Pwnie Awards 2015

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • SAP LZC LZH Compression Multiple Vulnerabilities (CVE-2015-2278, CVE-2015-2282)

    Credit: Martin Gallo

    SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. Basically a single bug that pwns almost ALL SAP products and services.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Will it BLEND? (CVE-2015-0093, CVE-2015-3052)

    Credit: Mateusz ‘j00ru’ Jurczyk

    The "BLEND" opcode font bug was in a shared code base used both in Adobe Reader font renderer and Microsoft Windows Kernel (32-bit) font renderer. It allowed both to get code execution in Adobe Reader using a font embedded in a PDF file, and to later escape the sandbox and get SYSTEM rights by exploiting the exact same bug in the shared codebase in the Windows Kernel (ATMFD.DLL driver, part of Windows GDI).

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • UEFI SMM Privilege Escalation

    Credit: Corey Kallenberg

    Firmware update code in the open source UEFI reference implementation was identified as containing several vulnerabilities last year. Successful exploitation resulted in the ability for a privileged ring 3 process to stage a payload in the context of the firmware and then invoke and exploit the vulnerable UEFI firmware update code. This userland (ring 3) to firmware/SMM ("ring -2") privilege escalation vulnerability is present on the majority of PC OEMs, affecting over 500+ *models* from HP alone. Other vendors have also issued patches for dozens of their models, and because the UEFI reference implementation is used as the starting point by many OEMs, many other vendors are known to be vulnerable that will probably never acknowledge it, or release patches. Work by Corey Kallenberg, Xeno Kovah, John Butterworth and Sam Cornwell.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

    Credit: David Adrian et al.

    This paper introduces the Logjam attack, a vulnerability that allows a man-in-the-middle attacker to downgrade TLS connections to 512-bit export-grade Diffie-Hellman and recover the session keys. It then goes on to make a convincing case that the NSA is already doing this for 1024-bit Diffie-Hellman. Although this would require an enormous investment in computing power (perhaps the biggest secret crypto project since WW II), it would allow them to passively eavesdrop on about half of encrypted VPN and SSH traffic. This explanation precisely fits the crypto breaks described in the Snowden leaks. This paper is a landmark result, in that it uncovers a major blindspot in the relation between crypto theory and security practice, introduces a novel TLS break that is practical to exploit today, and solves a major open question about government mass surveillance capabilities.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • "A Peek Under The Blue Coat"

    Credit: BlueCoat

    The bluecoats are coming! The bluecoats are coming! ... for your talk.

    BlueCoat, the web proxy hardware of choice for silently intercepting and blocking SSL traffic, proved itself also quite capable at silently intercepting and blocking security research. Raphaël Rigo was to present his research on the internals of BlueCoat's ProxySG operating system at SyScan this year, but BlueCoat blocked it. Well-known CISOs became enraged and refused spending their budget on them while security researchers on Twitter reacted more diplomatically.

Pwnie for Most Overhyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • "Clean Slate"

    Credit: YTCracker

    YTCracker brings the cheese with an 80s synth cyberpunk feel, telling a tale from the perspective of a hacker seeking a clean slate to escape his dark surroundings.


Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Oh, Please... Man!

    Credit: U.S. Office of Personnel Management

    Remember when you applied for that security clearance and you told a federal employee all the vile things you’ve ever done? Good news, now everyone knows. Wait that might not be good news. Regardless, the OPM let you and everyone else down. So much so, that the USA government might actually be pulling covert agents out of foreign countries. USA #1 (in awful federal data breaches).

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.

  • Halvar Flake

    His LinkedIn title reads "staff engineer" which is typical underplayed Halvar. We can't even begin to list his achievements and industry input here. Google him, and not just because they bought him.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Hacking Team

    Credit: Maybe China

    That's a spicy mal-a-ware! Hacker Daytime Television (also known as Twitter) hasn't been this good in years.

2016 Nominations open.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 3rd 2016
where BlackHat USA 2016, Mandalay Bay, Las Vegas