Pwnie Award Winners 2022

Best Cryptographic Attack

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.


Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

Researchers: [email protected], [email protected], [email protected], [email protected], [email protected]

This is a *remote timing* attack on *constant-time* implementations of SIKE, a post quantum key encapsulation mechanism that is currently a finalist in NIST’s PQC competition. This attack is enabled by a new side channel called Hertzbleed, as well as new cryptanalysis techniques. As a result of this attack, mitigations were deployed to both Cloudflare’s and Microsoft’s implementations of SIKE, incurring performance overheads of 5% and 11%.

The Hertzbleed side channel takes advantage of the discovery that, under certain circumstances, dynamic CPU frequency adjustments on modern x86 processors depend on the data being processed, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second). The attack on SIKE shows that, using Hertzbleed, ​​a clever attacker can perform *full key extraction* via remote timing, despite SIKE being implemented as “constant time” and despite its “well-understood” side channel posture. An unoptimized version of the attack recovers the full key from the Cloudflare’s and Microsoft’s implementations in 36 and 89 hours, respectively. The cryptanalytic details of the attack are described in the research paper.

The takeaway of this attack is that the current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant time execution of software on modern processors. Indeed, as a result of this attack, Intel had to release new software guidance for cryptography implementations.


Best Desktop Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting desktop bug.


Architecturally Leaking Data from the Microarchitecture

Researcher Names: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz

AEPIC Leak: the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel.

AEPIC Leak is a new architectural CPU bug which can leak data without even using a side channel. AEPIC Leak works on the latest CPUs from one of the major CPU vendors, and allows attacks against Trusted Execution Environments. It targets leaking data in use, e.g., register values and memory loads, as well as data at rest, e.g., data pages. AEPIC Leak introduces techniques to improve the control of these leaks, which allows our end-to-end attack to extract secret data from a TEE within a few seconds. AEPIC Leak is not a transient execution attack, but an architectural bug leveraged to disclose data.

AEPIC Leak is the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel. AEPIC Leak works on all recent Sunny-Cove-based Intel CPUs (i.e., Ice Lake and Alder Lake) and does not require hyperthreading enabled. It is not a transient execution attack and it architecturally leaks stale data incorrectly returned by reading undefined APIC-register ranges. AEPIC Leak samples data transferred between the L2 and last-level cache, including SGX enclave data, from the superqueue. It targets data in use, e.g., register values and memory loads, as well as data at rest, e.g., SGX-enclave data pages. Even if AEPIC Leak is a sampling-based attack, we introduce techniques to precisely influence from which page and offset the attack leaks from.

The end-to-end attack extracts AES-NI, RSA, and even the Intel SGX attestation keys from enclaves within a few seconds. The only short-term mitigations for AEPIC Leak are to disable APIC MMIO or not rely on SGX.


Best Mobile Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting mobile bug.


FORCEDENTRY

Turing complete exploit in an image file parser.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.


Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace

Researchers Name: @dawnseclab

Nominating for the `mystique` bug, i.e. CVE-2021-0691 and other bugs in the chain in multiple vendors like Samsung, Xiaomi, Oppo including CVE-2021-25450, CVE-2021-25485 and CVE-2021-23243, that allows an application with zero permission to execute code in any other applications. Details of this research can be found at the whitepaper https://dawnslab.jd.com/mystique-paper/mystique-paper.pdf and delivered talk in CanSecWest 22 https://dawnslab.jd.com/mystique-paper/CSW22-mystique.pdf

Actually the core of this bug chain (CVE-2021-0691) is just one line of change in the android SELinux policy. One line of change, and the whole sandbox collapsed. Combined with multiple bugs in vendors, they achieved almost super power in the userspace.


Best Remote Code Execution Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting RCE Bug. This includes any software that is accessible remotely without using user interaction.


Windows RPC Runtime Remote Code Execution (CVE-2022-26809)

Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

Researchers: https://twitter.com/KunlunLab

The Remote Procedure Call (RPC) is used everywhere in windows system. In 2021 BugHunter010 at Cyber KunLun Lab discovered a heap-buffer-overflow vulnerablity in RPC protocol with CVSS score 9.8. This bug has existed in windows system for more than 20 years and could be exploited in various places/ways to achieve unauthenticated remote code execution/priviledge escalation.


Best Song

What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a “multi-talented” group of people.


Dialed Up

The Dialed Up song is also a mini-CTF that is completely self-contained in an .mp3 file. The song has a load of phreaking related sounds and samples including a few dozen ring tones, rotary phone sounds, modems, carrier messages and DTMF. The mini-CTF is jeopardy style with around 7 challenges and will have a teaser version available early July and the full contest will be released the week of Black Hat and Defcon.

https://www.youtube.com/watch?v=euMZYqDG4Sc

Epic Achievement

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.


Yuki Chen’s Windows Server-Side RCE Bugs

This year, security researcher Yuki Chen (@guhe120) has found and reported 50+ server side remote code execution bugs in various components in Micorosft Windows, including the DNS Server, EFS, NFS, LDAP, SMB, RPC, RAS.

Since Microsoft Windows is a mature system which has been continuously researched by researchers all over the world for decades, finding bugs with such volume (50+) and severity (server-side remote code exeuction) in Windows in year 2022 is something epic. And we can't find such a record in Microsoft's security bulletin in the past years.

One example of these bugs is CVE-2022-26809, a pre-auth remote code execution bug in Windows RPC runtime with CVSS 9.8:

https://twitter.com/search?q=CVE-2022-26809

As soon as this bug was published in April 2022, it became hot topic among infosec community immediately and many researchers from different areas started to analyze the bug and tried to figure out the exploit. And this is only one of the 25 RCE bugs Yuki reported that month.


Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.


Google’s top security teams unilaterally shut down a counterterrorism operation

According to MIT Technology Review:

Google’s security teams publicly exposed a nine-month hacking operation
What wasn’t disclosed: The move shut down an active counter-terrorist operation being conducted by a Western government
The decision has raised alarms inside Google and elsewhere

https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/


Most Epic Fail

This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.


HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

Failure Name: The HackerOne employee that got owned for trying to sell other peoples bugs.

"The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," it said. "In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data."

The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.

https://thehackernews.com/2022/07/hackerone-employee-caught-stealing.html


Most Innovative Research

Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.


Custom Processing Unit: Tracing and Patching Intel Atom Microcode

Researchers: Pietro Borrello, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz

We present the first systematic study of Intel Atom Microcode and a software-only framework that can observe, trace, and even patch microcode execution, shedding unprecedented light on the internal workings of Intel CPUs.

We develop a Ghidra decompiler for Atom Microcode and reverse-engineer how the CPU internally uses its control register bus to manage its resources. Resorting to previously disclosed undocumented instructions, we then create a framework that can gain complete control over CPU microcode by replicating such interactions.

Imagine a future where you can customize the behavior of your CPU. It's now here for Atom GLMs.
Our framework can assemble and patch micro-instructions, hook CPU events, and trace microcode execution. To showcase its power, we trace and reverse-engineer the routines involved in the obscure Intel CPU microcode update process.
For the first time, we disclose the details of the decryption algorithms for microcode updates and the binary format of the decrypted update: an amazing discovery is that a microcode update is, in fact, a custom language interpreted by the CPU.
We will make our framework available as open source.


Most Under-Hyped Research

Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!


Spoofing IP with IPIP

Researcher Name: Yannay Livneh / PoC||GTFO 21:03

Yannay scanned the Internet for machines that both allowed IP over IP tunneling and had no egress filtering, allowing him to inject raw IP packets into the Internet like we did in the early nineties. He then played "pass-the-parcel" by chaining up these hosts, and left the packets as a PCAP-NG polyglot in pocorgtfo21.pdf.