Nominations for Pwnie Awards 2011
Pwnie for Best Server-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without user interaction.
ASP.NET Framework Padding Oracle (CVE-2010-3332)
Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.
Microsoft FTP server heap overflow (CVE-2010-3972)
Matt Bergin discovered a remote code execution vulnerability in the Microsoft FTP server. The vulnerability is caused by a boundary error when encoding Telnet IAC characters in an FTP response (specifically the 0xFF character). This can be exploited without authenticating to the FTP service to cause a heap-based buffer overflow by sending an overly long, specially crafted FTP request. This vulnerability was exploited by Chris Valasek and Ryan Smith, who achieved EIP control and theorized that full exploitation is possible.
ISC dhclient metacharacter injection (CVE-2011-0997)
The ISC dhclient did not strip or escape certain shell meta-characters in responses from the DHCP server before passing the responses on to a shell script. Depending on the script used by the OS, this could result in arbitrary code execution on the client. Using this vulnerability, a single rogue DHCP server could exploit the entire local network.
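As an added illustration of the defensive fix this class of bug calls for (example code written for this page, not ISC's own), the following validates DHCP-supplied option values against an allowlist before they are exported to a dhclient-style shell script. The allowlist pattern, the option names and the sample lease values are constructed assumptions.

```python
import re
import shlex

# Conservative allowlist for hostname/domain-name style options (assumed for this
# example): anything outside it never reaches the shell script as-is.
SAFE_OPTION_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Shell metacharacters a rogue DHCP server could use to inject commands into the
# script that dhclient runs with the lease values in its environment.
SHELL_META = set("`$;|&<>()\"'\\\n")


def option_is_safe(value: str) -> bool:
    """Return True if a DHCP-supplied string matches the allowlist."""
    return bool(SAFE_OPTION_RE.match(value))


def find_metacharacters(value: str):
    """List the shell metacharacters present, useful when logging a rejected lease."""
    return sorted({c for c in value if c in SHELL_META})


def export_for_script(options):
    """Build the environment a dhclient-style script would receive.

    Safe values are exported as new_<option>; unsafe values are not exported at
    all, only a shell-quoted copy is kept under rejected_<option> for logging.
    """
    env = {}
    for name, value in options.items():
        if option_is_safe(value):
            env["new_" + name] = value
        else:
            env["rejected_" + name] = shlex.quote(value)
    return env


# Constructed sample leases: one benign, one carrying a metacharacter injection.
BENIGN_LEASE = {"host_name": "ws01", "domain_name": "corp.example"}
MALICIOUS_LEASE = {"host_name": "ws01; id", "domain_name": "corp.example"}
```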
BSD-derived IPComp encapsulation stack overflow (CVE-2011-1547)
Most BSD-derived network stacks contain a vulnerability in the code processing IPComp encapsulation, commonly used alongside IPSec. By recursively trying to de-encapsulate a nested IPComp payload, an attacker can cause a kernel stack overflow (not a buffer overflow). Tavis speculates that turning this into a remote code execution exploit is not impossible.
Exim remote code execution flaw (CVE-2010-4344)
This exploit was first captured in the wild by Sergey Kononenko. It exploited a buffer overflow in the logging functionality of Exim to gain code execution on the server. The exploit was interesting because, instead of hijacking EIP, the attacker overwrites an internal data structure with a shell command that is executed when the server processes the next message.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
FreeType vulnerability in iOS (CVE-2011-0226)
Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted on jailbreakme.com and was successfully used by thousands of people to jailbreak their iOS devices.
Google Chrome sandbox bypass
VUPEN released a demo of a Google Chrome exploit that bypasses the Chrome sandbox and executes code with full privileges on the local system. The exploit was not made public, but the Google security team guessed that VUPEN exploited a Flash vulnerability because the Flash sandbox in Chrome is significantly weaker than the sandbox of the HTML renderer process. Since Google bundles the Flash plugin with the browser, a Flash exploit can affect every single user of Chrome. Despite the protests of the Google security team that VUPEN wasn't playing fair, VUPEN gets credit for pointing out that the Flash sandbox is the weakest link in Google Chrome.
Java mismatched codebase arbitrary code execution (CVE-2010-4452)
This vulnerability is particularly interesting in that it only uses features of Java to gain arbitrary code execution capability. It doesn't use any common exploitation technique like buffer overflows or memory corruption. As it only uses known features of the JRE, it is 100% reliable.
Blackberry Pwn2Own exploit
The three researchers chained two WebKit information leak vulnerabilities and an integer overflow to gain code execution on the BlackBerry. Their accomplishment is even more impressive because of the fact that they had no debugger, no core dumps and no documentation about the BlackBerry internals.
Android web market XSS
Jon Oberheide discovered an XSS vulnerability in the Android web market that allowed him to remotely install arbitrary applications with arbitrary permissions on a victim's phone simply by tricking them into clicking a malicious link.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Privilege escalation in CSRSS (CVE-2011-1281)
A privilege escalation bug in Windows CSRSS. Very interesting methods were needed to get an exploit working: handle free-list spraying by creating and freeing hundreds of consoles, getting data into the memory of a process that runs as SYSTEM (utilman.exe) by creating lots of windows with overly long titles, and others.
Linux kernel set_fs kernel memory overwrite (CVE-2010-4258)
Nelson Elhage found an interesting interaction between Linux threads created with the CLONE_CHILD_CLEARTID flag and the set_fs function in the kernel, which made bugs that would otherwise only cause a DoS fully exploitable. The public PoC for this vulnerability was later released by Dan Rosenberg.
Linux $ORIGIN privilege escalation (CVE-2010-3847)
Tavis discovered that the glibc dynamic linker allows $ORIGIN expansion in the LD_AUDIT environment variable when executing setuid binaries. This can be used to elevate privileges to root.
Windows kernel win32k user-mode callback vulnerabilities (MS11-034)
In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In his presentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Jon Oberheide and Dan Rosenberg presented a set of techniques for exploiting Linux kernel vulnerabilities on grsec systems and inadvertently started an arms race with spender and the PaX Team. This work is a great example of research targeting one of the most difficult systems to exploit.
Understanding and Exploiting Flash ActionScript Vulnerabilities
This research mainly answered two questions: 1) What are the inner mechanisms that cause Flash JIT-level vulnerabilities? 2) How can they be exploited on modern operating systems? The answer to the first question lies in the way the JIT engine performs the "verification process" (the "bytecode verifier") of the program flow, which is not error-proof. Those errors enable potential exploitation situations. To answer the second question, the author introduced a situation deemed "Type/Atom Confusion". Then a novel technique called the "IEEE-754 trick" was provided to read memory from the process when type confusion happens. Armed with those, Haifei Li was able to exploit Flash ActionScript JIT-level vulnerabilities on modern operating systems like Windows 7, bypassing both ASLR and DEP.
Black Box Auditing Adobe Shockwave
This presentation provides a very thorough review of the SmartHeap memory allocator in Adobe Shockwave. The talk focused on the methodology for reversing a large code base with no symbols and included many useful reverse engineering techniques.
Securing the Kernel via Static Binary Rewriting and Program Shepherding
To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that's deserving of respect.
Understanding the LFH heap
This seminal paper provides the most detailed overview of the Low Fragmentation Heap in Vista and Windows 7. Its importance to exploitation cannot be overstated!
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
Remotely exploitable stack overflow in OpenSSH on Novell NetWare
The ZDI advisory clearly stated that this is a remotely exploitable stack overflow, but Novell claimed that it was only a denial of service attack and refused to patch it until ZDI dropped the details on their blog. You can't argue with 0x41414141.
Magix Music Maker 16 stack overflow
After a CORELAN member reported a vulnerability in their Music Maker 16 software, the vendor threatened the researcher with legal action if he were to publish a PoC exploit for it. The advisory was eventually published without the exploit.
RSA SecurID token compromise
They got hacked, their SecurID tokens were totally compromised, and they basically passed it off as a non-event and advised customers that replacing the tokens is not necessary ... until Lockheed-Martin got attacked because of them.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. Rather than let it become anyone else's turn, we have a new rule: nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:
A look into the everyday life of a bug hunter:
Opening track of the last PH-Neutral conference 0x7db, released May 27 2011. A cover of the 90s techno track "Hyper Hyper" by Scooter, it's a homage to the hacker scene. Note: the people mentioned were chosen partially based on phonetic similarities with the DJs mentioned in the original. The track is handmade from the ground up, with no material copied.
An infosec parody of a song by young Ms. Black
Today i-is 0-day, 0-day
Tomorrow is 1-day
Defenses come after-wards
I don't want this 0-day to end
The Light It Up Contest
I shed a tear everytime I think of Lik Sang
But shit man, they're a corporation
And I'm a personification of freedom for all
You fill dockets, like thats a concept foreign to y'all
While lawyers muddy water and TROs stall
Out of business is jail for me
Mastering Success And Failure
This song is about what most security professionals have lived: curiosity at a young age, followed by repression, followed by passion for a living. And then it becomes a career.
Help Yourself To My Flaws
Inspired by Tom Jones' "Help Yourself To My Lips", Stefano Di Paola describes the current state of web application security.
This rap was written by the Disaster Protocol Podcast guys, the ones who did the LIGATT interview. They wrote a song taking the piss out of the allegations against Evans and included Chris John Riley whom he was threatening.
This is an Italian song recorded at the end of 2010. It's a nostalgic song that remembers the old times of the hacking scene, with references to all the groups and events. It's recorded in Italian, but the YouTube video has English subtitles:
My Digital Self
A happy song about social media being a sucking whore on the souls of sheeple. From the forthcoming album by Cryptonomicon, "The Devil's Dance" being released August 1st.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL. And the nominees are:
After Fail0verflow and GeoHot published how to jailbreak the PS3, Sony got a bit miffed. Apparently unfamiliar with how the Internet works and how difficult it is to remove the piss from a swimming pool, Sony proceeded to try to erase the information from the Internet and sue GeoHot et al. into oblivion. Needless to say, this was about as successful as the MiniDisc.
Speaking of piss in a swimming pool, that just happened to be how well Sony protected their Sony Online Entertainment (SOE) users' account info and roughly 25 to 77 million account details were stolen by unknown hackers. That metaphor makes just about no sense at all, but you get the point: FAIL.
After learning the hard way that their PlayStation Network was about as porous as air, Sony had to shut it down for over two months to rebuild it from scratch. In doing so, they made everyone from your 8-year old cousin to your barber learn about the importance of security. Hooray for us, sorry Sony shareholders.
Noticing a pattern here? But wait, it gets better. Sony might have been able to better repel the multitude of attacks if they hadn't just recently laid off a significant number of their network security team. Great timing, guys.
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
Anonymous for hacking HBGary Federal
If you have an externally-facing crappy custom CMS where you use the same password as your Google Apps administrator account, you probably don't want to go picking fights with any one hacker, let alone an angry swarm of them. As it turns out, HBGary Federal did just that, and Anonymous delivered exactly 1.21 giga-owws to them.
LulzSec for hacking everyone
LulzSec provided many Lulz for all the hackers and security professionals around the world. They have attacked Fox News, PBS, Nintendo, pron.com, the NHS, InfraGard, the US Senate, Bethesda, Minecraft, League of Legends, The Escapist magazine, EVE Online, the CIA, The Times and The Sun, all the while generating a media fiasco and evading law enforcement.
Bradley Manning and Wikileaks
Bradley Manning (allegedly) and Wikileaks were instrumental in an international incident of massive proportions, embarrassing governments around the world. And all this was caused by a Lady Gaga CD.
How many centrifuges did your rootkit destroy? How many national nuclear programs did your worm disrupt? How many 0day exploits and rootkits for equipment that no one you know has ever heard of have you written? Exactly.