Winners of Pwnie Awards 2010
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Apache Struts2 framework remote code execution (CVE-2010-1870)
Do you use the Struts2 framework in your enterprise web application? Meder Kydyraliev discovered that an single HTTP request with just five special parameters is enough to execute arbitrary Java code on the webserver. Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from email@example.com.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
Java Trusted Method Chaining (CVE-2010-0840)
This exploit basically breaks the whole Java security model. It's more a demonstration of a new bug class than just one vulnerability. Apple patches Java three months after every new exploit comes out, and none of the IDS/AV companies could figure out how to write this exploit, so there was really no defence for quitea long time. Custom Java compilers doing complex, cross platform, 100% reliable exploits For The Win!.
Pwnie for Best Privilege Escalation Bug
Award to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Windows NT #GP Trap Handler (CVE-2010-0232 )
One of the most complicated vulnerabilities of 2010, this privilege escalation bug required more than a few tricks to exploit. Its discovery shows a rare understanding of some of the more obscure aspects of the Intel architecture. The bug was present in all versions of Windows from NT 3.1 all the way up to Windows 7.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Flash Pointer Inference and JIT Spraying
Dion presented two new techniques for defeating ASLR and DEP using the Flash AVM2 virtual machine and JIT engine. His work was novel and opened up a new direction in exploitation research.
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
LANRev remote code execution
The LANRev remote administration program gained a lot of publicity when it was used by the Lower Merion School District in Pennsylvania to spy on their students at home. Addiging fuel to the fire, Leviathan Security found out that the LANRev software had a vulnerability that allowed anybody on the local network to take full control of any computers running the LANRev software. The response from the software vendor was hilarious:
“Is it theoretically possible [to exploit this]? Of course it is,” said Tim Parker, vice president of research and development for Absolute. “[But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch.”
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is strangely enough a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather then let it become anyone else's turn, we have a new rule. Nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:
Pwned - 1337 edition
you wont find shit...why is that?
my shell code repairs the app's entire stack
looking at your application and I'm salivatin'
cuz you failed validation on sized allocations
calibratin' for my address offsets
your process just joined sophsec's botnet
... jack you by the IP octet
and that goes for any kiddie that talks shit
if I talked it I popped it
code that I audit I found holes & locked it
you couldn’t overflow the kitchen sink
let me show you how it works
(click click) click this link
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
Microsoft Internet Explorer 8 XSS filter
Internet Explorer 8 was released with built in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail.