Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

• Apache Struts2 framework remote code execution (CVE-2010-1870)

  Credit: Meder Kydyraliev

  Do you use the Struts2 framework in your enterprise web application? Meder Kydyraliev discovered that an single HTTP request with just five special parameters is enough to execute arbitrary Java code on the webserver. Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from security@struts.apache.org.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

• Java Trusted Method Chaining (CVE-2010-0840)

  Credit: Sami Koivu

  This exploit basically breaks the whole Java security model. It's more a demonstration of a new bug class than just one vulnerability. Apple patches Java three months after every new exploit comes out, and none of the IDS/AV companies could figure out how to write this exploit, so there was really no defence for quitea long time. Custom Java compilers doing complex, cross platform, 100% reliable exploits For The Win!.

Pwnie for Best Privilege Escalation Bug

Award to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

• Windows NT #GP Trap Handler (CVE-2010-0232 )

  Credit: Tavis Ormandy

  One of the most complicated vulnerabilities of 2010, this privilege escalation bug required more than a few tricks to exploit. Its discovery shows a rare understanding of some of the more obscure aspects of the Intel architecture. The bug was present in all versions of Windows from NT 3.1 all the way up to Windows 7.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

• Flash Pointer Inference and JIT Spraying

  Author: Dionysus Blazakis

  Dion presented two new techniques for defeating ASLR and DEP using the Flash AVM2 virtual machine and JIT engine. His work was novel and opened up a new direction in exploitation research.

Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

• LANRev remote code execution

  Vendor: Absolute Software

  The LANRev remote administration program gained a lot of publicity when it was used by the Lower Merion School District in Pennsylvania to spy on their students at home. Addiging fuel to the fire, Leviathan Security found out that the LANRev software had a vulnerability that allowed anybody on the local network to take full control of any computers running the LANRev software. The response from the software vendor was hilarious:

  “Is it theoretically possible [to exploit this]? Of course it is,” said Tim Parker, vice president of research and development for Absolute. “[But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch.”

  Read more

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? There is strangely enough a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather then let it become anyone else's turn, we have a new rule. Nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:

• Pwned - 1337 edition

  Dr. Raid and Heavy Pennies

  you wont find shit...why is that?
  my shell code repairs the app's entire stack
  looking at your application and I'm salivatin'
  cuz you failed validation on sized allocations
  calibratin' for my address offsets
  your process just joined sophsec's botnet
  ... jack you by the IP octet
  and that goes for any kiddie that talks shit
  if I talked it I popped it
  code that I audit I found holes & locked it
  you couldn’t overflow the kitchen sink
  let me show you how it works
  (click click) click this link

  Play track

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL.

• Microsoft Internet Explorer 8 XSS filter

  Internet Explorer 8 was released with built in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail.