Pwnie Awards 2014

Nominations for Pwnie Awards 2010

Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • SMB2 Negotiate Protocol Request Vulnerability (CVE-2009-3103)

    Credit: Laurent Gaffié

    In September 2009, Laurent Gaffié dropped a Windows 7 vulnerability in the SMB2 code, which quickly turned out to be exploitable. The vulnerability was not only technically interesting, but it caused some embarrassment for Microsoft because it was found by a simple 20-line fuzzer. Few security researchers believed that finding a remote Windows 7 bug would be that easy, but Laurent proved them wrong again by releasing multiple additional SMB2 vulnerabilities over the next few months.

  • Windows SMB NTLM Authentication Weak Nonce (CVE-2010-0231)

    Credit: Hernan Ochoa

    Hernan Ochoa uncovered an ancient vulnerability that affected all versions of Windows from NT4 all the way up to Windows Server 2008. The vulnerability was caused by insufficient randomness in the challenges generated by the SMB server and could be used to access the server without the need for any credentials.

  • Apache Struts2 framework remote code execution (CVE-2010-1870)

    Credit: Meder Kydyraliev

    Do you use the Struts2 framework in your enterprise web application? Meder Kydyraliev discovered that a single HTTP request with just five special parameters is enough to execute arbitrary Java code on the webserver. Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from security@struts.apache.org.

  • iPhone remote SMS exploit (CVE-2009-2204)

    Credit: Charlie Miller and Collin Mulliner

    Charlie and Collin spent a lot of effort on fuzzing the iPhone with injected SMS messages and discovered a memory corruption vulnerability that could be triggered with a remote SMS message. Their heap manipulation with multiple SMS messages and resulting exploit were hardcore.

  • IIS FTP Server NLST buffer overflow (CVE-2009-3023)

    Credit: Kingcope

    Kingcope's latest vulnerability was a stack overflow in the IIS FTP server. It was posted on the Full-Disclosure mailing list and was accompanied by working exploit code. The vulnerability was stopped by the stack cookie on IIS6, but it was easily exploitable on older versions.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

  • IE Aurora vulnerability (CVE-2010-0249)

    Credit: APT

    The Internet Explorer vulnerability used in the Aurora attacks made many people aware of the danger of targeted attacks. The exploit found in the wild targeted IE6, but this use-after-free vulnerability was easily exploitable even on Windows 7.

  • Windows EOT font parser vulnerability (CVE-2009-2514)

    Credit: Tavis Ormandy

    Jumping from an iframe straight into the kernel! Tavis Ormandy discovered a memory corruption vulnerability in the win32k code that parses font files embedded on web pages. This vulnerability allows attackers to run arbitrary code in the kernel, bypassing any user-level security and sandboxing technologies.

  • Adobe U3D Mesh Declaration Array Overrun (CVE-2009-3953)

    Credit: Felipe Andres Manzano

    Adobe PDF has been a favorite target of attackers over the last year. Felipe discovered a bug in the U3D file format which affected all recent versions of Adobe Reader. Exploiting it required some very complicated heap manipulation, showing how complex exploitation really is.

  • Flash AVM JIT compiler code execution (CVE-2010-1297)

    Credit: Unknown

    This vulnerability was found in the wild. It was a technically sophisticated exploit that used malformed AVM instructions in a Flash file to force the JIT compiler to make incorrect assumptions about the stack layout and generate invalid code. This can be used by an attacker to redirect the code execution to shellcode.

  • Windows Help Center escape sequence vulnerability (CVE-2010-1885)

    Credit: Tavis Ormandy

    This vulnerability caused a lot of trouble for Tavis when he posted it to the Full-Disclosure mailing list, but even the most ardent supporters of responsible disclosure have to agree that the exploitation method for it is very impressive. To achieve silent code execution, Tavis chained together a URL escaping bug in helpctr.exe, a cross-site scripting bug in a system HTML file, an IE-specific script attribute and an iframe in an ASX file displayed by Windows Media Player.

  • Java Trusted Method Chaining (CVE-2010-0840)

    Credit: Sami Koivu

    This exploit basically breaks the whole Java security model. It's more a demonstration of a new bug class than just one vulnerability. Apple patches Java three months after every new exploit comes out, and none of the IDS/AV companies could figure out how to write this exploit, so there was really no defence for quite a long time. Custom Java compilers doing complex, cross-platform, 100% reliable exploits For The Win!

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • Windows NT #GP Trap Handler (CVE-2010-0232)

    Credit: Tavis Ormandy

    One of the most complicated vulnerabilities of 2010, this privilege escalation bug required more than a few tricks to exploit. Its discovery shows a rare understanding of some of the more obscure aspects of the Intel architecture. The bug was present in all versions of Windows from NT 3.1 all the way up to Windows 7.

  • Linux sock_sendpage NULL pointer dereference (CVE-2009-2692)

    Credit: Tavis Ormandy and Julien Tinnes

    In August 2009, Tavis and Julien discovered a very easily exploitable NULL pointer dereference bug that affected all Linux kernels since 2001. Their advisory led to highly reliable exploits for all popular architectures, including x86, x64, PPC and ARM.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Flash Pointer Inference and JIT Spraying

    Author: Dionysus Blazakis

    Dion presented two new techniques for defeating ASLR and DEP using the Flash AVM2 virtual machine and JIT engine. His work was novel and opened up a new direction in exploitation research.

  • English Shellcode

    Authors: Joshua Mason, Sam Small, Fabian Monrose, Greg MacManus

    This cool paper demonstrates a technique for automatically transforming shellcode into a representation that looks like English text.

  • Practical Windows XP/2003 Heap Exploitation

    Authors: John McDonald and Chris Valasek

    This paper brings a depth of understanding to technical heap internals that has seldom been seen before. Impressive not only for showing brand new practical heap exploitation techniques, but also for raising the bar on the thoroughness of research methods.

  • Adobe Reader's Custom Memory Management: A Heap of Trouble

    Authors: Haifei Li, Guillaume Lovet

    This is PDF-specific exploitation research focusing on the custom heap management in Adobe Reader. When Adobe Reader processes a PDF file, in most allocation cases it does not use the system heap directly, but maintains its own heap management system on top of the system-level one. This feature provides an easier and more reliable way to leverage PDF heap-based vulnerabilities.

  • Zero-sized heap allocations vulnerability analysis

    Author: Julien Vanegue

    In his talk at the Hackito Ergo Sum conference 2010, Julien Vanegue presents a semi-automated, theorem-proving-based approach to source code security review using the HAVOC extended static checker, a heap-aware verifier for C programs developed at Microsoft Research. His simple experiment on a single critical property fixed about fifteen memory corruption bugs in various Windows software components. Zero-sized allocations are not bugs per se, but they are a sign that something odd is going on, as they are rarely intended. This analysis technique is relevant on all operating systems, including many UNIX flavors, as most user-land and kernel-land allocators are exposed. His presentation also includes an original perspective on near-zero allocation vulnerabilities, in particular when the effective heap allocation size and the size-holding variable are desynchronized.

  • Practical Padding Oracle Attacks

    Authors: Juliano Rizzo, Thai Duong

    The padding oracle attack is a powerful crypto attack against CBC-mode encryption. Given an oracle which, on receipt of a ciphertext, decrypts it and replies to the sender whether or not the padding is correct, it is possible to efficiently decrypt data without knowing the encryption key. In their research, Juliano and Thai used this crypto attack to create a whole new set of practical web hacking techniques.
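    As an added illustration of the oracle described above (example code written for this page, not code from Juliano and Thai's research): an unauthenticated CBC decryptor whose padding failure is distinguishable from success, beside an encrypt-then-MAC decryptor that rejects every forged message identically. Keys, IV, and the sample plaintext are constructed for the demo, and the 'aes-128-cbc' cipher and HMAC come from Ruby's standard OpenSSL binding.

```ruby
require 'openssl'

# Constructed demo keys and IV; real code derives keys with a KDF and never reuses an IV.
ENC_KEY = '0123456789abcdef'.b
MAC_KEY = 'fedcba9876543210fedcba9876543210'.b
DEMO_IV = 'iv-for-demo-only'.b

class PaddingError < StandardError; end # this distinct error is the oracle
class AuthError < StandardError; end    # the only error the hardened path raises

# Raw AES-128-CBC with OpenSSL's own padding disabled so the PKCS#7 check is explicit.
def raw_cbc(mode, iv, data)
  c = OpenSSL::Cipher.new('aes-128-cbc').public_send(mode)
  c.key, c.iv, c.padding = ENC_KEY, iv, 0
  c.update(data) + c.final
end

def pkcs7_unpad(buf)
  n = buf.bytes.last
  raise PaddingError if n.nil? || n.zero? || n > 16 || buf[-n, n] != (n.chr * n).b
  buf[0...-n]
end

# Returns iv || AES-CBC(PKCS#7(pt)).
def cbc_encrypt(iv, pt)
  n = 16 - pt.bytesize % 16
  iv + raw_cbc(:encrypt, iv, pt.b + (n.chr * n).b)
end

# Unauthenticated CBC whose exception tells the caller whether the padding was
# valid: exactly the oracle the attack needs.
def vulnerable_decrypt(msg)
  raise PaddingError unless msg.bytesize >= 32 && (msg.bytesize % 16).zero?
  pkcs7_unpad(raw_cbc(:decrypt, msg[0, 16], msg[16..-1]))
end

# Encrypt-then-MAC: the tag covers iv || ciphertext, so the IV cannot be tampered with.
def seal_etm(iv, pt)
  c = cbc_encrypt(iv, pt)
  c + OpenSSL::HMAC.digest('SHA256', MAC_KEY, c)
end

# Checks the tag in constant time before any decryption, so a forged message
# never reaches the padding check and every failure raises the same error.
def open_etm(msg)
  raise AuthError if msg.bytesize < 64
  c, t = msg[0...-32], msg[-32, 32]
  raise AuthError unless OpenSSL.fixed_length_secure_compare(OpenSSL::HMAC.digest('SHA256', MAC_KEY, c), t)
  vulnerable_decrypt(c)
rescue PaddingError
  raise AuthError # unreachable for an authentic message; still never leak the cause
end

# Flip bits in the IV so only the last plaintext byte changes by +mask+ (CBC malleability).
def tamper(msg, mask)
  msg.dup.tap { |t| t.setbyte(15, t.getbyte(15) ^ mask) }
end
```

    With a 14-byte plaintext the padding is two 0x02 bytes: flipping the low IV bit turns the last byte into 0x03 and the vulnerable path raises PaddingError, while a 0x03 mask turns it into a valid one-byte pad and the same path silently accepts the forgery; the hardened path raises AuthError for both.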

Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • OpenCart CSRF vulnerability

    Vendor: OpenCart

    Congrats to Daniel Kerr for the EPIC mishandling of a CSRF vulnerability submitted by one of the users.

    On 2010-01-22, at 7:31 PM, Daniel Kerr wrote: This sort of thing is down to the client. The software on a client's computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.


  • SpringSource remote code execution vulnerability (CVE-2010-1622)

    Vendor: SpringSource, a division of VMware

    Most nominations for Lamest Vendor Response are a result of a vendor downplaying a vulnerability, but this particular case is different. In their advisory, SpringSource just casually announced their biggest security vulnerability ever as a "Critical" severity causing companies everywhere to go nuts patching and doing Emergency Releases. The vendor pretty much just said "Yeah remote code exec with 100% reliability on anybody running our shit, you should patch dude".

    What they DIDN'T mention is that this can only be exploited on a URL path that points to an uncompiled JSP, which is very rare. For any decently large website the window of vulnerability is extremely small or non-existent due to pre-compiled JSPs. This is all outlined in the original report by Meder Kydyraliev, who discovered the bug.

    It should be noted that, based on my quick inspection of the code, TldLocationsCache gets URLs from the class loader only once upon its initialization and thus, in order for an attack to work with the Tomcat+Spring MVC combination, an attacker has to submit her request to overwrite the class loader's URLs before any of the JSP pages have been requested, which makes this attack a lot harder to carry out.

  • Novell iManager vulnerabilities

    Vendor: Novell

    The CORE security team never disappoints when it comes to lame vendor responses. Their interaction with the Novell iManager team regarding a buffer overflow and a DoS vulnerability can be summarized in one sentence: "No reply received."

    2010-06-02: Paula Gephart from the iManager team notifies that she was out of town and the email's vacation rule has not worked for some reason. The iManager team also notifies that they would like to coordinate a release and they will re-establish contact as soon as they can find an acceptable release mechanism.
    2010-06-02: Core notifies that, given the 2nd publication deadline for the advisory has already passed and the lack of an answer from the iManager team to the questions asked in the email sent on [2010-05-20], it is best (according to Core's assessment on how to help users to reduce risk) to inform the vulnerable users about their risk and provide whatever mitigation or workarounds are available than to postpone disclosure to an uncertain future date. Core also notifies that the advisory has already entered the publication system and it would be hard to stop it, but it can be done if the iManager team provides the answers requested in the previous emails. Core notifies that it will be waiting for this information until the end of the day and this deadline should be considered final. No reply received.
    2010-06-02: The advisory CORE-2010-0316 is published.

    Read the entire timeline for more laughs.

  • LANRev remote code execution

    Vendor: Absolute Software

    The LANRev remote administration program gained a lot of publicity when it was used by the Lower Merion School District in Pennsylvania to spy on their students at home. Adding fuel to the fire, Leviathan Security found out that the LANRev software had a vulnerability that allowed anybody on the local network to take full control of any computer running the LANRev software. The response from the software vendor was hilarious:

    “Is it theoretically possible [to exploit this]? Of course it is,” said Tim Parker, vice president of research and development for Absolute. “[But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch.”


Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. Rather than let it become anyone else's turn, we have a new rule: nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:

  • The Game

    Dual Core

    Kick-ass hip hop track from Dual Core about an Eastern European cyber criminal trying to feed his family. He turns to identity theft to survive in the failed economy and then finds out that the admin of the dark net he uses for trading is a CIA plant, as other members of the forum start disappearing.

    His name is Victor an elite code scripter
    from a soviet satellite that is cold in the winter.
    Pack my own malware, write my own cryptors
    with more entropy than a Mersenne Twister
    evade anti-virus, IDS filters
    leave the scene cleaner than mops and a Swiffer


  • Blackhat Life

    trevelyn

    A day in the life of a blackhat:

    Through the switches and into your cubicle
    across the PBX and into your server room,
    I know every corporate security game.
    To get in, I social engineer my way
    forwarding traffic from every machine,
    this blackhat's got his eyes on everything!


  • Security Rockstar

    The Hoff

    A cover of Nickelback's "Rockstar", with Hoff's (@beaker) rendition covering last year's Defcon.

    ‘Cause we all just wanna be security rockstars
    Hacking parking meters,
    windows-powered smart cars
    The girls ain’t easy but the caffeine’s cheap
    We’ll all stay skinny, can’t afford to eat
    And we’ll hang out in the coolest bars
    moochin off those vendors
    and their sales whores
    Every good script kiddie
    Gonna wind up there
    No pretty people
    but we just wont care
    Hey hey I’ll be a security rockstar
    Hey hey I’ll be a security rockstar


  • Frame by Frame

    Cryptonomicon (Simple Nomad)

    This is an attempt to write a hacker metal song whose lyrics won't offend metal heads or hackers. Cryptonomicon is a studio-only "band" project by Simple Nomad, and this is (so far) the only hacker song; the others are your regular fucked up angst outings.

    trolling through the ether, crawling down the wires
    dredging through the sludge and the muck and the mire
    flipping all the switches, watching for the shock
    fingers on the keys and i'm ready to rock
    frame by frame
    i'm bringing up the slack
    i'm tearing up the stack
    i'm planning my attack
    frame by frame
    it's a godless birth
    time to lock and load
    and scorch the fucking earth


  • Pwned - 1337 edition

    Dr. Raid and Heavy Pennies

    you wont find shit...why is that?
    my shell code repairs the app's entire stack
    looking at your application and I'm salivatin'
    cuz you failed validation on sized allocations
    calibratin' for my address offsets
    your process just joined sophsec's botnet
    ... jack you by the IP octet
    and that goes for any kiddie that talks shit
    if I talked it I popped it
    code that I audit I found holes & locked it
    you couldn’t overflow the kitchen sink
    let me show you how it works
    (click click) click this link


  • Payment Card Security

    by PCI Rock

    PCI has had a lot of criticism. Hopefully with this song we know it is a joke:

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL.

  • McAfee false positive bricks enterprise PCs worldwide

    McAfee releasing a signature file with a false positive on a core Windows component has to be a candidate for epic fail, or Mass 0wnage, depending on how you see it.

  • Netkairo - Mariposa Botnet

    The Mariposa botnet, at its peak, is believed to have had as many as 800,000 victims, before it was taken down starting in late 2009. It was also a blueprint for failure.

    Failure #1: It was taken down because the people behind it used real names when registering domains. This made it relatively easy for police to track down who was behind it.

    Failure #2: Once the takedown was in progress, Netkairo furiously tried to regain control of the botnet. In the process of doing this, he connected to the command and control server without using a VPN or proxy, revealing his actual IP. This made it even easier to track him down.

    Failure #3: After being busted for operating this botnet, Netkairo and others involved with Mariposa actually tried to get jobs with AV vendor Panda Security, becoming abusive towards them once Panda indicated that they weren't interested in employing them because of their histories.

  • Microsoft Internet Explorer 8 XSS filter

    Internet Explorer 8 was released with built-in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail.

  • Unreal IRCD backdoored source tarball

    The backdoored source code of Unreal IRCD was not spotted for 7 months:

    We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).

  • Infected USB drives handed out by IBM at the AusCERT conference

    IBM has admitted that the complimentary USB drives it handed out this week at the AusCERT conference on the Gold Coast, Queensland, were infected by not one, but two pieces of malware.

Calendar

Aug 3: The list of nominees is announced.
Aug 6: Awards ceremony at the BlackHat USA conference in Las Vegas.

Awards Ceremony
When: 6:30pm, Wed, Aug 6th 2014
Where: Blackhat USA conference, Mandalay Bay, Las Vegas