Nominations for Pwnie Awards 2013
Pwnie for Best Server-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Ruby on Rails YAML (CVE-2013-0156)
While lots of Ruby libraries like YAML, Ruby on Rails likes it the most. This vulnerability leads to remote SQL injection and arbitrary Ruby code execution on the server, bringing down a wide variety of Ruby on Rails web sites.
Cryptographic flaws in the Oracle Database authentication protocol (CVE-2012-3137)
Esteban found the only thing better than brute forcing database passwords online: brute forcing them offline with super fast GPUs, without leaving a trail of failed attempts in the server logs.
SAPRouter Remote Heap Overflow
SAProuter is an application which is exposed to the Internet for providing updates to corporate SAP systems and for connecting to different office locations and subcontractor systems. Almost every third company exposes this service on the default port 3299. It is a very small application which simply routes packets, but it contains multiple exploitable heap overflows, compromising many large enterprises.
Asterisk Stack Overflow (CVE-2012-5976)
Last November, drraid demonstrated the exploitation of a server-side bug in Asterisk, which really liked putting HTTP request buffers all over its stack. He used multiple threads to disclose memory and control EIP despite the PIE and ASLR protections provided by the Linux kernel.
Not to be outdone by Asterisk, nginx wanted to overflow with HTTP headers too. And if one overflow was not enough, a second exploitable variant was found and patched shortly after the first.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.
WebKit SVGElement Type Confusion (CVE-2013-0912)
Use-after-free bugs in web browsers are so 2012. At CanSecWest, Nils and Jon used their SVG type confusion exploit as their first step into owning Chrome. In addition to using the vulnerability for code execution, they used it to leak out all of chrome.dll to search for ROP gadgets because Chrome updates every few days, especially right before Pwn2Own.
Adobe Flash Player RegExp Overflow (CVE-2013-0634)
Microsoft Internet Explorer VML (CVE-2013-2551)
At CanSecWest last March, VUPEN dropped their exploit for an integer overflow in array resizing of a Vector Markup Language (VML) element property. Do not be fooled by the version of this exploit in Metasploit that uses heap sprays and Java to bypass DEP and ASLR. VUPEN's exploit needed neither before gaining code execution in IE10 on Windows 8.
Adobe Reader Buffer Overflow and Sandbox Escape (CVE-2013-0641)
Just in time for last Valentine's day, FireEye found a sophisticated PDF attack in the wild that exploited Adobe Reader and escaped its sandbox. This exploit wanted to show its love for clipboard buffer lengths all in a pure-ROP payload.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Linux kernel perf_swevents_init (CVE-2013-2094)
win32k.sys EPATHOBJ::pprFlattenRec uninitialized pointer (CVE-2013-3660)
No privilege escalation nomination list would be complete without at least one entry from win32k.sys. This year Tavis provides a great example of a subtle bug that works on Windows XP through Windows 8.
According to statistics from February, the evasi0n exploit works for at least 5 million people every time they boot their iPhone. It bypasses code signing by interposing with an incomplete codesign bug in the dynamic loader. It bypasses user space ASLR by using the dynamic linker. It exploits an untrusted pointer in the kernel with some help from a heap info leak, the ARM data abort interrupt handler and some techniques by Tarjei Mandt and Mark Dowd.
Motorola TrustZone array OOB write (CVE-2013-3051)
Dan Rosenberg exploited a bug in Motorola's TrustZone kernel on all of Motorola's Qualcomm-based Android devices allowing their boot-loaders to be irreversibly unlocked.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Juliano and Thai broke the Internet for the third time in a row and all they got was one little pony? CRIME should pay them something, if not for the reasons below, then just for the sake of coming up with cool names.
Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
The research consisted of two major parts: employing CPU-level OS instrumentation to locate potential double fetch vulnerabilities in the kernels of different operating systems, and discovering and testing practical means of exploiting such memory-bound race conditions in practical scenarios. Not only is the topic interesting, but Bochspwn was used to find at least 37 vulnerabilities in the Windows kernel and drivers (plus some minor system crashes).
Leaking Addresses with Vulnerabilities that Can't Read Good
Paul @pa_kt presented a new kind of timing attack to bypass browser ASLR in Firefox without using an information disclosure vulnerability or another direct memory read primitive. Paul's technique is based on the observation that user-controlled elements and address space information (such as pointers), when stored in a shared container without a constant lookup time, can be abused to infer the value of such pointers without directly reading them. Paul's presentation was bundled with Dion Blazakis' GC woah technique at Summercon, whose graphics are too embarrassing to describe as part of this nomination. Dion showed that garbage collectors can sometimes be confused about when to mark pointers for release, and that this can be abused for side-channel attacks against ASLR.
Page Fault Liberation Army
Sergey Bratus and Julian Bangert managed to build a Turing-complete virtual machine out of the x86 MMU, demoed by Conway's Game of Life with *ZERO* native instructions. All computation is performed by either a single fault or a double fault in the MMU.
Practical Timing Side Channel Attacks Against Kernel Space ASLR
The authors presented an innovative technique for defeating kernel ASLR, using a generic side channel attack against the memory management system to deduce information about the privileged address space layout.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song?
SSH to Your Heart
Laser sounds, funny lyrics, and a catchy tune make a great Best Song nomination. The Judges would also like to point out that this nomination's chances of winning are greatly increased by Snubsie showing up to the Pwnie Awards ceremony.
Another highly-technical track from Not Your Average Nerd.
Finally, a nomination that's not rap! Maybe next year we'll get one that also isn't a cover. We gotta keep raising that bar.
All the Things
Something tells me that this song's chorus will be quite popular in Vegas this year...
WatchGuard's Security Shop
This nomination's chances of winning can be increased by having those two guys wear those awesome threads from their video to the Pwnie Awards ceremony. Just sayin'.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.
Cryptographic failures in CryptoCat
Go home, cryptocat, you are drunk. Steve Thomas wrote decryptocat and destroyed just about two years of Cryptocat's crypto. It turns out that writing crypto safely is hard, let's all go write anti-virus products instead.
Isn't anti-virus supposed to improve your security, not make it worse? Tavis showed that Sophos is clearly doing it wrong by demonstrating a large number of vulnerabilities in Sophos, including a pre-authentication remote root bug!
Android "Master Key" Vulnerability
Despite the excessive hype surrounding the Android application signature flaw, the bug affected 99% of Android devices and allowed attackers to backdoor apps without invalidating their signature. Luckily, there haven't been any signs of malicious Android apps in the wild. Oh wait.
U.S. Govt Destroys $170k worth of Hardware in Hunt for Non-Existent Malware
Someone said, "all of the mice in this building are infected with bugs" and somehow the Economic Development Administration (EDA) thought they meant computer mice and proceeded to destroy all of them. We, however, find this method to be quite labor-intensive and just recommend burning the entire building down. It's faster, safer, and cheaper.
Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning
Quoting from the article published in Hakin9 magazine: "The concept of autonomous methodologies has been studied before in the literature. Next, the well-known framework by David Johnson et al. does not store Smalltalk as well as our method. Further, Wilson and Zhao originally articulated the need for the understanding of linked lists. It remains to be seen how valuable this research is to the software engineering community. Ultimately, the methodology of R. Zhao et al. is a theoretical choice for the exploration of super-pages. Our design avoids this overhead."
We couldn't have said it better.
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
Internet Census 2012
The anonymous researcher built a botnet out of one hundred thousand home routers and used it to repeatedly portscan the entire Internet, including a full service scan. They released a full paper about it and 10TB of data from the port scans.
Cyber Fast Track
Mudge hacked the government! He opened up DARPA funding to hackers, allowing talented people to be paid government money to do groundbreaking research and keep their own IP. It also showed people used to the capabilities of the defense industrial base what real security experts could do, drastically changing what they expected of all researchers they funded afterwards. Over 100 projects were funded, and the results of many of them were subsequently released publicly.
APT1 pwnage by malware.lu
After Mandiant published their report on the APT1 group, malware.lu upstaged them by owning C&C infrastructure of APT1. They scanned for Poison Ivy C&Cs, developed a custom John the Ripper extension specifically for Poison Ivy's encryption algorithm, exploited a (known) buffer overflow in the C&C to gain access to all the C&Cs they found, revised the Metasploit module for it to improve the remote exploit so that it could accept a non-default connectback password, wrote a great deal of custom shellcode from scratch to properly hide their presence, discovered a brand new homemade RAT on one of the servers, reversed it to bruteforce its password, wrote a scanner to find C&C servers running it, discovered and wrote an exploit for a RCE buffer overflow vulnerability they found in that, and wrote a Metasploit module for it...
Edward Snowden's leak of NSA secrets was an epic example of the insider threat to information security, while his revelations convinced many that the entire Internet is thoroughly and epically owned!