Pwnie Awards 2015
Nominations for Pwnie Awards

The Pwnie Awards will accept nominations for bugs disclosed over the last year, from July 1, 2014 to June 30, 2015.

Nominations will be accepted until June 30. The top five nominees in each category will be announced on the website and the judges will gather at an undisclosed location to vote on the winners. The judges are of course disqualified from winning any Pwnie awards.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • SAP LZC LZH Compression Multiple Vulnerabilities (CVE-2015-2278, CVE-2015-2282)

    Credit: Martin Gallo

    SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. Basically a single bug that pwns almost ALL SAP products and services.

  • Clobberin' Time (CVE-2014-9293, CVE-2014-9295)

    Credit: Stephen Röttger and Neel Mehta

    A chain of bugs lead to RCE in ntpd through: broken source IP check for access control, weak default key in configuration interface, an infoleak, and then finally sweet, sweet buffer overflow.

  • Magento(CVE-2015-1397)

    Credit: Netanel Rubin

    Netanel took the most popular e-commerce platform in the world, holding 30% of the web's online shops, and ripped them a new one, with a vulnerability in Magento core, affecting default installations (or practically any installation) since 2009. The exploit itself is built on a cascade of vulnerabilities in Magento's reflection and dynamic code loading mechanisms (all discovered by Rubin), and concludes with the cunningly innovative detection dodging technique of running code using PHP's 'phar://' stream wrapper. The exploit, allowing silent unauthenticated remote code execution on hundreds of thousands of online shops, was dubbed "Shoplift", and awarded the maximum allowed bounty per the eBay (Magento owners) program - 20,000 USD, wreaking havoc in the e-commerce admin world. Recent Magento compromises may be attributed to these findings. On top of it all, the public disclosure and exploit were released on the day of Magento's annual developer conference.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Will it BLEND? (CVE-2015-0093, CVE-2015-3052)

    Credit: Mateusz ‘j00ru’ Jurczyk

    The "BLEND" opcode font bug was in a shared code base used both in Adobe Reader font renderer and Microsoft Windows Kernel (32-bit) font renderer. It allowed both to get code execution in Adobe Reader using a font embedded in a PDF file, and to later escape the sandbox and get SYSTEM rights by exploiting the exact same bug in the shared codebase in the Windows Kernel (ATMFD.DLL driver, part of Windows GDI).

  • Sandworm (CVE-2014-4114)

    Credit: Unknown

    The CVE-2014-4114 (a.k.a. the "Sandworm") zero-day attack was first disclosed by iSIGHT Partners in October 2014, it's believed to be used in Russian cyber-espionage campaigns targeting many sensitive organizations including the NATO. For the technical part, the most interesting point is that this is a logic bug (better considering it's a "feature", yeah!) in the "Packager" OLE object, which allows Office to perform context menu actions on embedded file object automatically. Since it's a logic bug, the exploit runs quite smoothly and reliably, even with effective exploitation mitigation tools such as EMET installed. All these have made the vulnerability become the premier choice for later exploit kits and cyber attacks that target Office. Another interesting point is that Microsoft failed to patch the bug (though they did stop the original exploit samples) in its initial fix MS14-060, the vulnerability was finally resolved in the 2nd fix MS14-064 with a new ID CVE-2014-6352 assigned.

  • It's ESET Up!

    Credit: Tavis Ormandy

    Tavis' ESET shadow stack vulnerability is a backhanded slap to the Slovakian AV vendor, highlighting the massive pwnage possible by exploiting security solutions. Not only did Tavis disclosed a remote code execution vulnerability 4 days after reporting, this one is in the signature engine, available in practically any ESET product, has a thousand remote vectors (email/network/usb/web), is cross-platform and OS independent, AND he released a CUSTOMIZABLE WORKING EXPLOIT with a makefile and worm payload. He let them have it. The vuln is pretty cool, too, manipulating the real ESP via a shadow emulated stack pointer. A truly epic one.

  • W3TotalFail

    Credit: Mazin Ahmed

    W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • Rowhammer

    Credit: Mark Seaborn and Thomas Dullien

    Mark Seaborn and the little known "Thomas Dullien" bring us memory (DRAM) bit flips after repeated memory access causes electrical charges to cross DRAM cells. Working Linux exploits were produced to gain userland to kernel privs, and other OSes are suspected to work too. Vulnerable machine count and fix plan is still under evaluation.

  • PingPongRoot (CVE-2015-3636)

    Credit: memeda, wushi, idl3r, Qoobee

    KeenTeam has released a root privilege escalation exploit called pingpongroot, which roots Galaxy S6 and more coming soon. It exploits a use-after-free Linux kernel bug triggered via two connections over a ping socket. The exploit works on Android devices >= 4.3, including the latest 64bit Android devices and bypasses PXN kernel isolation. This work is being presented at Black Hat USA 2015 by Keen team member Wen Xu.

  • UEFI SMM Privilege Escalation

    Credit: Corey Kallenberg

    Firmware update code in the open source UEFI reference implementation was identified as containing several vulnerabilities last year. Successful exploitation resulted in the ability for a privileged ring 3 process to stage a payload in the context of the firmware and then invoke and exploit the vulnerable UEFI firmware update code. This userland (ring 3) to firmware/SMM ("ring -2") privilege escalation vulnerability is present on the majority of PC OEMs, affecting over 500+ *models* from HP alone. Other vendors have also issued patches for dozens of their models, and because the UEFI reference implementation is used as the starting point by many OEMs, many other vendors are known to be vulnerable that will probably never acknowledge it, or release patches. Work by Corey Kallenberg, Xeno Kovah, John Butterworth and Sam Cornwell.

  • Wild TTF Overflow

    Credit: @promised_lu and @zer0mem

    This win32k bug, still unpatched, resides in the TrueType Font code shipped with win8.1. Details regarding the exploitation technique and a high abstracted description of the bug were presented at recon this year, and the exploit was used to win at pwn2own 2015.

  • Will it BLEND? (CVE-2015-0093, CVE-2015-3052)

    Credit: Mateusz ‘j00ru’ Jurczyk

    The "BLEND" opcode font bug was in a shared code base used both in Adobe Reader font renderer and Microsoft Windows Kernel (32-bit) font renderer. It allowed both to get code execution in Adobe Reader using a font embedded in a PDF file, and to later escape the sandbox and get SYSTEM rights by exploiting the exact same bug in the shared codebase in the Windows Kernel (ATMFD.DLL driver, part of Windows GDI).

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • ret2dir

    Credit: Vasileios P. Kemerlis, Michalis Polychronakis, and Angelos D. Keromytis

    ret2dir is a new kernel exploitation technique that uncovered how fundamental OS design practices and implementation decisions can significantly weaken the effectiveness of state-of-the-art kernel protection mechanisms.

    Return-to-user (ret2usr) attacks are the de-facto kernel exploitation technique in commodity OSes. In a ret2usr attack, kernel code or data pointers are overwritten with user-space addresses after exploiting certain memory corruption vulnerabilities in kernel code. This allows attackers to execute shellcode with kernel rights by hijacking a privileged control path and redirecting it to user space memory, easily circumventing protections like kernel ASLR and NX. In essence, ret2usr attacks take advantage of the weak separation of the kernel context from user space (i.e., kernel code and data are inaccessible from code running in user mode, but the kernel has complete and unrestricted access to the whole address space, including user code and data), as for performance reasons the kernel is typically mapped into the address space of every running process. In response to such attacks, several kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and data accesses from kernel to user space. Intel and ARM recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features.

    In their work, Kemerlis et al. showed that although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit sharing still exist due to fundamental OS design choices that trade stronger isolation for performance. They demonstrated how implicit data sharing can be leveraged for the complete circumvention of software and hardware kernel isolation protections, by introducing a new kernel exploitation technique, dubbed return-to-direct-mapped memory (ret2dir). ret2dir bypasses existing ret2usr protections, such as PaX's KERNEXEC and UDEREF, Intel's SMEP and SMAP, as well as ARM's PXN, by taking advantage of the kernel's direct-mapped physical memory region. They also presented techniques for constructing ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets that bypass all tested protection mechanisms (KERNEXEC, UDEREF, SMEP, SMAP, and PXN). Finally, to mitigate ret2dir attacks, they also discussed the design and implementation of an eXclusive Page Frame Ownership (XPFO) scheme for the Linux kernel that prevents the implicit sharing of physical memory pages.

  • Modern Platform-Supported Rootkits

    Credit: Rodrigo Branco and Gabriel Barbosa

    The presentation is innovative because it demonstrated the dangers of composed assumptions in Modern Computing Environment. The presenters uncovered lots of hidden functionalities in modern Intel architecture to prove their points. In the materials, they also released new techniques that makes it impossible for software to defend itself due to the decisions of the hardware and how to avoid such confusions in the future. They unveiled new ways for malware to protect themselves, splitting functionalities and ways to abuse platform capabilities to hook system properties. To finalize, they also expanded current understanding of computer caches to a new level, using software-only ways to create cache async and bypassing forensic tools (with demonstrable proof that previous research lacked).

  • Threatbutt Advanced Enterprise Platform

    Credit: ThreatButt

    The leading paper on threat intelligence and advanced cyber detection of cyber threaty threats.

  • Abusing Silent Mitigations

    Credit: Abdul-Aziz Hariri, Simon Zuckerbraun, Brian Gorenc

    In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.

  • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

    Credit: David Adrian et al.

    This paper introduces the Logjam attack, a vulnerability that allows a man-in-the-middle attacker to downgrade TLS connections to 512-bit export-grade Diffie-Hellman and recover the session keys. It then goes on to make a convincing case that the NSA is already doing this for 1024-bit Diffie-Hellman. Although this would require an enormous investment in computing power (perhaps the biggest secret crypto project since WW II), it would allow them to passively eavesdrop on about half of encrypted VPN and SSH traffic. This explanation precisely fits the crypto breaks described in the Snowden leaks. This paper is a landmark result, in that it uncovers a major blindspot in the relation between crypto theory and security practice, introduces a novel TLS break that is practical to exploit today, and solves a major open question about government mass surveillance capabilities.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • "A Peek Under The Blue Coat"

    Credit: BlueCoat

    The bluecoats are coming! The bluecoats are coming! ... for your talk.

    BlueCoat, the web proxy hardware of choice for silently intercepting and blocking SSL traffic, proved itself also quite capable at silently intercepting and blocking security research. Raphaël Rigo was to present his research on the internals of BlueCoat's ProxySG operating system at SyScan this year, but BlueCoat blocked it. Well-known CISOs became enraged and refused spending their budget on them while security researchers on Twitter reacted more diplomatically.

  • Seagate NAS RCE

    Credit: Seagate

    OJ Reeves found a multi-stage RCE vulnerability in Seagate NAS devices. That was the fun part, next came the actual work: notifying and managing disclosure with the vendor. Not surprisingly, it took real work. After the initial 100 days was close to running out, complaining on Twitter actually got someone to put him in contact with someone at Seagate who was interested in helping. OJ gave them another 30 days before publishing his advisory.

    Seagate's response was to immediately downplay the issue to journalists and make sure that no messy "facts" got in the way of their reporting of the vulnerability and demonstrate just how proactive they are about security.

  • Samsung Swift Keyboard MITM RCE

    Credit: Samsung

    NowSecure's Ryan Welton discovered that Samsung's pre-installed Swift keyboard had a itty-bitty, remote-code-execution-as-user-system vulnerability. Samsung asked for 1 year to fix it, and then 3 more months. Just for good measure, Ryan delayed disclosure by yet another 3 months. Hopefully Samsung is working on patching the 600M vulnerable devices all running carrier-dependent firmware images. In the meantime, users should disable or uninstall the pre-installed Swift keyboard. Oh wait, they can't. Security-conscious users should take precautions such as: not connecting to untrusted wifi networks or carrier cellular networks, disabling WiFi and cellular data, or just not using Samsung devices.

Pwnie for Most Overhyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • "Try Harder!"

    Credit: Offensive Security

    This reggae/reggaeton track mixes smooth vibes with abrasive advertising and buzzwords to sell listeners on the qualifications of their staff and services.


  • "Integer Overflow"

    Credit: NYAN

    This is a song, sort of. Not-Your-Average-Nerd, NYAN returns with another hacker jam, this time describing his passion for a particular class of vulnerabilities.


  • "Clean Slate"

    Credit: YTCracker

    YTCracker brings the cheese with an 80s synth cyberpunk feel, telling a tale from the perspective of a hacker seeking a clean slate to escape his dark surroundings.


  • "Spierdalaj Kurwa"

    Credit: Acid Flux, Dariush Gee

    A nomination was put in for a third-party (non-security industry) track, which is fine, except that it was from 2011. This nomination has been replaced with the new 2015 album by The Prodigy.


Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Oh, Please... Man!

    Credit: U.S. Office of Personnel Management

    Remember when you applied for that security clearance and you told a federal employee all the vile things you’ve ever done? Good news, now everyone knows. Wait that might not be good news. Regardless, the OPM let you and everyone else down. So much so, that the USA government might actually be pulling covert agents out of foreign countries. USA #1 (in awful federal data breaches).

  • We're Not Quite Sure

    Credit: Plus Bank

    All this shit is in Polish so we can't begin to understand the story or be troubled with using Google translate, but apparently a bank in Poland got popped and then pulled a 40 year old mid-life crisis move and denied everything regardless of the evidence against them. We almost have to tip our hat to anyone that can live a lie of that magnitude. Kudos Plus Bank!

  • Peepin' on the Creepin'


    As a group of people who have been cheating on their operating system for years (Dino really loves Windows Vista), the Ashley Madison hack hits close to home. The biggest plus side is that we’ve heard that all buildings below 101st street in Manhattan are being powered by divorce lawyers rubbing their hands together. It will be interesting when the first party links the OPM data with the Ashley Madison cheat list. Public Service announcement, if you’re going to cheat on your spouse please go old school and hook up with the pool boy.

    ProTip: Say that it wasn't you.

  • ManageEngine

    Credit: Zoho Corp.

    ManageEngine apparently is some IT software that someone finally decided to audit and they won vulnerability bingo. RCE, SQL injection, file downloads, information disclosures and just about every other type of vulnerability known to man. We’re just speculating but it appears that this software was designed as a reading comprehension test for The Art of Security Software Assessment. Unleash this Pokeball of vulnerabilities and collect them all!

  • Aviator

    Credit: WhiteHat Security

    WhiteHat security released their own web browser called ‘Aviator’, which we can only assume was named after movie starring Leonardo DeCaprio as Howard Hughes. Apparently, writing a secure web browser is hard (editor’s note: let’s go shopping) and it had quite a few weaknesses as pointed out by some no-names (Justin Who?) at Google. Secure by default is always hard, even when adopting the Chromium code base.

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.

  • Ivan Arce

    Behind every hacker crew is their spirit leader, and Ivan Arce is Argentina's answer to this. Long time industry expert and co-founder of Core Security, Ivan has fostered a generation of hackers and security professionals. He has been an industry driving force since the late 90's, and continues to usher in the next generation of offense-oriented experts and technology.

  • Gera Richarte

    If Ivan is Argentina's hacker spirit leader, Gera is the truth teller. Gera has been demonstrating fact from fiction in exploit development circles since the late 90's, and continues to lead the technical community.

  • Wu Shi

    Shanghai-based researcher Wu Shi has been setting the bug bounty payday standard since the concept was invented. His work in browser exploitation, phone hacking, and vulnerability research has lead to the Keen team winning at pwn2own for 3 consecutive years and he continues to share results at conferences such as this one here, now.

  • Halvar Flake

    His LinkedIn title reads "staff engineer" which is typical underplayed Halvar. We can't even begin to list his achievements and industry input here. Google him, and not just because they bought him.

  • Rolf Rolles

    Long time reverse engineer, anti-software protection/deobfuscation expert, and Halvar protegee Rolf Rolles has been cranking out research papers and leading efforts in RE circles for over a decade. Rolf was the primary engineer behind BinDiff and VxClass, the products that led to Google's acquisition of Zynamics in 2011. Rolf is also the creator and moderator of the Reverse Engineering Reddit and has a track history of sharing his knowledge and results with the community as an author and teacher.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Kaspersky Lab

    Credit: Duqu 2.0

    If everyone else sees Chinese hackers everywhere, Kaspersky Lab sees Duqu everywhere, even on their own network. Kaspersky has attributed the attack and malware to "The Letters Gang", so named for their predilection for using the alphabet to form words.

  • Hacking Team

    Credit: Maybe China

    That's a spicy mal-a-ware! Hacker Daytime Television (also known as Twitter) hasn't been this good in years.

  • U.S. Office of Personnel Management

    Credit: Probably China

    Anyone who thinks that the details of the personal lives of millions of federal workers are even remotely interesting has clearly never worked with any of them. So, it was probably China, who will have to setup thousands of specialized "OPM dens" to painstakingly read through all of them.

  • The World

    Credit: Definitely China

    After being blamed for being behind a cyberattack every time that some elderly computer user can't print out an e-mail, China now has to actually hack everything everywhere just in order to live up to everyone's expectations of them. They are the real victim here.

  • Samsung Swiftkey Keyboard Bugdoor

    Credit: Samsung

    This is a non-memory corrupting RCE. It required no user interaction and was possible by any attacker in a position to perform MITM attack. No authentication at all. Vulnerable devices include basically every Samsung device made from the past ~2.5 years, including current flagships. This was discovered in 2014, but gave the vendor lots of time to fix it due to the high number of affected users and severity. It was discovered and publicly disclosed by Ryan Welton at BlackHat London, 2015.

    This nomination, however, goes to Samsung for backdooring their entire user population with a remotely exploitable, highly privileged, logic vulnerability that yields remote code execution. Bra-VO!

2016 Nominations open.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 3rd 2016
where BlackHat USA 2016, Mandalay Bay, Las Vegas