Pwnie Awards 2014
Nominations for Pwnie Awards

The Pwnie Awards will accept nominations for bugs disclosed over the last year, from July 1, 2013 to June 30, 2014.

Nominations will be accepted until July 6. The top five nominees in each category will be announced on the website and the judges will gather at an undisclosed location to vote on the winners. The judges are of course disqualified from winning any Pwnie awards.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • Abusing JSONP with Rosetta Flash (CVE-2014-4671)

    Credit: Michele Spagnuolo

    Universal Same Origin Bypass in all websites implemeting JSONP through a crafted printable-ASCII only Shockwave Flash file.

  • Heartbleed (CVE-2014-0160)

    Credit: Neel Mehta and Codenomicon

    The Heartbleed vulnerability was unleashed in April this year, starting a trend of giving vulnerabilities names, websites and logos. It was also a cool bug. This bug had a significant impact to both Yahoo! webmail users and any firm using Amazon's Elastic Load Balancers (ELBs). For almost a full day, anyone visting the Yahoo! webmail application or an ELB-backed cloud service was at risk of having thier cleartext credentials exposed. Yahoo! approached this problem by forcing password resets. The other 10,000+ companies using ELB likely did not.

  • IPMI: Sold Down the River

    Credit: Dan Farmer

    Who needs DROPMIRE, FEEDTROUGH, or a state intelligence agency budget to backdoor production servers when over 250,000 servers expose their IPMI interface to the internet, with an innumerable number of internally exposed servers, including products from vendors such as IBM, Dell, HP, and Supermicro. Ironically, Dan Farmer started his dismemberment of the IPMI specification as part of a DARPA Cyber Fast Track (CFT) project in 2012, but his original publication in 2013 was generally overlooked, and it wasn't until internet-wide scans confirmed what he suspected; hundreds of thousands of servers, which could otherwise be secure, were exposing their IPMI out-of-band management interface to the world. This kicked off a feeding frenzy of vulnerability research, leading to the discovery of numerous additional vulnerabilities in specific vendor implementations of the IPMI protocol.

    Supermicro was by far the most exposed, with over 30,000 systems trivallly rootable, via a vulnerable UPnP library, numerous stack overflows in their web interface, and exposure of the clear-text administrative password of the device through a publicly accessible URL. IPMI, as both a standard and a typical implementation, has effectively become a persistent hardware backdoor across millions of deployed systems. The older version of the remote protocol (1.5) supports "null" authentication, while a large portion of new implementations (2.0) support "Cipher Zero", which also provides unauthenticated access as the user of your choice. Finally, baked into the IPMI protocol specification itself is an authentication protocol that will send you the unsalted MD5 hash of a given user's password during the challenge response phase. Although Dan was not responsible for all of the results, he certainly deserves credit for identifying design-level vulnerabilities in a commonly deployed out-of-band management interface, and jumpstarting efforts from a half-dozen other researchers. His latest research, "Sold Down the River" estimates that over 90% of exposed IPMI interfaces could be compromised through known protocol weaknesses and misconfigurations alone. IPMI is dead. Long live IPMI (exploits).

  • Embedded Device Hacking

    Credit: Craig Heffner

    The /dev/ttyS0 blog has been a source of both amusement and horror since it was established, documenting the ridiculously insecure interfaces that control consumer networking products. Craig has taken device manufacturers to task for repeatedly adding backdoors to their products and deploying abominably insecure code across a wide variety of products. In many ways, Craig is responsible for shining a light on how abysmal the security of these products are today and the anemic measures taken by the vendors to address his findings. Read the blog, laugh, cry, pwn some random D-Link DSP-W215 power outlets, and watch the world burn.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Google Chrome Arbitrary Memory Read Write Vulnerability (CVE-2014-1705)

    Credit: Geohot

    Geohot won the Pwnium contest by chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory.

  • Heartbleed (CVE-2014-0160)

    Credit: Neel Mehta and Codenomicon

    The Heartbleed vulnerability was primarily a server flaw, but it also affected SSL clients, many of which will probably never be patched.

  • Pwn4Fun Safari vulnerability (CVE-2014-1300)

    Credit: Ian Beer

    Ian Beer entereted the pwn4fun contest at CanSecWest with a Safari exploit demonstrating some cool heap overflow exploitation techniques.

  • Goto Fail (CVE-2014-1266)

    Credit: Anonymous

    Contrary to popular belief, two gotos are not always better than one. In some cases, they may overflow the Internet goto buffer and wrap around the value of the goto such that it disables TLS. Oops.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • AFD.sys Dangling Pointer Vulnerability (CVE-2014-1767)

    Credit: Sebastian Apelt

    Filling in this year for win32k.sys, AFD.sys helped Sebastian win pwn2own 2014. This exploit is a great example of using a kernel exploit to escape the Internet Explorer 11 sandbox on Windows 8.1.

  • VirtualBox VM Breakout using 3D Acceleration (CVE-2014-0981)

    Credit: Francisco Falcon

    Oracle’s VirtualBox allows guest virtual machines to perform quick 3D operations. Francisco found several vulnerabilities in this interface and exploited them to escape from the guest virtual machine into the host.

  • Linux Futex Bug (CVE-2014-3153)

    Credit: Comex and Geohot

    How epic can a bug be if it is found by comex and then exploited by geohot? This exploited the Linux kernel to get root on the Samsung Galexy S5 and many Linux distributions.

  • evasi0n iOS 7.0 jailbreak

    Credit: evad3rs

    For the second year in a row, the evad3rs team gets a Pwnie nomination for exploiting Apple iOS. This time they chained together at least 4 exploits, to defeat code signing and exploit the iOS kernel.

  • Pangu iOS 7.1 Jailbreak

    Credit: Pangu, Stefan Esser and maybe others

    What's more exciting than one iOS jailbreak? Two iOS jailbreaks. A new team hit the jailbreak scene in 2014 with a jailbreak for Apple iOS 7.1. Tracing the origin of the bugs is difficult, because Stefan Esser claimed that parts of the jailbreak were taken from his iOS training class, and who knows who else had the same bugs. The lesson is something hackers should have learned years ago: if you disclose your bugs even to a single person they probably going to be leaked.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Hardware-assisted Memory Corruptions

    Ralf-Philipp Weinmann

    Ralf explored the exploitability of hardware bug conditions, specifically ARM errata, that may be triggerable by software and lead to memory corruption. His work shed light on a whole new area not too many have been considering before and could have major implications further down the road.

  • Bypassing Windows 8.1 Mitigations using Unsafe COM Objects

    James Forshaw

    James Forshaw demonstrated a new technique for exploiting memory corruption where the only value you could write is the number 0. His research overcame existing exploitation mitigations and was led to him winning the first Microsoft Mitigation Bypass bounty.

  • RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

    Daniel Genkin, Adi Shamir, Eran Tromer

    In this fascinating paper, the authors describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. They experimentally demonstrated that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

  • Windows 8 UEFI Secure Boot Bypasses

    Yuriy Bulygin, Andrew Furtak, Oleksandr Bazhaniuk, John Loucaides from Intel Security, Corey Kallenberg, Xeno Kovah, John Butterworth, Sam Cornwell

    This is a joint nomination for researchers from Intel and MITRE who presented Secure Boot bypasses from kernel mode in 2013 and followed it up with multiple attacks from user mode in 2014.

  • Hacking Blind

    Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh

    The researchers presented a blind ROP technique for exploiting remote stack overflow vulnerabilities and bypassing both ASLR and NX without having access to the target binary. While not a particulalry novel idea, their implementation was impressive.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • OpenCart PHP Object Injection Vulnerability

    Daniel from OpenCart

    This is probably not the best way to respond to a security researcher:

    "I tried to be polite in reporting the issue, firstly using your contact form and then (seeing I haven't received any reply) using your community forum. I just asked for an email address where to send the vulnerability's details,"

    it was not ignored dick head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!

  • Fired, I?

    FireEye

    To report vulnerabilities in FireEye products, please email security[at]FireEye.com. Uhh, Ouch.
    No thanks.

  • AVG Remote Administration Insecure "By Design"

    AVG

    Declaring reported security weaknesses "by design" is so much less work than actually fixing them. Hey, anybody want to get some fro-yo?

  • Faulty Ignition Switch

    General Motors

    Wikipedia When an issue is handled well, the CEO is rarely dragged before Congress and told by a Senator that, "You don't know anything about anything."

    Why is this being nominated for a Pwnie? Because like it or not, cars are running increasingly more complex software and can now get hacked remotely. Welcome to the "Internet of Explodey Things".

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • "I'm a C I Double S P"

    Host Unknown

    Video

  • "Memory Corruption"

    NYAN

    Video

  • "Expect Us (We Are Anonymous)"

    Z0ph0kl3z

    Song

  • "Security Kate"

    Dale Chase

    Song

  • "The SSL Smiley Song"

    0xabad1dea

    Song

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Goto Fail

    Apple

    We don't take kindly to "Pwnie Bait" vulnerabilities that have been introduced and named just to earn the coveted Epic FAIL Pwnie, but we'll let this one slide, Apple.

  • Heartbleed

    Open Source Community

    Eric S. Raymond's "The Cathedral and the Bazaar" contained what has become known as Linus' Law: "Given enough eyeballs, all bugs are shallow." Every Psychology 101 textbook, however, also describes The Bystander Effect, or Diffusion of Responsibility whereby a person is less likely to take responsibility for action or inaction when others are present. Heartbleed faught Linus' Law and Heartbleed won.

  • Target Breach

    Target

    FireEye detected it, 24x7 outsourced information security monitoring saw alert and notified Target's SOC, who promptly... hey, anybody want to get some fro-yo?

  • ISC2 Optional Membership Fee

    ISC2

    The (ISC)^2 website had a vulnerability where one could submit a negative amount for their membership fees and get it for free. If anyone knows any information security professionals, can you ask them to give this non-profit some pro-bono help?

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Heartbleed (CVE-2014-0160)

    Credit: Neel Mehta and Codenomicon

    You may have heard of this vulnerability called heartbleed. It affected over 500,000 servers on the internet. It also made half of the internet change their passwords. There is even a website that gives you bytes of memory from random servers on the Internet. Heartbleed also had the largest advertising budget of any Pwnie nomination this year.

  • Target Breach

    Anonymous

    Largest credit card breach in history. Owww.

  • Inputs.io

    Anonymous

    Their parting words of wisdom:

    “Please don’t store Bitcoins on an internet connected device, regardless of [if] it is your own or a service’s.”

  • Mt. Gox

    Mark Karpelès

    The world's largest bitcoin exchange pumps up the price of BTC well above competing exchanges, stops allowing cash withdrawals, blocks bitcoin withdrawals, and finally comes crashing down claiming that they were hacked. All of this from an ex-pat CEO living in Japan who was convicted of crimes in his home country in absentia. Hundreds of millions of dollars went missing and all blockchain analysis points to Mr. Karpelès either being the dumbest developer in the history of mankind or complicit in the theft of Mt. Gox user's funds.

Calendar
Aug
3
The list of nominees is announced.
Aug
6
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when 6:30pm, Wed, Aug 6th 2014
where Blackhat USA conference, Mandaley Bay, Las Vegas