Pwnie Awards 2013
Winners

The winners of the Pwnie Awards will be announced at a ceremony in Las Vegas on July 31st, 2013.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • Ruby on Rails YAML (CVE-2013-0156)

    Credit: Ben Murphy

    While lots and lots of Ruby libraries like YAML, Ruby on Rails likes it the most. This vulnerability leads to remote SQL injection and arbitrary Ruby code execution on the server, bringing down a variety of Ruby on Rails web sites.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Adobe Reader Buffer Overflow and Sandbox Escape (CVE-2013-0641)

    Credit: Unknown

    Just in time for last Valentine's day, FireEye found a sophisticated PDF attack in the wild that exploited Adobe Reader and escaped its sandbox. This exploit wanted to show its love for clipboard buffer lengths all in a pure-ROP payload.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978 and CVE-2013-0981

    Credit: David Wang aka planetbeing and the evad3rs team

    According to statistics in February, the evasi0n exploit works for at least 5 million people every time they boot their iPhone. It bypasses code signing by interposing with an incomplete codesign bug in the dynamic loader. It bypasses user space ASLR by using the dynamic linker. It exploits an untrusted pointer in the kernel with some help from a heap info leak, the ARM data abort interrupt handler and some techniques by Tarjei Mandt by Mark Dowd.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns

    Mateusz "j00ru" Jurczyk, Gynvael Coldwind

    The research consisted of two major parts: employing CPU-level OS instrumentation to locate potential double fetch vulnerabilities in the kernels of different operating systems, and discovering and testing practical means of exploiting such memory-bound race conditions in practical scenarios. Not only the topic is interesting, but bochspwn was used to find at least 37 vulnerabilities in windows kernel / drivers (plus some minor system crashes).

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • All the Things

    Dual Core

    Something tells me that this song's chorus will be quite popular in Vegas this year...

    YouTube

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning

    Hackin9

    Quoting from the artile published in Hackin9 magazine: "The concept of autonomous methodologies has been studied before in the literature [18]. Next, the well-known framework by David Johnson et al. does not store Smalltalk as well as our method. Further, Wilson and Zhao [19] originally articulated the need for the understanding of linked lists. It remains to be seen how valuable this research is to the software engineering community. Ultimately, the methodology of R. Zhao et al. is a theoretical choice for the exploration of super-pages. Our design avoids this overhead."

    We couldn't have said it better.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Joint award to Edward Snowden and the NSA

    Edward Snowden's leak of NSA secrets was an epic example of the insider threat to information security, while his revalations convinced many that the entire Internet is thoroughly and epicly owned!

Pwnie for Lifetime Achievement

Awarded to those of us who have moved on to bigger and better things.

  • Barnaby Jack

Calendar
Jul
27
The list of nominees is announced.
Jul
31
The winners were announced at an awards ceremony at the BlackHat USA conference.
Awards Ceremony
when 6:30pm, Wed, Jul 31st 2013
where Blackhat USA conference, AUGUSTUS III+IV Ballroom, Caeser's Palace, Las Vegas