Nominations for Pwnie Awards 2012
Pwnie for Best Client-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
Pinkie Pie's Pwnium Exploit
The Pwnie Award judges were the original bronies. In a blatant attempt at currying their favor, Pinkie Pie chose a handle near and dear to their hearts. How did he know that Pinkie Pie was our favorite? Just slightly less impressive than this feat of clairvoyance was Pinkie Pie's exploit chain of six bugs that got him full remote code execution in Chrome to win Google's Pwnium competition at CanSecWest.
Sergey Glazunov's Pwnium Exploit
Not to be outdone by Pinkie Pie, Sergey's Pwnium exploit took advantage of at least 14 bugs (The Chrome security team apparently lost count after that -- numbers are hard). In another show of one-upmanship, he chose a handle of an extremely obscure My Little Pony.
MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE 2011-3402)
As seen in "Stuxnet 2: Electric Duquloo", this 100% reliable kernel-mode remote code execution exploit could rootkit any version of Windows ever from a font file embedded in a web page or various other file formats. What else could you possibly want from a client-side vulnerability? A cookie?
Flash BitmapData.histogram() Info Leak (CVE 2012-0769)
Fermin demonstrated and documented in exquisite detail how to turn a lossy out-of-bounds memory read vulnerability into full chosen-address memory disclosure. He showed how proper heap manipulation and creativity can build a limited exploitation primitive into a much more powerful one. Oh right, we are supposed to make jokes about these. Too bad nothing actually runs Flash.
iOS Code Signing Bypass (CVE 2011-3442)
Hackers are always looking for interesting ways around "the system", whichever one that may be. In this case, Charlie Miller hatched this get-rich-quick idea:
- Write a stock quote app for iOS and put it on the AppStore
- Discover a code signing bypass that allows third-party apps to dynamically download and execute code and use this in his rogue app
- Entice himself to download the app
- Download and inject code into the app to spy on the list of stocks that he was using the app to get quotes for
- Make lucrative trades based on this valuable information
Unfortunately, before Charlie could profit sufficiently from this information, he talked to the press about his ingenious plot. Apple subsequently pulled his app from the AppStore and from his own iPhone that had installed it (the only user of the app) as well as banned Charlie from the iOS Developer Program for one year. By doing this, Apple kept Charlie safe from himself for the entire next year.
Pwnie for Best Server-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
TNS Poison Attack (CVE-2012-1675)
Oracle TNS Listener vulnerabilities bring a tear to our eye. Joxean's attack is basically the forbidden love child between DNS poisoning and those classic TNS Listener vulnerabilities, allowing you to MITM connections to the database from across the Internet.
ProFTPD Response Pool Use-after-Free (CVE-2011-4130)
Wait, use-after-free bugs exist outside of web browsers? Shame on them for trying to monopolize that bug class. Anyway, this post-auth use-after-free gets you remote code execution on ProFTPD. And that's what dreams are made of. Well, that and puppy tears. Ours are, anyway.
"Are we there yet?" MySQL Authentication Bypass (CVE-2012-2122)
On vulnerable versions of MySQL, simply asking to authenticate enough times is enough to bypass authentication: "Can I log in as root now?"
"How about now?"
For actual details, check out Pwnie Judge extraordinaire HD Moore's blog post.
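The root cause behind this bypass, as an added illustration that is not part of the Pwnie page or of MySQL's own code: the scramble check in MySQL returned memcmp()'s int result straight into a my_bool (a char), so on builds whose optimized memcmp returned values outside -128..127 the surviving low byte could be zero and a wrong password was accepted. The stand-in comparator below scales the byte difference by 256 so the truncation fires on every wrong guess, whereas the real bug fired only roughly one time in 256; the reference hash is constructed.

```c
#include <stdint.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool; /* MySQL's my_bool was a plain char: ints get truncated */
/* Constructed stand-in for an optimized memcmp: C only promises a negative,
 * zero or positive int, and some vectorized versions return a scaled byte
 * difference. Scaling by 256 zeroes the low byte on every wrong guess. */
static int scaled_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;
    return 0;
}

/* Pre-fix pattern: int narrowed to my_bool as-is; 0 means "scramble matches". */
static my_bool check_scramble_vulnerable(const uint8_t *exp, const uint8_t *got)
{
    return scaled_memcmp(exp, got, SHA1_HASH_SIZE);
}

/* Post-fix pattern: collapse the int to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *exp, const uint8_t *got)
{
    return scaled_memcmp(exp, got, SHA1_HASH_SIZE) != 0;
}

/* Constructed reference scramble; a real server derives it from the stored hash. */
static const uint8_t EXPECTED[SHA1_HASH_SIZE] = {
    0x5b, 0xaa, 0x61, 0xe4, 0xc9, 0xb9, 0x3f, 0x3f, 0x06, 0x82,
    0x25, 0x0b, 0x6c, 0xf8, 0x33, 0x1b, 0x7e, 0xe6, 0x8f, 0xd8 };
/* Try all 255 wrong first bytes against the chosen checker and return how
 * many wrong scrambles it accepts (vulnerable: 255, fixed: 0). */
int count_false_accepts(int use_fixed_check)
{
    uint8_t guess[SHA1_HASH_SIZE];
    int accepted = 0;
    for (int b = 0; b < 256; b++) {
        if ((uint8_t)b == EXPECTED[0])
            continue;
        memcpy(guess, EXPECTED, SHA1_HASH_SIZE);
        guess[0] = (uint8_t)b;
        my_bool mismatch = use_fixed_check ? check_scramble_fixed(EXPECTED, guess)
                                           : check_scramble_vulnerable(EXPECTED, guess);
        if (mismatch == 0)
            accepted++;
    }
    return accepted;
}
```

The same narrowing hazard applies to any boolean-typed wrapper around memcmp() or strcmp(); the fix is always to compare the int against zero before storing it.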
WordPress Timthumb Plugin 'timthumb' Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)
Here's a tip from some old hands at this game: if the software is named after the author's first name, it is likely INSECURE AS ALL HELL. This design error is case in point. Download files from attacker-specified URLs into a cache directory inside the webroot? Sounds like a great idea to me.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)
It looks like Intel's x64 SYSRET instruction operates differently enough from AMD's x86_64 standard (some people call this "wrong") that an OS written to the AMD standard running on Intel processors includes a bonus privilege escalation feature. Namely, you can get the kernel (or hypervisor) to handle a SYSRET with a user-specified RSP. What could possibly go wrong?
Wait, everyone else is vulnerable too? Bonus in your attackers' favor.
iOS HFS Catalog File Integer Underflow (CVE-2012-0642)
This exploit was used for the Absinthe iOS 5.0/5.0.1 untether. It massaged the kernel heap into submission, copying over the syscall table and giving pod2g (as well as jailbreak users everywhere) a happy ending. And who doesn't love happy endings?
MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)
j00ru owned Windows. All of them. Ok, well just all of the 32-bit versions of Windows from NT through the Windows 8 Developer Preview. What have you done lately? And to top it off, he wrote a clear paper on it with some of the nicest boxy diagrams we have ever seen in a LaTeX paper.
VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)
I'll admit it. The unspecified Pwnie Award judge writing this description never understands any of Derek's bugs and it's getting late and he wants to go to sleep. But Derek's bugs always look big pimpin' and he wishes that he did understand them.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Yo dawg, Travis heard you like packets, so he put packets in packets so that he could inject packets into your internal network from all the way across the Internet. Doesn't sound very neighborly to us, but it's still way cool.
What did the Windows kernel ever do to Tarjei to deserve the merciless beating he has subjected it to over the last several years? Has he not subjected it to enough pain? Apparently not yet.
Incomplete Code Signing attacks are not only useful for iOS jailbreaks, they can also be used to add a few more features to signed PE executables (i.e. software installers, updates, etc) without invalidating the Authenticode signatures. But why would anyone want to do that?
What you say is more important than how you say it. It turns out that this is true in machine code as well. Rolf's keynote presentation at REcon described how to take approaches from academic program analysis and apply them to real-world reverse engineering challenges.
Many hackers have been complaining about the extinction of unmitigated vanilla stack buffer overflows. It turns out that they are not extinct at all, they have all just migrated to YOUR CAR. Stephen Checkoway and the rest of his team identified and exploited these vulnerabilities through a burned CD, paired BlueTooth device, unpaired BlueTooth device, and through a phone call to the car's internal GSM cell phone. Yes, they can call up your car and install malware on it, which they actually implemented (how non-Academic of them). The future is a very scary place. Luckily, the majority of the Pwnie Award judges don't drive. Or use computers. Or phones.
Pwnie for Lamest Vendor Response
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? There is strangely enough a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather than let it become anyone else's turn, we have a new rule. Nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:
Giving shoutouts to almost all of the Pwnie Award judges definitely helps win a Pwnie nomination (for the record, offerings of 0day work better). Only time will tell if this song is a "certified Pwnie Award winner".
Who would have thought that C++ method names from MSHTML.DLL could make such a catchy chorus? We never would have.
The UW CSE Band has the unique distinction of being the first Best Song nominee that is sung (not rapped) by someone who can actually sing on key. This song, a cover of The Cranberries' "Zombie", gives us flashbacks to the mid-90's when server-side remotes and raver pants were plentiful.
The LinkedIn breach, explained in rap form.
Written for the Social Engineering Podcast, this song satisfies your corporate social engineering training requirement and you get CISSP points just by listening to it. Just tell your boss that we said so.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL. And the nominees are:
The Anti-Virus Industry
Do you really need us to elaborate?
Even botmasters have trouble adhering to sound information security practices like choosing strong passwords, auditing their PHP code for vulnerabilities, and limiting the amount of their personal information that is available online. The malware.lu crew took advantage of fails in all of these to track down and dox the botmaster behind the Herpes botnet. If you find that one of your machines is infected with Herpes, ask your doctor what malware.lu can do for you.
What has 2500 employees, over 90 million users, no CSO, and hates salt? This company.
Including an SSH authentication public key for root on all F5 devices is nice; putting the private key for it in the firmware where it can be found and then used against any other F5 device is even better. For FAIL, press F5.
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
"Flame" Windows Update MD5 Collision Attack
Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book. And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage.
It turns out that Certificate Authorities themselves are one massive security vulnerability. How many more CAs need to get popped before we as an industry realize that allowing Bob's Bait, Tackle, and Certificates to issue wildcard certificates is a bad idea?
We love the jailbreakers and you should too. They publicly drop all of their exploits as 0day, convince millions of users to disable the security features on their own devices, and then keep those devices vulnerable to the released exploits until new exploits can be developed and released in the patched versions of iOS.