Pwnie Awards 2017

Winners of Pwnie Awards 2012

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

  • Pinkie Pie's Pwnium Exploit

    Credit: Pinkie Pie

    The Pwnie Award judges were the original bronies. In a blatant attempt at currying their favor, Pinkie Pie chose a handle near and dear to their hearts. How did he know that Pinkie Pie was our favorite? Just slightly less impressive than this feat of clairvoyance was Pinkie Pie's exploit chain of six bugs that got him full remote code execution in Chrome to win Google's Pwnium competition at CanSecWest.

  • Sergey Glazunov's Pwnium Exploit

    Credit: Sergey Glazunov

    Not to be outdone by Pinkie Pie, Sergey's Pwnium exploit took advantage of at least 14 bugs (the Chrome security team apparently lost count after that -- numbers are hard). In another show of one-upmanship, he chose the handle of an extremely obscure My Little Pony.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • "Are we there yet?" MySQL Authentication Bypass (CVE-2012-2122)

    Credit: Sergei Golubchik

    On vulnerable versions of MySQL, simply asking to authenticate enough times is enough to bypass authentication:

    "Can I log in as root now?"
    "How about now?"
    "Now?"

    For actual details, check out Pwnie Judge extraordinaire HD Moore's blog post.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)

    Credit: Mateusz "j00ru" Jurczyk

    j00ru owned Windows. All of them. Ok, well just all of the 32-bit versions of Windows from NT through the Windows 8 Developer Preview. What have you done lately? And to top it off, he wrote a clear paper on it with some of the nicest boxy diagrams we have ever seen in a LaTeX paper.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? There is, strangely enough, a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather than let it become anyone else's turn, we have a new rule: nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:

  • Control

    Dual Core

    Written for the Social Engineering Podcast, this song satisfies your corporate social engineering training requirement and you get CISSP points just by listening to it. Just tell your boss that we said so.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL. And the nominees are:

  • F5 Static Root SSH Key

    F5 Networks

    Including an SSH authentication public key for root on all F5 devices is nice; putting the private key for it in the firmware, where it can be found and then used against any other F5 device, is even better. For FAIL, press F5.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • "Flame" Windows Update MD5 Collision Attack

    Flame Authors

    Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book. And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage.

Calendar

  • Jun 5: Nominations opened.
  • Jul 10: Nominations closed.
  • Jul 17: The list of nominees is announced.
  • Jul 26: Awards ceremony at the BlackHat USA conference in Las Vegas.

Awards Ceremony

  • When: Wed, Jul 26th 2017 @ 6:30pm
  • Where: BlackHat USA 2017, Lagoon A-I, Mandalay Bay, Las Vegas