Nominations for Pwnie Awards 2009
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
djbdns Cache-Poisoning Vulnerability (CVE-2009-0858)
Dan J. Bernstein had a long standing security guarantee offering $1000 to the first person to publicly report a security vulnerability in djbdns. Finally after roughly 18 years of djbdns development, a qualifying security vulnerability was reported by Matthew Dempsky and he was awarded the $1000 prize.
Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065)
Remote kernel memory corruption vulnerabilities are rare; remote kernel memory corruption vulnerabilities that are reliably exploitable are even more rare. This vulnerability was a memory corruption in the Linux 2.6 kernel SCTP stack. After a number of the Linux distributions released security advisories claiming that the impact of this bug was only denial of service, sgrakkyu wrote an exploit that demonstrated it was much more serious. The exploit works against vulnerable x86-64 hosts, disabling SELinux if necessary, and popping a remote connect-back shell for the attacker. Good show.
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass (CVE-2009-1535)
Amazingly undiscovered until just recently, the same Unicode escape sequence that could be used in the IIS Unicode Directory Traversal vulnerability of MS00-057 can also be used to bypass authentication on IIS password-protected directories through WebDAV HTTP requests. This vulnerability was released to Full-Disclosure by Kingcope, a previous Pwnie Award winner.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Linux udev Netlink Message Privilege Escalation (CVE-2009-1185)
In the midst of all the Linux kernel security debates about exploiting NULL function pointer dereferences, Cheddar Bay, transparency regarding known or potential security issues, Cheddar Bay, and the protection afforded by LSMs running within an insecure kernel, Cheddar Bay, sometimes the very simple yet damaging vulnerabilities don't get nearly the attention they deserve. This is one such vulnerability.
Sebastian Krahmer identified a vulnerability in udevd where it incorrectly assumed that messages arriving on its NETLINK socket would always come from the kernel. Any local unprivileged user may send a unicast or multicast NETLINK message to udevd, which it will treat as a privileged message from the kernel. This would allow a user to (for example) instruct udevd to create a /dev/random device file with chosen minor and major device numbers, giving RWX permissions to any device that the attacker chooses. That's game over, kids.
VMware Display Function Host Code Execution from Guest (CVE-2009-1244)
For most people, VM escape exploits are like unicorns. They have heard about them, read about them, but they've never seen one. To assist with this, Immunity provides a nice video of Kostya's CLOUDBURST exploit in action proving that, like unicorns, VM escape exploits are very real.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
Java Calendar Object Deserialization Sandbox Privilege Escalation (CVE-2008-5353)
When I was young, my mother would always warn me, "Don't go deserializing untrusted object input streams in a privileged context." The Java Calendar class did not heed this warning and, as expected, bad things were possible. As Sami discovered, when the object is deserialized, it is instantiated, but not by calling its constructor. That'd be too easy. When a subclass of a non-serializable class is deserialized, the non-serializable parent class' constructor is called and the sub-class' fields are explicitly deserialized. Got that? Good. Well, if the attacker subclasses a class with a constructor that unprivileged code should not be able to call (e.g. ClassLoader), the deserialization calls the constructor within the doPrivileged() block and then explicitly sets the sub-class' fields, which can be used to snarf a reference to the instantiated super class (ClassLoader). In a Java applet, this reference is a "get out of jail free" card.
Sami and Julien ended up exploiting this vulnerability on Firefox and Safari for Mac OS X on the first day of Pwn2own 2009, but it was disqualified because it had already been reported to the vendor. Haven't they learned from Charlie Miller that you are supposed to sit on the vulnerability all year until Pwn2own?
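The serialization rule the paragraph above relies on is easy to verify for yourself. The following is an added illustration, not code from the Pwnie Awards page or from the researchers: a non-serializable class Guarded (a stand-in for a privileged class; the page's real-world example is ClassLoader) with a serializable subclass Child. On deserialization the Guarded no-arg constructor runs, the Child constructor does not, and Child's fields are restored from the stream. The deserialize helper also shows the defensive counterpart, an ObjectInputFilter (Java 9 or later is assumed) that rejects every class not explicitly allowed, which is what keeps an untrusted stream from instantiating classes you never intended it to.

```java
import java.io.*;

// Added illustration of Java's deserialization rule: the nearest
// non-serializable superclass is constructed with its no-arg constructor,
// the serializable subclass's constructor is skipped, and the subclass's
// fields are filled in from the stream. Class names are hypothetical.
public class DeserializationDemo {

    // Not Serializable: stands in for a privileged class such as ClassLoader.
    static class Guarded {
        static int constructorCalls = 0;
        Guarded() { constructorCalls++; }
    }

    // Serializable subclass: its own constructor is NOT run when read back.
    static class Child extends Guarded implements Serializable {
        private static final long serialVersionUID = 1L;
        static int childConstructorCalls = 0;
        String note;
        Child(String note) { this.note = note; childConstructorCalls++; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Defensive counterpart (Java 9+): only the demo's own classes may be
            // instantiated from the stream; "!*" rejects everything else.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "DeserializationDemo$*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructing the object normally runs both constructors once.
        byte[] bytes = serialize(new Child("hello"));
        // Reading it back runs Guarded() again but never Child(String).
        Child c = (Child) deserialize(bytes);
        System.out.println("Guarded constructor calls: " + Guarded.constructorCalls);   // 2
        System.out.println("Child constructor calls:   " + Child.childConstructorCalls); // 1
        System.out.println("Restored field:            " + c.note);                      // hello
    }
}
```

Run it with `javac DeserializationDemo.java && java DeserializationDemo`. The second Guarded constructor call is the whole story of the Calendar bug: if that constructor is one that unprivileged code should never reach, and the readObject happens inside a privileged block, the stream has just called it on the attacker's behalf. Replace the allow-list filter with the default (no filter) and the stream can name any loadable class, which is why untrusted streams should always be read under a restrictive filter and never in a privileged context.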
msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015)
At first glance, this bug may appear to be just yet another vulnerability in an ActiveX component. Easily exploited vulnerabilities in ActiveX components typically lead to malware outbreaks all over the Interwebs, and that's exactly what happened with this one. But ActiveX component bugs are hardly the stuff that Pwnie Awards are made of. As more people began to research this vulnerability, it became clear that the vulnerability was not in the ActiveX component's code, but instead in the ATL code (IPersistStreamInit::Load) statically built into it. Oh, snap. It's a kill-bit bloodbath out there.
As this vulnerability had begun to be exploited in the wild prior to its scheduled patch release, it conveniently became eligible for this year's Pwnie Awards. Don't let its CVE number fool you, this wasn't one of last year's bugs. Microsoft was sitting on this vulnerability for somewhere around 16 months.
No, LittleCMS is not some budding programmer's first PHP content management system. It's one of those subtle (and buggy) libraries that ends up burrowing its way into too many other products. In this case, LittleCMS is a color management library used to handle color profiles for JPEG images. And this little library that could happened to find itself used by ImageMagick, OpenJDK, and some beta releases of Firefox 3.1. Throw in some memory corruption and that's enough to 0wn up some Linux desktops.
Pwnie for Mass 0wnage
Awarded to the person who discovered the bug that resulted in the most widespread exploitation or affected the most users. Also known as ‘Pwnie for Breaking the Internet.’
Microsoft Windows MS08-067 Server Service Worms (CVE-2008-4250)
Known by such seductive names as Trojan.Gimmiv.A, W32.Wecorl, W32.Downadup, and Conficker, the worms utilizing the Windows Server Service overflow to propagate turned most of the internet's Windows desktops into mushy piles of malware over the course of six months. The flaw itself, like most of the good bugs in Microsoft products, was being exploited in the wild for an unknown period of time before being picked up by the Microsoft Security Response Team. While the early worms just annoyed and confused, Conficker (named after a domain name found in the original binary) continues to exploit new systems to this day. Conficker managed to infect everything from the UK Air Force to the City of Houston municipal court, along with millions of systems in between. Although dozens of speeders and small-time drug dealers in Houston appreciated the impact of Conficker, it was still considered one of the worst worms of 2008.
China's Ministry of Industry and Information Technology deserves shared credit for this vulnerability by mandating the installation of this embarrassingly insecure software on every computer in the world's most populous country. Worst. National. Backdoor. Ever.
Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-4250)
Shortly after Black Hat and Defcon last year, Red Hat noticed that someone had not only backdoored the OpenSSH packages that some of their mirrors were distributing, but had managed to sign the packages with Red Hat's own private key. Instead of revoking the key and releasing all new packages, they just updated the backdoored packages with clean copies, still signed by the same key, and released a shell script to scan for the MD5 checksums of the affected packages. What makes this eligible for the "mass0wnage" award is that nobody is quite sure how many systems were compromised or what other keys and packages the attackers were able to access. With very little public information available, the real casualty was the public's trust in the integrity of Red Hat's packages.
Pwnie for Best Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
In another of his creatively-named research projects, Piotr Bania created MmmBop, an advanced automatic unpacker using dynamic binary instrumentation. Using his own custom dynamic binary instrumentation (DBI) engine, Piotr developed an automatic unpacker for Windows capable of automatically unpacking some popular binary packers.
This comprehensive and well-presented guide to Symbian vulnerability research covers the entire process, from analyzing Symbian OS to reversing, debugging, and fuzzing bugs out of it. And just for good measure, he shook out 14 crashes from the Symbian Media Player. Overall, an excellent documentation of vulnerability discovery on Symbian.
Get a bunch of hackers and academic cryptographers together, and look what they do: they break the Internet. Employing advances in generating chosen-prefix collisions in MD5, a cluster of PlayStation 3s, and a web-based manipulation of a Certificate Authority that had been using MD5 well past its usefulness, this crack team was able to make their own rogue Certificate Authority certificate that is trusted by all common web browsers.
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
Too JBIG for their own britches
Continually assuming that all kernel memory corruption bugs are only Denial-of-Service
The Linux kernel development team was nominated several times over for their ongoing lack of handling of bugs of "unknown impact" and for generally assuming that all kernel memory corruption issues are only Denial-of-Service issues. Here's a hint: just because you can only get a DoS from a bug doesn't mean that skilled hackers can't get a root shell out of it.
This nomination is part of a multi-year legacy. Last year, the "Safari Carpet Bomb" or "Blended Threat" received a Pwnie nomination for Best Client-Side Bug, and since it took Microsoft until April of this year to finally patch the issue Aviv found in December 2006, they get this nomination for Lamest Vendor Response.
Pwnie for Most Overhyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the mainstream media. Bonus points for bugs that turn out to be impossible to exploit in practice. Also known as ‘Pwnie for Pwning the Media.’
MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250)
Notice the intentional cross-nomination of this vulnerability. The worm taking advantage of this vulnerability, Conficker, had been a mainstay in the trade press for at least half of the year. Also known as the InfoSec Press Full Employment Act of 2009.
Unspecified OpenSSH 0day
The unsubstantiated reports of this vulnerability resulted in a number of rash reactions, including one ISP that decided to disable all of its SSH daemons. We hope they had serial consoles for their servers.
Of course, the best way to ensure that a talk gets hyped is to get it canceled, which is already becoming a regular occurrence at information security conferences. In fact, conferences should get in on the action by sponsoring betting pools on which talk is going to get pulled, perhaps in their automated talk review systems (hint, hint). Side bets for which presenters will quit their jobs and present their material anyway should definitely be allowed.
Jeremiah Grossman and Robert Hansen's Clickjacking talk at OWASP 2009 was canceled in this way, and when the salacious information finally hit the Internet, Adobe had of course already fully protected against it. It's a good thing Adobe protected everyone by asking these researchers to keep mum about their security issues. Maybe they should ask all of those nasty spear phishers abusing Adobe Reader 0day to do the same, since it apparently works so well.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather than let it become anyone else's turn, we have a new rule. Nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:
This is your career on life support (whaaat?)
and we're not white hats tryin to write reports
any box can be popped with the right resource
so your threat model's worthless, NICE REPORT
The lyrics are great and the video has great production quality. Let's just say that we are looking forward to covers of this song.
Listening to this song sends me to a happy place with Angelina Jolie, roller blading through the streets, and absurd clothing. No, I'm not talking about Miami, but the movie "Hackers". Frank^2 puts a hacker hip-hop spin on "The Voodoo People" by The Prodigy.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
StrongWebmail CEO's mail hacked via XSS
Apparently StrongWebmail didn't hear about how well the whole "Unbreakable" thing worked out for Oracle. Or maybe we all naively think that advertising your product/service as "hack-proof" and being promptly hacked right afterwards is bad for PR. In fact, no one would probably have heard of this company if they weren't so easily hacked after launching their contest. Either way, Lance James, Aviv Raff, and Mike Bailey owned them up quick n' good, finding an XSS vulnerability within a few minutes and then perfecting their attack over the next 6 hours.
StrongWebmail is quoted as promising to relaunch a new competition after they fix the identified XSS vulnerability and "won't rest until we have created the most secure e-mail in the world." Let's hope they keep true to their plans to fully employ the entire information security industry.
Twitter Gets Hacked and the "Cloud Crisis"
If you live by Web 2.0, you die by Web 2.0. Storing documents in the "cloud" gets you ease of access, it's cheap, it's easy, and as long as you care nothing about security, it's a no-brainer. Twitter was rife with XSS and CSRF worms this year, which annoyed many a "securitytwit", but these were sideshows to its rapidly growing user base. But this year Twitter learned the hard way that when your entire security rests in the cloud, it only takes one unused Hotmail account and a bored teenager to get your entire business plan, all your employees' personal information, and administrative access to your 55 million dollar web application. According to Twitter's top secret internal documents (now published on TechCrunch): "Are we building a new Internet?!?" Well, if they are, it's one that needs more security.
Linux default kernel security
Last year, Linus Torvalds and the Linux kernel team were nominated for the Lamest Vendor Response Pwnie. This year, they were nominated for Most Epic FAIL due to the results of their continual response to security vulnerabilities. Here are some highlights of Linux's Year in Security 2009:
- 4 byte overflow resulting in reliable remote disabling of SELinux
- Improperly patching a 7 year running local bypass of a flawed ASLR implementation
- Arbitrary root command execution via an environment variable
- Silent disclosure of numerous kernel vulnerabilities
Finally, as described in a Usenix HotOS paper:
An attacker seeking to exploit unidentified vulnerabilities in Linux bug-fix disclosures would have, as Figure 2 shows, between 4 and 16 bugs with hidden impact waiting for him or her at any time in the last three years.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult-to-even-explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their careers effectively end at age 30. Either way, upon entering one's fourth decade, it is time to put down the disassembler and consider a relaxing job in management.
This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.
An entire generation of reverse engineers, many of whom work or have worked in information security, cut their teeth reading tutorials on Fravia's web site. And maybe they learned a little about philosophy or web searching while they were there. Or at least they learned how to crack that game that they wanted to play.
He's credited with inventing return-into-libc and privilege separation for Unix daemons, and I'm just quoting his Wikipedia page. He also first demonstrated heap buffer overflow exploitation. His password cracker, John the Ripper, has awesome embedded into its every fiber, from being the first cracker to use bitslice DES implementations to doing brute forcing based on the statistical frequency of characters.
No, we aren't just trying to suck up to Jeff, he really did get nominated. Besides his notable accomplishments like starting the largest hacking conference in the world and BlackHat, the gracious venue for the Pwnie Awards, he has also just been appointed to the U.S. Department of Homeland Security Advisory Council. Not too shabby.