Nominations for Pwnie Awards 2014
Pwnie for Best Server-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without user interaction.
Abusing JSONP with Rosetta Flash (CVE-2014-4671)
Universal Same Origin Bypass in all websites implementing JSONP through a crafted printable-ASCII-only Shockwave Flash file.
The Heartbleed vulnerability was unleashed in April this year, starting a trend of giving vulnerabilities names, websites and logos. It was also a cool bug. This bug had a significant impact on both Yahoo! webmail users and any firm using Amazon's Elastic Load Balancers (ELBs). For almost a full day, anyone visiting the Yahoo! webmail application or an ELB-backed cloud service was at risk of having their cleartext credentials exposed. Yahoo! approached this problem by forcing password resets. The other 10,000+ companies using ELB likely did not.
Who needs DROPMIRE, FEEDTROUGH, or a state intelligence agency budget to backdoor production servers when over 250,000 servers expose their IPMI interface to the internet, plus countless internally exposed servers, including products from vendors such as IBM, Dell, HP, and Supermicro? Ironically, Dan Farmer started his dismemberment of the IPMI specification as part of a DARPA Cyber Fast Track (CFT) project in 2012, but his original publication in 2013 was generally overlooked, and it was only internet-wide scans that confirmed what he suspected: hundreds of thousands of servers, which could otherwise be secure, were exposing their IPMI out-of-band management interface to the world. This kicked off a feeding frenzy of vulnerability research, leading to the discovery of numerous additional vulnerabilities in specific vendor implementations of the IPMI protocol.
Supermicro was by far the most exposed, with over 30,000 systems trivially rootable via a vulnerable UPnP library, numerous stack overflows in their web interface, and exposure of the clear-text administrative password of the device through a publicly accessible URL. IPMI, as both a standard and a typical implementation, has effectively become a persistent hardware backdoor across millions of deployed systems. The older version of the remote protocol (1.5) supports "null" authentication, while a large portion of new implementations (2.0) support "Cipher Zero", which also provides unauthenticated access as the user of your choice. Finally, baked into the IPMI protocol specification itself is an authentication protocol that will send you the unsalted MD5 hash of a given user's password during the challenge-response phase. Although Dan was not responsible for all of the results, he certainly deserves credit for identifying design-level vulnerabilities in a commonly deployed out-of-band management interface and jumpstarting efforts from a half-dozen other researchers. His latest research, "Sold Down the River", estimates that over 90% of exposed IPMI interfaces could be compromised through known protocol weaknesses and misconfigurations alone. IPMI is dead. Long live IPMI (exploits).
The /dev/ttyS0 blog has been a source of both amusement and horror since it was established, documenting the ridiculously insecure interfaces that control consumer networking products. Craig has taken device manufacturers to task for repeatedly adding backdoors to their products and deploying abominably insecure code across a wide variety of products. In many ways, Craig is responsible for shining a light on how abysmal the security of these products is today and the anemic measures taken by the vendors to address his findings. Read the blog, laugh, cry, pwn some random D-Link DSP-W215 power outlets, and watch the world burn.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.
Google Chrome Arbitrary Memory Read Write Vulnerability (CVE-2014-1705)
Geohot won the Pwnium contest by chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory.
The Heartbleed vulnerability was primarily a server flaw, but it also affected SSL clients, many of which will probably never be patched.
Pwn4Fun Safari vulnerability (CVE-2014-1300)
Ian Beer entered the pwn4fun contest at CanSecWest with a Safari exploit demonstrating some cool heap overflow exploitation techniques.
Goto Fail (CVE-2014-1266)
Contrary to popular belief, two gotos are not always better than one. In some cases, they may overflow the Internet goto buffer and wrap around the value of the goto such that it disables TLS. Oops.
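As an added illustration (not code from the original page or from Apple's SecureTransport), this constructed C model reproduces the control flow of CVE-2014-1266 with a stand-in hash and signature check: the duplicated, unindented goto jumps to the cleanup label while err is still 0, so the final digest and the signature comparison are never computed and a bad signature is accepted; the braced version rejects it.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the SecureTransport hash context and
 * sslRawVerify; the real code uses SHA-1 and an RSA/ECDSA check. */
typedef struct { uint32_t h; } hash_ctx;

static int hash_init(hash_ctx *c) { c->h = 2166136261u; return 0; }   /* FNV-1a seed */
static int hash_update(hash_ctx *c, const char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->h ^= (uint8_t)p[i]; c->h *= 16777619u; }
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }

/* Stand-in for sslRawVerify: the "signature" is the digest the peer claims. */
static int raw_verify(uint32_t digest, uint32_t signature) {
    return digest == signature ? 0 : -1;        /* 0 = OK, nonzero = failure */
}

/* Mirrors the CVE-2014-1266 shape: the second goto is unconditional, so the
 * function returns err == 0 ("verified") before raw_verify ever runs. */
int verify_vulnerable(const char *params, size_t n, uint32_t signature) {
    hash_ctx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                              /* the extra goto */
    if ((err = hash_final(&ctx, &digest)) != 0) /* unreachable from here on */
        goto fail;
    err = raw_verify(digest, signature);
fail:
    return err;
}

/* Same logic with braces: each goto is bound to its condition, so a wrong
 * signature always reaches raw_verify and is rejected. */
int verify_fixed(const char *params, size_t n, uint32_t signature) {
    hash_ctx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = raw_verify(digest, signature);
fail:
    return err;
}

/* Helper: the digest a genuine signature over these params would carry. */
uint32_t expected_signature(const char *params, size_t n) {
    hash_ctx ctx; uint32_t d = 0;
    hash_init(&ctx); hash_update(&ctx, params, n); hash_final(&ctx, &d);
    return d;
}
```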
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
AFD.sys Dangling Pointer Vulnerability (CVE-2014-1767)
Filling in this year for win32k.sys, AFD.sys helped Sebastian win pwn2own 2014. This exploit is a great example of using a kernel exploit to escape the Internet Explorer 11 sandbox on Windows 8.1.
VirtualBox VM Breakout using 3D Acceleration (CVE-2014-0981)
Oracle’s VirtualBox allows guest virtual machines to perform quick 3D operations. Francisco found several vulnerabilities in this interface and exploited them to escape from the guest virtual machine into the host.
Linux Futex Bug (CVE-2014-3153)
How epic can a bug be if it is found by comex and then exploited by geohot? This exploited the Linux kernel to get root on the Samsung Galaxy S5 and many Linux distributions.
evasi0n iOS 7.0 jailbreak
For the second year in a row, the evad3rs team gets a Pwnie nomination for exploiting Apple iOS. This time they chained together at least 4 exploits, to defeat code signing and exploit the iOS kernel.
Pangu iOS 7.1 Jailbreak
What's more exciting than one iOS jailbreak? Two iOS jailbreaks. A new team hit the jailbreak scene in 2014 with a jailbreak for Apple iOS 7.1. Tracing the origin of the bugs is difficult, because Stefan Esser claimed that parts of the jailbreak were taken from his iOS training class, and who knows who else had the same bugs. The lesson is something hackers should have learned years ago: if you disclose your bugs even to a single person, they are probably going to be leaked.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Hardware-assisted Memory Corruptions
Ralf explored the exploitability of hardware bug conditions, specifically ARM errata, that may be triggerable by software and lead to memory corruption. His work shed light on a whole new area not too many have been considering before and could have major implications further down the road.
Bypassing Windows 8.1 Mitigations using Unsafe COM Objects
James Forshaw demonstrated a new technique for exploiting memory corruption where the only value you could write is the number 0. His research overcame existing exploitation mitigations and led to him winning the first Microsoft Mitigation Bypass bounty.
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
In this fascinating paper, the authors describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. They experimentally demonstrated that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
Windows 8 UEFI Secure Boot Bypasses
The researchers presented a blind ROP technique for exploiting remote stack overflow vulnerabilities and bypassing both ASLR and NX without having access to the target binary. While not a particularly novel idea, their implementation was impressive.
Pwnie for Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
This is probably not the best way to respond to a security researcher:
"I tried to be polite in reporting the issue, firstly using your contact form and then (seeing I haven't received any reply) using your community forum. I just asked for an email address where to send the vulnerability's details,"
it was not ignored dick head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!
To report vulnerabilities in FireEye products, please email security[at]FireEye.com. Uhh, Ouch.
AVG Remote Administration Insecure "By Design"
Declaring reported security weaknesses "by design" is so much less work than actually fixing them. Hey, anybody want to get some fro-yo?
Faulty Ignition Switch
When an issue is handled well, the CEO is rarely dragged before Congress and told by a Senator that, "You don't know anything about anything."
Why is this being nominated for a Pwnie? Because like it or not, cars are running increasingly more complex software and can now get hacked remotely. Welcome to the "Internet of Explodey Things".
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song?
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.
We don't take kindly to "Pwnie Bait" vulnerabilities that have been introduced and named just to earn the coveted Epic FAIL Pwnie, but we'll let this one slide, Apple.
Eric S. Raymond's "The Cathedral and the Bazaar" contained what has become known as Linus' Law: "Given enough eyeballs, all bugs are shallow." Every Psychology 101 textbook, however, also describes the Bystander Effect, or Diffusion of Responsibility, whereby a person is less likely to take responsibility for action or inaction when others are present. Heartbleed fought Linus' Law and Heartbleed won.
FireEye detected it, 24x7 outsourced information security monitoring saw the alert and notified Target's SOC, who promptly... hey, anybody want to get some fro-yo?
ISC2 Optional Membership Fee
The (ISC)^2 website had a vulnerability where one could submit a negative amount for their membership fees and get it for free. If anyone knows any information security professionals, can you ask them to give this non-profit some pro-bono help?
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
You may have heard of this vulnerability called Heartbleed. It affected over 500,000 servers on the internet. It also made half of the internet change their passwords. There is even a website that gives you bytes of memory from random servers on the Internet. Heartbleed also had the largest advertising budget of any Pwnie nomination this year.
Largest credit card breach in history. Owww.
Their parting words of wisdom:
“Please don’t store Bitcoins on an internet connected device, regardless of [if] it is your own or a service’s.”
The world's largest bitcoin exchange pumps up the price of BTC well above competing exchanges, stops allowing cash withdrawals, blocks bitcoin withdrawals, and finally comes crashing down claiming that they were hacked. All of this from an expat CEO living in Japan who was convicted of crimes in his home country in absentia. Hundreds of millions of dollars went missing and all blockchain analysis points to Mr. Karpelès either being the dumbest developer in the history of mankind or complicit in the theft of Mt. Gox users' funds.