to compromise any website on the Internet. Dan gets bonus points for using a Rickroll to demonstrate the bug.

  • SQL injection in more than 500,000 web sites

    Discovered by: Rain Forest Puppy back in 1998

    SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Application-Specific Attacks: Leveraging the ActionScript VM

    Mark Dowd

    Mark Dowd exploited a NULL pointer dereference in the Flash runtime to desynchronize the ActionScript bytecode verifier, inject malicious bytecode instructions and finally execute x86 shellcode. The combination of techniques used by Dowd is beyond anything seen before. The details of the exploit are published in a 25-page paper and explained for non-exploit writers in a Matasano blog post.

  • Splitting Gemini

    Adam Cecchetti

    This talk demonstrates a post-root technique for altering the OS scheduler to remove and control a core from a multi-core CPU. The ability to completely control both the scheduler and an entire core puts an attacker in a unique and defensible position for maintaining access to a system.

  • Lest We Remember: Cold Boot Attacks on Encryption Keys

    J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten

    This paper proved that DRAMs used in most modern computers retain memory contents after powering off, including data like passwords and encryption keys, for much longer than most people believed. The authors developed new techniques for recognizing and recovering encryption keys even after some bits have been lost due to memory decay. The impact of the research was demonstrated with software to break the full disk encryption implementations on Windows, OS X and Linux.

  • Defeating a VM packer with a decompiler written in OCaml

    Rolf Rolles

    This work describes an innovative attack on virtualizing protections. The idea is to create a compiler with a poly/metamorphic front-end that deobfuscates and recompiles the proprietary bytecode back into x86. The compiler was implemented in OCaml and successfully defeated multiple virtualizing protectors.

  • Heaps about Heaps

    Brett Moore

    Brett Moore released the first paper in a couple of years to introduce new Windows heap exploitation techniques. His work shows that safe unlinking and heap cookies in Windows Server 2003 can be bypassed, and he proved this with a Citrix Metaframe Server exploit.

Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • McAfee's "Hacker Safe" certification program

    XSS vulnerabilities in multiple sites certified as "Hacker Safe"

    More than 60 web sites certified to be "Hacker Safe" by McAfee's ScanAlert service were reported as vulnerable to XSS attacks, including the ScanAlert web site itself. Joseph Pierini, director of enterprise services for the "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server:

    Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.

    Another McAfee quote that is certain to become a timeless hacker classic is "we go in like a super hacker".

  • Linus Torvalds

    Linux kernel non-disclosure policy

    Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security issues by defending silent patching of security vulnerabilities in the Linux kernel:

    So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

    Adding insult to injury:

    Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

    It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

    For more background on the current Linux security fiasco, see this thread on Dailydave.

  • Wonderware

    Response to SCADA denial of service vulnerability

    CORE security reported a denial of service vulnerability in Wonderware's SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability and their response indicated total incompetence:

    2008-01-30: Initial contact email sent to Wonderware setting the estimated publication date of the advisory to February 25th.
    2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
    2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
    2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgment of the notification of a security vulnerability.
    2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
    2008-03-03: Core sends proof-of-concept code written in Python.
    2008-03-05: Vendor asks for compiler tools required to use the PoC code.
    2008-03-05: Core sends a link to http://www.python.org

  • NXP (formerly Philips Semiconductors)

    Lawsuit against researchers who broke the Mifare Classic smart cards

    NXP has sued Radboud University Nijmegen (in the Netherlands) to block publication of a research paper, "Dismantling Mifare Classic", detailing an attack against the RFID chips used in many public transport systems around the world.

    The response from Transport for London to the news of successful cloning of Oyster cards includes this priceless comment:

    This was not a hack of the Oyster system. It was a single instance of a card being manipulated.

    Update: This story has a happy end with the lawsuit being dismissed by a Dutch court on July 18, 2008.

Pwnie for Most Overhyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the mainstream media. Bonus points for bugs that turn out to be impossible to exploit in practice. Also known as ‘Pwnie for Pwning the Media.’

  • Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

    Dan Kaminsky

    Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

  • BT Home Hub authentication bypass (CVE-2008-5383 and CVE-2008-5384)

    Adrian 'pagvac' Pastor

    GNUCITIZEN and pagvac initiated a media blitz over this vulnerability which allows a malicious web page to use a CSRF attack to bypass authentication and modify the settings on the most popular home DSL router in the UK. This could allow a remote site to disable your firewall, modify your DNS server settings, or enable remote administration of your router. The bug was real, but it was accompanied by such a massive media campaign that it surely deserves a nomination.

  • Adobe Flash Player non-0day remote code execution (BID 29386)

    Symantec

    Those sirens that you heard in the middle of the night on May 28, 2008 weren't an air raid or tornado alert. No, they were because Symantec had elevated the ThreatCon to chartreuse! Symantec observed active exploitation of a zero-day vulnerability in Adobe Flash. It turned out, however, that it wasn't a zero-day bug at all, but instead an exploit for the DefineSceneAndFrameLabelData vulnerability patched a month prior.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? Let's see if anybody can beat Derek's Twas the night before Christmas.

  • Packin' The K!

    K & Key, Kaspersky Labs

    On hackers we put the hurtski,
    we use Kaspersky, we pack the K!

  • The Data Song (Get Me LiveSecurity)

    Scott Pinzon, WatchGuard

    A departure from the traditional ego-driven security songs, The Data Song tells the story from the perspective of the data who desperately needs protection. Sung in a sultry female voice:

    Gimme a place of shelter, baby,
    that can weather any storm.
    I'm your network data, baby,
    gotta keep me safe and warm!

  • Clockwork

    Dr. Raid

    A hip-hop anthem chiding script kiddies for using skills they haven't earned.

    Fuckin circus kids, got your worthless scripts
    but you couldn't own a box if you purchased it.
    You lookin' nervous, watchin' on your servers kid
    but I pop you client side - while you're surfin' shit!

    MP3 and lyrics

  • Symantec Song

    Doc Deazy

    We received a copy of the following email sent to Symantec:

    Yo Symantec ballerz,

    I've been using your products for some time and I find them to be the flyest dopest freshest AV products for protecting my internet mhz from the hackerz.

    So fly they make a brother just wanna kick a verse:
    (please feel free to use this in your advertising campaigns)

    In AV we get much respect
    Wooaaahar, got your 0days in check

    Forget McAfee, they get stepd on
    bugs in their engine aint even a blip on threatcon
    Connected, Protected, security2.0 we rep it
    Advanced analysis not just virus defs kid
    we got 3 types of crazy and 60 of ill
    we already got 50 ways to detect blue-pill

    Hacker problems? all in check
    endpoint sec: sygate and symantec
    From macOSX to windows, same thing go's
    we pin those wack hackers
    sigs for un-packers
    malware lacks tactics
    go home and practice young fellow
    no mal code gets past
    THE BIG YELLOW

    Number 1 for AV software, dont dare
    compare, we're the hardest
    look at the percentage share we got of this market
    corporate servers or home users
    install sophos if u want something useless
    symantec kingz shit on all internet abusers
    we run this shit like electricity in computers
    get your thorts on straight mate
    we got peter norton, AV HEAVY WEIGHT

    Thanks for your time.

    Your Pal,
    Doc Deazy.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL.

  • Todd Davis, Lifelock CEO for posting his SSN on the web

    Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN.

  • Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)

    Debian Project

    On May 2nd, 2006 Kurt Roeckx commented out two very important lines of code in the OpenSSL pseudo-random number generator (PRNG). The reason? Valgrind and Purify complained about the use of uninitialized data in the function that seeded the PRNG. By commenting out these two lines of code, the randomness of all cryptographic keys generated by the Debian OpenSSL package was reduced to about 15 bits, or less than 32,768 unique keys in practice.

    By crippling the PRNG in the OpenSSL library, not only were all cryptographic keys generated on Debian-based systems suspect, but so were all cryptographic operations performed by these systems. Since the flaw was announced, Luciano Bello, Maximiliano Bertacchini, and Paolo Abeni have released a patch to Wireshark that decrypts SSL sessions (bypassing Perfect Forward Secrecy) that involve one of the weak keys. To this day, Kurt Roeckx still hosts vulnerable versions of the OpenSSL library in his personal directory on the Debian servers and has not been stripped of his Debian developer status.
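    The Mass 0wnage nomination above and this entry both turn on the same number: with the seeding lines removed, the only varying input left was the process ID, so the whole key space fits in about 15 bits. The following Python is an added example, not Debian's or OpenSSL's code; it models that generator with a toy (SHA-256 of the PID stands in for the real PRNG and key generation, and PID_MAX is the 32-bit Linux default of the time) to show why every possible key can be enumerated in a fraction of a second and how a defender uses that enumeration as a blacklist, which is the approach the Debian openssl-blacklist package took:

```python
from __future__ import annotations

import hashlib
import math
import os

# Default pid_max on 32-bit Linux at the time: process IDs lie in 1..32767,
# and that range is the entire seed space of the toy generator below.
PID_MAX = 32768


def weak_key_material(pid: int, nbytes: int = 32) -> bytes:
    """Toy model of the crippled generator: the output depends on nothing but
    the process ID (constructed stand-in for the real PRNG and key derivation)."""
    if not 1 <= pid < PID_MAX:
        raise ValueError("pid outside the 1..32767 range")
    return hashlib.sha256(b"toy-debian-prng:" + pid.to_bytes(2, "big")).digest()[:nbytes]


def healthy_key_material(nbytes: int = 32) -> bytes:
    """What a correctly seeded generator produces: fresh OS entropy every call."""
    return os.urandom(nbytes)


def fingerprint(key: bytes) -> str:
    """Short hex fingerprint of key material, as a blacklist would store it."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blacklist() -> set[str]:
    """Enumerate every key the weak generator can ever produce. With a 15-bit
    seed space this is cheap, which is exactly the problem."""
    return {fingerprint(weak_key_material(pid)) for pid in range(1, PID_MAX)}


def effective_entropy_bits(blacklist: set[str]) -> float:
    """log2 of the number of distinct keys: just under 15 bits here."""
    return math.log2(len(blacklist))


def is_weak_key(key: bytes, blacklist: set[str]) -> bool:
    """Defender-side check: does this key appear in the enumerated weak set?"""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"weak keys enumerable: {len(bl)} (~{effective_entropy_bits(bl):.2f} bits)")
    print("pid 4242 key flagged:", is_weak_key(weak_key_material(4242), bl))
    print("fresh key flagged:   ", is_weak_key(healthy_key_material(), bl))
```

A real checker keys the blacklist by key type and size as well, since each combination has its own 32,767 candidates, and it must be run against every certificate, SSH host key and user key generated on an affected system, not only the ones still installed there.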

  • Windows Vista for proving that security does not sell

    $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements.

    The good thing about the Vista debacle is that no other vendor will care to do such a security push, which means that we'll be able to easily own any piece of software for the foreseeable future.

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.
