Pwnie Awards 2017

Winners of Pwnie Awards 2011

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • ASP.NET Framework Padding Oracle (CVE-2010-3332)

    Credit: Juliano Rizzo, Thai Duong

    Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

  • FreeType vulnerability in iOS (CVE-2011-0226)

    Credit: Comex

    Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted on and was successfully used by thousands of people to jailbreak their iOS devices.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • Windows kernel win32k user-mode callback vulnerabilities (MS11-034)

    Credit: Tarjei Mandt

    In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In his presentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • Securing the Kernel via Static Binary Rewriting and Program Shepherding

    Author: Piotr Bania

    To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that's deserving of respect.

Pwnie for Lifetime Achievement

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's fourth decade, it is time to put down the disassembler and consider a relaxing job in management. This award is to honor the previous achievements of those who have moved on to bigger and better things.

  • pipacs/PaX Team

    The person that we are honoring this year with the lifetime achievement award has, surprisingly, contributed a lot to the defensive side of security. The winner has repeatedly innovated behind the scenes, avoided the conference circus and maintained a high level of personal and intellectual integrity.

    His technical work has had an outsize impact on security: His ideas are fundamental to security improvements in all major operating systems in recent years, and his ideas have indirectly shaped most modern memory-corruption attack techniques. No attacker can be taken seriously nowadays that does not deal with defensive inventions pioneered by our winner.

    In an environment where Microsoft awards 200k USD for mitigation ideas that they can then patent and monopolize, he has freely shared his ideas - out of intellectual openness, but also out of a rather endearing mixture of humility and incredulity at the general retardedness of others.

    Aside from all this, his innovations had a major impact when they were first introduced: For quite a while after their introduction, his work made it difficult to hack other hackers, taking away the hackers favourite pasttime -- infighting -- and making sure that innocent third parties were hacked.

    The winner of this years lifetime achievement award is pipacs/PaX Team, for creating PaX, giving birth to ASLR, impacting all modern operating systems, and, last but not least, for patching an mp3 player and a tetris clone into softIce.

Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • RSA SecurID token compromise

    Vendor: RSA

    They got hacked, their SecurID tokens were totally compromised, and they basically passed it off as a non-event and advised customers that replacing the tokens is not necessary ... until Lockheed-Martin got attacked because of them.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? There is strangely enough a long tradition of hacker-written songs and raps (parodies and originals). For your listening pleasure, the winner is:

  • The Light It Up Contest

    Author: Geohot

    I shed a tear everytime I think of Lik Sang
    But shit man, they're a corporation
    And I'm a personification of freedom for all
    You fill dockets, like thats a concept foreign to y'all
    While lawyers muddy water and TROs stall
    Out of business is jail for me

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL. And the winner is:

  • Sony

    After Fail0verflow and GeoHot published how to jailbreak the PS3, Sony got a bit miffed. Apparently unfamiliar with how the Internet works and how difficult it is to remove the piss from a swimming pool, Sony proceeded to try erase the information from the Internet and sue GeoHot et al. into oblivion. Needless to say, this was about as successful as the MiniDisc.

  • Sony

    Speaking of piss in a swimming pool, that just happened to be how well Sony protected their Sony Online Entertainment (SOE) users' account info and roughly 25 to 77 million account details were stolen by unknown hackers. That metaphor makes just about no sense at all, but you get the point: FAIL.

  • Sony

    Sony is definitely good at one thing: keeping the hits coming and their fans entertained. Oh wait, did we say Sony? We meant LulzSec. I guess that counts as another FAIL for Sony.

  • Sony

    After learning the hard way that their PlayStation Network was about as porous as air, Sony had to shut it down for over two months to rebuild it from scratch. In doing so, they made everyone from your 8-year old cousin to your barber learn about the importance of security. Hooray for us, sorry Sony shareholders.

  • Sony

    Noticing a pattern here? But wait, it gets better. Sony might have been able to better repel the multitude of attacks if they hadn't just recently laid off a significant number of their network security team. Great timing, guys.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Stuxnet

    How many centrifuges did your rootkit destroy? How many national nuclear programs did your worm disrupt? How many 0day exploits and rootkits for equipment that no one you has ever heard of have you written? Exactly.

Nominations opened.
Nominations closed.
The list of nominees is announced.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 8th 2018
where BlackHat USA 2018, Lagoon JK (Level 2), Mandalay Bay, Las Vegas