Winners of Pwnie Awards 2009
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065)
Remote kernel memory corruption vulnerabilities are rare, and reliably exploitable ones are rarer still. This vulnerability was a memory corruption in the Linux 2.6 kernel SCTP stack. After a number of Linux distributions released security advisories claiming that the impact of this bug was only denial of service, sgrakkyu wrote an exploit that demonstrated it was much more serious. The exploit works against vulnerable x86-64 hosts, disabling SELinux if necessary and popping a remote connect-back shell for the attacker. Good show.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered and/or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Linux udev Netlink Message Privilege Escalation (CVE-2009-1185)
In the midst of all the Linux kernel security debates about exploiting NULL function pointer dereferences, Cheddar Bay, transparency regarding known or potential security issues, Cheddar Bay, and the protection afforded by LSMs running within an insecure kernel, Cheddar Bay, sometimes the very simple yet damaging vulnerabilities don't get nearly the attention they deserve. This is one such vulnerability.
Sebastian Krahmer identified a vulnerability in udevd where it incorrectly assumed that messages arriving on its NETLINK socket would always come from the kernel. Any local unprivileged user may send a unicast or multicast NETLINK message to udevd, which it will treat as a privileged message from the kernel. This would allow a user to (for example) instruct udevd to create a /dev/random device file with chosen minor and major device numbers, giving RWX permissions to any device that the attacker chooses. That's game over, kids.
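The missing check described above, as an added defensive example that is not code from the page or from udev: on Linux a daemon can set SO_PASSCRED on its netlink socket and inspect the SCM_CREDENTIALS ancillary data attached to each received message; messages originating in the kernel carry pid 0 and uid 0, so everything else is dropped before it is treated as a device event. The struct and function names (sender_cred, uevent_msg, uevent_from_kernel, make_uevent) are assumptions for illustration, and the test input is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
/* Linux SCM_CREDENTIALS payload (delivered once SO_PASSCRED is set on the
 * socket); same layout as struct ucred. Local names are illustrative. */
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif
struct sender_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Received message plus the ancillary-data buffer recvmsg() fills. */
struct uevent_msg {
    struct msghdr hdr;
    union { char buf[CMSG_SPACE(sizeof(struct sender_cred))]; struct cmsghdr align; } ctl;
};

/* Returns 1 only if the credentials name the kernel itself (pid 0, uid 0).
 * A message without credentials, or from any user process, is rejected. */
int uevent_from_kernel(struct uevent_msg *m)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(&m->hdr); c != NULL; c = CMSG_NXTHDR(&m->hdr, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len >= CMSG_LEN(sizeof(struct sender_cred))) {
            struct sender_cred cred;
            memcpy(&cred, CMSG_DATA(c), sizeof cred);
            return cred.pid == 0 && cred.uid == 0;
        }
    }
    return 0;
}

/* Constructed input for testing: fill m the way recvmsg() would, carrying
 * the given sender credentials (have_cred == 0 omits them entirely). */
void make_uevent(struct uevent_msg *m, int have_cred, pid_t pid, uid_t uid, gid_t gid)
{
    struct cmsghdr *c;
    struct sender_cred cred = { pid, uid, gid };
    memset(m, 0, sizeof *m);
    m->hdr.msg_control = m->ctl.buf;
    m->hdr.msg_controllen = have_cred ? sizeof m->ctl.buf : 0;
    if (!have_cred) return;
    c = CMSG_FIRSTHDR(&m->hdr);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof cred);
    memcpy(CMSG_DATA(c), &cred, sizeof cred);
}
```

Without SO_PASSCRED the credentials are never attached and every message is refused, which is the safe failure mode for a daemon that acts on device events as root.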
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015)
At first glance, this bug may appear to be just yet another vulnerability in an ActiveX component. Easily exploited vulnerabilities in ActiveX components typically lead to malware outbreaks all over the Interwebs, and that's exactly what happened with this one. But ActiveX component bugs are hardly the stuff that Pwnie Awards are made of. As more people began to research this vulnerability, it became clear that the vulnerability was not in the ActiveX component's own code, but in the ATL code (IPersistStreamInit::Load) statically built into it. Oh, snap. It's a kill-bit bloodbath out there.
As this vulnerability had begun to be exploited in the wild prior to its scheduled patch release, it conveniently became eligible for this year's Pwnie Awards. Don't let its CVE number fool you, this wasn't one of last year's bugs. Microsoft was sitting on this vulnerability for somewhere around 16 months.
Pwnie for Mass 0wnage
Awarded to the person who discovered the bug that resulted in the most widespread exploitation or affected the most users. Also known as ‘Pwnie for Breaking the Internet.’
Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844)
Shortly after Black Hat and Defcon last year, Red Hat noticed that not only had someone backdoored the OpenSSH packages that some of their mirrors were distributing, but that the attacker had managed to sign the packages with Red Hat's own private key. Instead of revoking the key and releasing all-new packages, they just updated the backdoored packages with clean copies, still signed by the same key, and released a shell script to scan for the MD5 checksums of the affected packages. What makes this eligible for the "mass 0wnage" award is that nobody is quite sure how many systems were compromised or what other keys and packages the attackers were able to access. With very little public information available, the real casualty was the public's trust in the integrity of Red Hat's packages.
Pwnie for Best Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
This comprehensive and well-presented guide to Symbian vulnerability research covers the entire process, from analyzing Symbian OS to reversing, debugging, and fuzzing bugs out of it. And just for good measure, he shook out 14 crashes from the Symbian Media Player. Overall, an excellent documentation of vulnerability discovery on Symbian.
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
Continually assuming that all kernel memory corruption bugs are only Denial-of-Service
The Linux kernel development team was nominated several times over for their ongoing mishandling of bugs of "unknown impact" and for generally assuming that all kernel memory corruption issues are only Denial-of-Service issues. Here's a hint: just because you can only get a DoS from a bug doesn't mean that skilled hackers can't get a root shell out of it.
Pwnie for Most Overhyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the mainstream media. Bonus points for bugs that turn out to be impossible to exploit in practice. Also known as ‘Pwnie for Pwning the Media.’
MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250)
Notice the intentional cross-nomination of this vulnerability. The worm taking advantage of this vulnerability, Conficker, had been a mainstay in the trade press for at least half of the year. Also known as the InfoSec Press Full Employment Act of 2009.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. Rather than let it become anyone else's turn, we have a new rule: nominations for 'Best Song' must actually have audio. For your listening pleasure, the winners are:
This is your career on life support (whaaat?)
and we're not white hats tryin to write reports
any box can be popped with the right resource
so your threat model's worthless, NICE REPORT
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
Twitter Gets Hacked and the "Cloud Crisis"
If you live by Web 2.0, you die by Web 2.0. Storing documents in the "cloud" gets you ease of access; it's cheap, it's easy, and as long as you care nothing about security, it's a no-brainer. Twitter was rife with XSS and CSRF worms this year, which annoyed many a "securitytwit", but those were sideshows to its rapidly growing user base. This year Twitter learned the hard way that when your entire security rests in the cloud, it only takes one unused hotmail account and a bored teenager to get your entire business plan, all your employees' personal information, and administrative access to your 55 million dollar web application. According to Twitter's top secret internal documents (now published on Techcrunch), "Are we building a new Internet?!?" Well, if they are, it's one that needs more security.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure problems that are difficult even to explain. Like models, hackers wear a lot of black, think they are more famous than they are, and find their careers effectively end at age 30. Either way, upon entering one's fourth decade, it is time to put down the disassembler and consider a relaxing job in management.
This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.
He's credited with inventing return-into-libc and privilege separation for Unix daemons, and I'm just quoting his Wikipedia page. He also first demonstrated heap buffer overflow exploitation. His password cracker, John the Ripper, has awesome embedded into its every fiber, from being the first cracker to use bitslice DES implementations to doing brute-forcing based on the statistical frequency of characters.