Pwnie Award Winners 2023

Best Cryptographic Attack

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.


Video-based cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED

Ben Nassi

A new cryptanalytic side-channel attack using the RGB values of the device's LED. This is a really cool one. They basically recorded an LED on a phone, and then through the RGB values, were able to cryptographically break it. https://eprint.iacr.org/2023/923


Best Desktop Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting desktop bug.


CountExposure!

@b2ahex

Sneaky malware (CVE-2022-22036) has found a new playmate for local privilege escalation and sandbox escape adventures! It's the first bug that's been released at least in the last decade about performance counters in Windows.


Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.


URB Excalibur: Slicing Through the Gordian Knot of VMware VM Escapes

@danis_jiang and @0x140ceURB

https://www.vmware.com/security/advisories/VMSA-2022-0033.html) This team successfully performed VM escapes across all VMware virtual machine products: Workstation, Fusion, and ESXi (within the sandbox), making it the only VMware VM escape at pwn2own last year. We love this because VMware escapes are really difficult, and these guys managed to find one. ... It's very hard work to do, they pulled it off – props.


Best Remote Code Execution Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting RCE Bug. This includes any software that is accessible remotely without using user interaction.


ClamAV RCE

@scannell_simon

ClamAV RCE (CVE-2023-20032): ASLR bypass technique enabling 0 click server side exploits


Best Song

What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a “multi-talented” group of people.


Clickin’

Ohm-I
Clickin' by Ohm-I (https://mcohmi.bandcamp.com/track/clickin)


Epic Achievement

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.


Clement Lecigne: 0-days hunter world champion

@_clem1

Clement Lecigne burned 33 in-the-wild 0-days since 2014 and has found 8 0-days already so far this year. If you find it in the wild, I don't know if that counts as your bug or not. Finders keepers, maybe? I don't know.


Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.


Three Lessons From Threema: Analysis of a Secure Messenger

Threema

A new canonical example for "blog post of butthurt": https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement). Punching down is always lame, Threema.


Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one’s third decade, it is time to put down the disassembler and consider a relaxing job in management.


Mudge

Peiter Zatko

Mudge — sometimes called Peiter Zatko, the L0pht hacker who grew up to work for DARPA, Google, Stripe, and, most notoriously, Twitter (before accepting his current role at Rapid7) — deserves to win this award at least twice. This is a lifetime achievement award for everything you've done to create the industry and put it into a place where it exists and it's real. So, thank you.


Most Epic Fail

This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.


“Holy fucking bingle, we have the no fly list,”

The Transportation Security Administration

The notorious queer anarchist hacker Maia Crimew discovered the entire TSA no fly list lying around on the internet and had the good graces to let everyone know about it. Did anyone else, like, search for themselves? Did anyone find themselves? No? All right.


Most Innovative Research

Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.


Inside Apple’s Lightning: Jtagging the iPhone for Fuzzing and Profit

@ghidraninja

Thomas [Roth] developed an iPhone JTAG cable called the Tamarin Cable and a Lightning Fuzzer. Though the video at https://www.youtube.com/watch?v=8p3Oi4DL0el&t=1s is no longer available, you can still view Roth's DEF CON 30 presentation.


Most Under-Hyped Research

Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!


Activation Context Cache Poisoning

Simon Zuckerbraun at Trendmicro

(https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation). This nomination highlights a new class of privilege escalation vulnerabilities, known as activation context cache poisoning. This technique was being actively used by an Austrian hack-for-hire group tracked by Microsoft as KNOTWEED"