Nominations for Pwnie Awards 2010
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
SMB2 Negotiate Protocol Request Vulnerability (CVE-2009-3103)
In September 2009, Laurent Gaffié dropped a Windows 7 vulnerability in the SMB2 code, which quickly turned out to be exploitable. The vulnerability was not only technically interesting, but it caused some embarrassment for Microsoft because it was found by a simple 20-line fuzzer. Few security researchers believed that finding a remote Windows 7 bug would be that easy, but Laurent proved them wrong again by releasing multiple additional SMB2 vulnerabilities over the next few months.
Windows SMB NTLM Authentication Weak Nonce (CVE-2010-0231)
Hernan Ochoa uncovered an ancient vulnerability that affected all versions of Windows from NT4 all the way up to Windows Server 2008. The vulnerability was caused by insufficient randomness in the challenges generated by the SMB server and could be used to access the server without the need for any credentials.
Apache Struts2 framework remote code execution (CVE-2010-1870)
Do you use the Struts2 framework in your enterprise web application? Meder Kydyraliev discovered that a single HTTP request with just five special parameters is enough to execute arbitrary Java code on the webserver. Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from email@example.com.
iPhone remote SMS exploit (CVE-2009-2204)
Charlie and Collin spent a lot of effort on fuzzing the iPhone with injected SMS messages and discovered a memory corruption vulnerability that could be triggered with a remote SMS message. Their heap manipulation with multiple SMS messages and resulting exploit were hardcore.
IIS FTP Server NLST buffer overflow (CVE-2009-3023)
Kingcope's latest vulnerability was a stack overflow in the IIS FTP server. It was posted on the Full-Disclosure mailing list and was accompanied by working exploit code. The vulnerability was stopped by the stack cookie on IIS6, but it was easily exploitable on older versions.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
IE Aurora vulnerability (CVE-2010-0249)
The Internet Explorer vulnerability used in the Aurora attacks made many people aware of the danger of targeted attacks. The exploit found in the wild targeted IE6, but this use-after-free vulnerability was easily exploitable even on Windows 7.
Windows EOT font parser vulnerability (CVE-2009-2514)
Jumping from an iframe straight into the kernel! Tavis Ormandy discovered a memory corruption vulnerability in the win32k code that parses font files embedded on web pages. This vulnerability allows attackers to run arbitrary code in the kernel, bypassing any user-level security and sandboxing technologies.
Adobe U3D Mesh Declaration Array Overrun (CVE-2009-3953)
Adobe PDF has been a favorite target of attackers over the last year. Felipe discovered a bug in the U3D file format which affected all recent versions of Adobe Reader. Exploiting it required some very complicated heap manipulation, showing how complex exploitation really is.
Flash AVM JIT compiler code execution (CVE-2010-1297)
This vulnerability was found in the wild. It was a technically sophisticated exploit that used malformed AVM instructions in a Flash file to force the JIT compiler to make incorrect assumptions about the stack layout and generate invalid code. This can be used by an attacker to redirect the code execution to shellcode.
Windows Help Center escape sequence vulnerability (CVE-2010-1885)
This vulnerability caused a lot of trouble for Tavis when he posted it to the Full-Disclosure mailing list, but even the most ardent supporters of responsible disclosure have to agree that the exploitation method for it is very impressive. To achieve silent code execution, Tavis chained together a URL escaping bug in helpctr.exe, a cross-site scripting bug in a system HTML file, an IE-specific script attribute and an iframe in an ASX file displayed by Windows Media Player.
Java Trusted Method Chaining (CVE-2010-0840)
This exploit basically breaks the whole Java security model. It's more a demonstration of a new bug class than just one vulnerability. Apple patches Java three months after every new exploit comes out, and none of the IDS/AV companies could figure out how to write this exploit, so there was really no defence for quite a long time. Custom Java compilers doing complex, cross-platform, 100% reliable exploits For The Win!
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Windows NT #GP Trap Handler (CVE-2010-0232)
One of the most complicated vulnerabilities of 2010, this privilege escalation bug required more than a few tricks to exploit. Its discovery shows a rare understanding of some of the more obscure aspects of the Intel architecture. The bug was present in all versions of Windows from NT 3.1 all the way up to Windows 7.
Linux sock_sendpage NULL pointer dereference (CVE-2009-2692)
In August 2009, Tavis and Julien discovered a very easily exploitable NULL pointer dereference bug that affected all Linux kernels since 2001. Their advisory led to highly reliable exploits for all popular architectures, including x86, x64, PPC and ARM.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Flash Pointer Inference and JIT Spraying
Dion presented two new techniques for defeating ASLR and DEP using the Flash AVM2 virtual machine and JIT engine. His work was novel and opened up a new direction in exploitation research.
This cool paper demonstrates a technique for automatically transforming shellcode into a representation that looks like English text.
Practical Windows XP/2003 Heap Exploitation
This paper brings a depth of understanding to technical heap internals that has seldom been seen before. Impressive not only for showing brand new practical heap exploitation techniques, but also for raising the bar on the thoroughness of research methods.
Adobe Reader's Custom Memory Management: A Heap of Trouble
This is PDF-specific exploitation research focusing on the custom heap management in Adobe Reader. When Adobe Reader is processing a PDF file, in most allocation cases it does not directly use the system's heap, but maintains its own heap management system on top of the system-level heap management system. This feature provides an easier and more reliable way to leverage PDF heap-based vulnerabilities.
Zero-sized heap allocations vulnerability analysis
In his talk at the Hackito Ergo Sum conference 2010, Julien Vanegue presents a semi-automated, theorem-proving-based approach to source code security review using the HAVOC extended static checker, a heap-aware verifier for C programs developed at Microsoft Research. His simple experiment on a single critical property fixed about fifteen memory corruption bugs in various Windows software components. Zero-sized allocations are not bugs per se, but they are signs that something odd is going on, as they are rarely intended. This analysis technique is relevant on all operating systems, including many UNIX flavors, as most user-land and kernel-land allocators are exposed to it. His presentation also includes an original perspective on near-zero allocation vulnerabilities, in particular when the effective heap allocation size and the size-holding variable are desynchronized.
Practical Padding Oracle Attacks
The padding oracle attack is a powerful crypto attack against CBC-mode encryption. Given an oracle which, on receipt of a ciphertext, decrypts it and then tells the sender whether the padding is correct or not, it is possible to efficiently decrypt data without knowing the encryption key. In their research, Juliano and Thai used this crypto attack to create a whole new set of practical web hacking techniques.
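The oracle described above, shown from the receiver's side as an added example (this is not code from the original page or from Juliano and Thai's research). It builds a toy CBC receiver two ways: a MAC-then-encrypt receiver that checks padding before the MAC and answers differently for "bad padding" and "bad MAC", which is exactly the oracle the attack needs, and an encrypt-then-MAC receiver that verifies the tag first and gives a single answer for every tampered message. Everything here is constructed: the block cipher is a toy Feistel network built on SHA-256 (not a real cipher, used only because any Feistel network is a bijection and CBC needs nothing more), the keys, IV and message are fixed for reproducibility, and the MAC is HMAC-SHA256. The probe function is a leakage check a defender can run against their own receiver: it varies one ciphertext byte through every other value and records the distinct responses.

```python
import hashlib
import hmac

BLOCK = 16      # block size in bytes
ROUNDS = 8      # Feistel rounds in the toy cipher
TAG_LEN = 32    # HMAC-SHA256 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy round function (constructed for this example only): keyed SHA-256 of one half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Feistel network: (L, R) -> (R, L xor F(R)); a bijection on 16-byte blocks.
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse of block_encrypt: run the rounds backwards.
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    # Raises ValueError on malformed padding; exposing that distinction is the oracle.
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def mte_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes, iv: bytes) -> bytes:
    # MAC-then-encrypt (TLS-style): MAC the message, pad, then encrypt everything.
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg + tag))


def mte_receive(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Vulnerable receiver: padding is inspected before authenticity is known,
    # and the two failure modes are reported differently (the padding oracle).
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    try:
        padded = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        return "bad_padding", None
    msg, tag = padded[:-TAG_LEN], padded[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        return "bad_mac", None
    return "ok", msg


def etm_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes, iv: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so tampering is caught first.
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def etm_receive(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Hardened receiver: constant-time tag check before any decryption, one error for all failures.
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "invalid", None
    try:
        return "ok", pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        return "invalid", None


def probe_responses(receive, blob: bytes, position: int) -> set:
    # Leakage check: vary one byte through every other value and collect the distinct
    # statuses. More than one distinct status means the receiver leaks plaintext information.
    seen = set()
    for value in range(256):
        if value == blob[position]:
            continue
        seen.add(receive(blob[:position] + bytes([value]) + blob[position + 1:])[0])
    return seen


def demo() -> dict:
    enc_key, mac_key = b"E" * 16, b"M" * 16   # constructed keys
    iv = bytes(range(BLOCK))                  # fixed IV, for reproducibility only
    msg = b"meet at noon"                     # constructed 12-byte message
    mte_blob = mte_encrypt(enc_key, mac_key, msg, iv)
    etm_blob = etm_encrypt(enc_key, mac_key, msg, iv)
    return {
        "mte_roundtrip": mte_receive(enc_key, mac_key, mte_blob),
        "etm_roundtrip": etm_receive(enc_key, mac_key, etm_blob),
        # byte 47 is the last byte of the next-to-last ciphertext block of the MtE blob
        "mte_leak": probe_responses(lambda b: mte_receive(enc_key, mac_key, b), mte_blob, 47),
        "etm_leak": probe_responses(lambda b: etm_receive(enc_key, mac_key, b), etm_blob, 15),
    }
```

Running demo() gives two distinguishable answers ("bad_padding" and "bad_mac") for the MAC-then-encrypt receiver and a single "invalid" for the encrypt-then-MAC one. The fix the example illustrates is ordering, not the padding code itself: authenticate the ciphertext before anything about the plaintext is examined, or use an AEAD mode that does so by construction. Even with identical error messages, timing differences between the two failure paths can reopen the oracle, which is why the tag is checked first and with a constant-time comparison.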
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
OpenCart CSRF vulnerability
Congrats to Daniel Kerr for the EPIC mishandling of a CSRF vulnerability submitted by one of the users.
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote: This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.
SpringSource remote code execution vulnerability (CVE-2010-1622)
Most nominations for Lamest Vendor Response are a result of a vendor downplaying a vulnerability, but this particular case is different. In their advisory, SpringSource just casually announced their biggest security vulnerability ever as "Critical" severity, causing companies everywhere to go nuts patching and doing Emergency Releases. The vendor pretty much just said "Yeah remote code exec with 100% reliability on anybody running our shit, you should patch dude".
What they DIDN'T mention is that this can only be exploited on a URL path that points to an uncompiled JSP, which is very rare. For any decently large website the window of vulnerability is extremely small or non-existent due to pre-compiled JSPs. This is all outlined in the original report by Meder Kydyraliev, who discovered the bug.
It should be noted that, based on my quick inspection of the code, TldLocationsCache gets URLs from the class loader only once upon its initialization and thus, in order for an attack to work with the Tomcat+Spring MVC combination, an attacker has to submit her request to overwrite the class loader's URLs before any of the JSP pages have been requested, which makes this attack a lot harder to carry out.
Novell iManager vulnerabilities
The CORE security team never fails to deliver when it comes to lame vendor responses. Their interaction with the Novell iManager team regarding a buffer overflow and a DoS vulnerability can be summarized in one sentence: "No reply received".
2010-06-02: Paula Gephart from the iManager team notifies she was out of town and the email's vacation rule has not worked for some reason. The iManager team also notifies that they would like to coordinate a release and they will re-establish the contact as soon as they can find an acceptable release mechanism.
2010-06-02: Core notifies that, given that the 2nd publication deadline for the advisory has already passed and the lack of an answer from the iManager team to the questions asked in the email sent on [2010-05-20], it is best (according to Core's assessment of how to help users reduce risk) to inform the vulnerable users about their risk and provide whatever mitigations or workarounds are available, rather than to postpone disclosure to an uncertain future date. Core also notifies that the advisory has already entered the publication system and it would be hard to stop it, but it can be done if the iManager team provides the answers requested in the previous emails. Core notifies that it will be waiting for this information until the end of the day and that this deadline should be considered final. No reply received.
2010-06-02: The advisory CORE-2010-0316 is published.
Read the entire timeline for more laughs.
LANRev remote code execution
The LANRev remote administration program gained a lot of publicity when it was used by the Lower Merion School District in Pennsylvania to spy on their students at home. Adding fuel to the fire, Leviathan Security found out that the LANRev software had a vulnerability that allowed anybody on the local network to take full control of any computer running the LANRev software. The response from the software vendor was hilarious:
“Is it theoretically possible [to exploit this]? Of course it is,” said Tim Parker, vice president of research and development for Absolute. “[But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch.”
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. Rather than let it become anyone else's turn, we have a new rule: nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:
Kick ass hip hop track from Dual Core about an Eastern European cyber criminal trying to feed his family. He turns to identity theft to survive in the failed economy and then finds out that the admin of the dark net he uses for trading is a CIA plant as other members of the forum start disappearing.
His name is Victor an elite code scripter
from a soviet satellite that is cold in the winter.
Pack my own malware, write my own cryptors
with more entropy than a Mersenne Twister
evade anti-virus, IDS filters
leave the scene cleaner than mops and a Swiffer
A day in the life of a blackhat:
Through the switches and into your cubicle
across the PBX and into your server room,
I know every corporate security game.
To get in, I social engineer my way
forwarding traffic from every machine,
this blackhat's got his eyes on everything!
A cover of Nickleback's "Rockstar" with Hoff's (@beaker) rendition covering last year's Defcon
‘Cause we all just wanna be security rockstars
Hacking parking meters,
windows-powered smart cars
The girls ain’t easy but the caffeine’s cheap
We’ll all stay skinny, can’t afford to eat
And we’ll hang out in the coolest bars
moochin off those vendors
and their sales whores
Every good script kiddie
Gonna wind up there
No pretty people
but we just wont care
Hey hey I’ll be a security rockstar
Hey hey I’ll be a security rockstar
Frame by Frame
This is an attempt to write a hacker metal song whose lyrics won't offend metal heads or hackers. Cryptonomicon is a studio-only "band" project by Simple Nomad, and this is (so far) the only hacker song, the others are your regular fucked up angst outings.
trolling through the ether, crawling down the wires
dredging through the sludge and the muck and the mire
flipping all the switches, watching for the shock
fingers on the keys and i'm ready to rock
frame by frame
i'm bringing up the slack
i'm tearing up the stack
i'm planning my attack
frame by frame
it's a godless birth
time to lock and load
and scorch the fucking earth
Pwned - 1337 edition
you wont find shit...why is that?
my shell code repairs the app's entire stack
looking at your application and I'm salivatin'
cuz you failed validation on sized allocations
calibratin' for my address offsets
your process just joined sophsec's botnet
... jack you by the IP octet
and that goes for any kiddie that talks shit
if I talked it I popped it
code that I audit I found holes & locked it
you couldn’t overflow the kitchen sink
let me show you how it works
(click click) click this link
Payment Card Security
PCI has had a lot of criticism. Hopefully with this song we know it is a joke:
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
McAfee false positive bricks enterprise PCs worldwide
McAfee releasing a signature file with a false positive on a core Windows component has to be a candidate for epic fail, or mass 0wnage, depending on how you see it.
Netkairo - Mariposa Botnet
The Mariposa botnet, at its peak, is believed to have had as many as 800,000 victims, before it was taken down starting in late 2009. It was also a blueprint for failure.
Failure #1: The reason it was taken down is because the people behind it used real names when registering domains. This made it relatively easy for police to track down who was behind it.
Failure #2: Once the takedown was in process, Netkairo furiously tried to regain control of the botnet. In the process of doing this, he connected to the command and control server without using a VPN or proxy, revealing his actual IP. This made it even easier to track him down.
Failure #3: After being busted for operating this botnet, Netkairo and others involved with Mariposa actually tried to get jobs with AV vendor Panda Security, becoming abusive towards them once Panda indicated that they weren't interested in employing them because of their histories.
Microsoft Internet Explorer 8 XSS filter
Internet Explorer 8 was released with built in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail.
Unreal IRCD backdoored source tarball
The backdoored source code of Unreal IRCD was not spotted for 7 months:
We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).
Infected USB drives handed out by IBM at the AusCERT conference
IBM has admitted that the complimentary USB drives it handed out this week at the AusCERT conference on the Gold Coast, Queensland, were infected by not one, but two pieces of malware.