Pwnie Awards 2017

Nominations for Pwnie Awards 2016

Pwnie for Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow (CVE-2016-1287)

    Credit: David Barksdale, Jordan Gruskovnjak, and Alex Wheeler

    Cisco's ASA (Ancient Security Architecture) firewalls had a vulnerability in their IKE fragment re-assembly that permitted remote unauthenticated heap memory corruption. Thanks to a lack of non-executable memory and ASLR protections, these Exodus researchers were able to turn this vulnerability into an epic win just as if they were exploiting a late 90's Linux box. It just turns out that this late 90's Linux box happens to be your firewall/NIDS/VPN/IRC Bouncer. Yay.

  • ImageTragick (CVE-2016–3714)

    Credit: Stewie and Nikolay Ermishkin

    ImageTragick describes a happy family of shell command injection vulnerabilities in the popular ImageMagick library. ImageMagick is commonly used by websites to convert or resize users' pretentious avatar pics. Instead of uploading a picture of themselves doing something excitingly adventurous or saving the world, an attacker can upload a specially crafted SVG (Shells Via Graphics) or MVG (Missing Validation Graphics) file format images that execute chosen shell commands on the remote server.

  • Stagefright via MMS (CVE-2015-1538)

    Credit: jduck

    One billion vulnerable devices that can be targeted and remotely exploited over MMS *without user assistance* is enough to make a hacker cry out of joy. Watching Google release a new version of the Hangouts app that is automatically updated on those billions of devices within days is enough to make that same hacker cry. Google Play is why we can't have nice shells things.

  • glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)

    Credit: Fermin J. Serna

    We have it on good authority that this vulnerability is in fact exploitable against Linux-based servers. Notably, yours. I guess that explains why you've been seeing the spike in segfaults on your webservers since then.

  • Apache Commons Collections Java Object Deserialization RCE in WebLogic and Everything Else In the World (CVE-2015-4852)

    Credit: Matthias Kaiser, Stephen Breen with honorable mention to Chris Frohoff and Gabriel Lawrence

    During the same week that you were scrambling to patch the branded vulnerability of the week, this was the vulnerability that you were actually getting owned with. The Apache Commons Collections Framework provides implementations of all of the basic data structures that any Computer Science graduate should be able to write themselves in under an hour. Not surprisingly, a ton of projects use this library instead of going through the pain and undergrad flashbacks of doing that. The one feature that they didn't teach you in college (most liekly) is how to deserialize Java objects into remote attacker shells. Luckily, the magical world of Open Source has you covered there.

    Chris Frohoff and Gabriel Lawrence developed the original techniques to exploit Java object deserialization vulnerabilities, including vulnerable applications that used passed untrusted serialized objects to the Apache Commons Collections Framework and presented their research at AppSecCali 2015. Both Matthias Kaiser and Stephen Breen identified and reported vulnerabilities where commonly used software such as Oracle WebLogic unsafely deserializing untrusted serialized objects using the Apache Commons Collections Framework.

  • Samsung Galaxy Edge Baseband Stack Overflow (CVE-2015-8546)

    Credit: Daniel Komaromy and Nico Golde

    Basebands are basically just the crappy embedded system embedded within the crappy embedded system that you call your phone. Daniel and Nico found an exploitable stack buffer overflow in Samsung's "Shannon" baseband and exploited it from their OpenBTS rogue base station to gain code exec and redirect the victim's phone calls. In short, THEY RAINED THE HACKS DOWN FROM THE SKY!

Pwnie for Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • MS16-006 Silverlight BinaryReader Out-Of-Bounds Write RCE (CVE-2016-0034)

    Credit: Unknown

    It's been a rough couple of years for Hacking Team. If getting pwned, doxxed, and a bunch of their exploits burned wasn't enough, Kaspersky kept it going by trying to hunt down whatever exploits they may still have. Kaspersky wrote some special detections based on unique strings from Silverlight exploits that Vitaliy Toropov had previously submitted to the Packet Storm Bug Bounty program and waited for them to alert. On November 25th 2015, they detected an alert from one of their special detections and discovered that it was indeed a new zero-day exploit. And what a nice exploit that it was too! The bug is analyzed in Kaspersky's blog post and is well worth a read.

  • glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)

    Credit: Fermin J. Serna

    This vulnerability was discovered when SSH kept segfaulting when a Google engineer tried to connect to a particular host. Rather than being a bug in SSH, it turned out that Google has ridiculously long internal hostnames that cause stack buffer overflows in glibc's DNS resolution code. They also have some ridiculously talented security engineers who were able to bypass modern Linux security mitigations like ASLR and exploit this bug.

  • MS15-131 Microsoft Office RCE Vulnerability (BadWinmail) (CVE-2015-6172)

    Credit: Haifei Li

    You know those annoying 'winmail.dat' attachments that you get from your poor friends and colleagues still stuck using Outlook? Haifei Li discovered that you can drop OLE objects in them and Outlook will happily load and run them. Haifei demonstrated this as a vector to exploit Adobe Flash vulnerabilities when your target simply previews or reads the e-mail. Microsoft's description, however, makes it seem like you can just skip the Flash 0day and get your RCE immediately. That'd make it Super-Duper-BadWinmail.

  • MS15-078 OpenType Font Driver Vulnerability (CVE-2015-2426)

    Credit: Mateusz 'j00ru' Jurczyk

    A well-known regular in this category, Mateusz 'j00ru' Jurczyk, has dedicated his life to eradicating every last font bug in Windows and Adobe's software. Over the last year, he tasked Google's SkyNet with fuzzing Windows' font handling for an entire year. In doing so, they found and reported bug collisions with vulnerabilities used by Hacking Team and Keen Team to win Pwn2Own 2015. This just goes to show that if you are hoarding fuzzable 0day in a attack surface that Google decides to fuzz, your 0day is a dead bug walking. They have more CPU cores than you ever will and they aren't afraid to use them. If you're holding onto a Windows font bug that their fuzzing didn't find and kill, we recommend making your way to the nearest casino.

  • Stagefright via Web Browser (CVE-2015-1538)

    Credit: jduck

    Stagefright, no stranger to the Pwnies this year, was also a client-side vulnerability exploitable through multiple web browsers on Android. NorthBit released their ASLR bypassing exploit for a Stagefright vulnerability targeting the Nexus 5 running Android 5.0.1. They left it as an exercise to the reader to port their exploit to all of the other umpteen billion Android devices and firmware combinations that people actually use.

Pwnie for Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • SETFKEY FreeBSD Kernel Vulnerability (CVE-2016-1886)

    Credit: CTurt

    1999 was a good year for bugs and hacking. Many of us even wish that it were still 1999. 1999 have come and gone, but at least some of its bugs are still with us. CTurt found a nice '99 vintage in the FreeBSD kernel AT keyboard driver, which could be used to get root on every version of FreeBSD since then and even fun things like the PlayStation 4 that uses it. Who would have thought in 1999 that, almost 20 years later, the largest deployment of FreeBSD would be a video game console?

  • Widevine QSEE TrustZone Privilege Escalation (CVE-2015-6639)

    Credit: laginimaineb

    The best part about platforms building new layers of privilege with Trusted Execution Environments is that they all present new opportunities for wicked cool privilege escalation vulnerabilities. While Intel is down to somewhere around Ring -37, ARM-based platforms are catching up quickly. A mysterious porcupine slash hacker slash blogger has spent the last year documenting a privilege escalation chain from zero privileges to full dumping of FDE keys outta TrustZone. The exploitation of this vulnerability in the Widevine DRM-protected video trustlet was a work of art and it deserves a video of a round of applause displayed through a hardware-protected video path that fully protects the rights of the content owner end-to-end.

  • AMD Piledriver Microcode VM Ring 3 to Host Ring 0

    Credit: Robert Swiecki

    This bug is just too much of a magical unicorn to be sullied by something as basic as a CVE. A subsequent software update to affected CPUs fixed the vulnerability. Just read that sentence again and realize what a weird world we live in now. I can't wait until we have OTA updates for microcode in chips that we didn't even know existed.

  • Linux iovec overrun memory corruption (CVE-2015-1805)

    Credit: RedHat, Solar Designer, Keen Security Lab of Tencent, @dosomder

    This isn't something that you see often. Solar Designer wrote:

    Red Hat's description includes the usual wording: "A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system." I'd like to know how. "Crash the system" will do. Thanks.
    ... and then @idl3r, @returnsme, and @nwmonster) from the Keen Security Lab of Tencent showed him how. This spurred Google into releasing their first ever out-of-band patch to address the vulnerability. Then @dosomder finished the job with a complete rooting tool based on it. In what shouldn't have been a surprise to anyone, Android malware started abusing this exploit in the wild. They just grow up so quickly these days...

  • Apple Mac OS X WindowServer Use-After-Free (CVE-2016-1804)

    Credit: Keen Security Lab of Tencent

    From the advisory:

    This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CFData objects within the WindowServer process. An attacker can cause a CFData object in memory to be reused after it has been freed. An attacker can leverage this vulnerability to execute arbitrary code under the context of the WindowServer.

Pwnie for Best Cryptographic Attack (new for 2016!)

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.

Descriptions of this category's nominees provided by Thomas Ptacek.

  • Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage

    Credit: Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, Michael Rushana

    Your intuition is that this is a contender just for impact. They have a decryption attack against one of the most widely-used secure messaging protocols in the world. Done and done, on to the next one. Right?

    Not so fast. iMessage is the least interesting thing about this attack. Here, let me spoil it for you: iMessage doesn't properly authenticate ciphertexts. You can flip bits in encrypted iMessage messages and get responses to them. You don't need to know much crypto to know why that's a problem.

    But here's the catch: iMessage messages are DEFLATE compressed.

    The exploit for this flaw could best be described as "acrobatic". You've got to flip bits until you find a message that Huffman-decodes properly. But that's not good enough: a random valid Huffman symbol will break the DEFLATE CRC, so you've got to XOR-compensate the CRC. And a known-valid symbol is only useful if you've got the DEFLATE Huffman table. Spoiler: you don't. You have to infer it based on an HTTP side channel Apple managed to leave in iMessage.

    This attack is hard to pull off and Apple fixed it already anyways. So what's the big deal? Only that this attack will be a template for how to exploit other broken cryptosystems in the future. Also: a great read.

  • Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

    Credit: Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

    It's one thing to know that when you're encrypting with constructions that need a random nonce, you can't ever re-use a nonce. Everyone knows that, right? Everyone, that is, except all the people who implement TLS stacks.

    It's another thing to know how to exploit crypto constructions with repeated nonces.

    Sometimes it's easy. Repeat a nonce for AES-CTR in AES-CTR-HMAC and you can decrypt messages as straightforwardly as you can decrypt toy XOR encryption.

    Other times it's not so easy. Accidentally repeat 8 bits of an 256-bit ECDSA nonce, for instance by leaving its 32nd byte zero in an off-by-one bug, and you've got a vulnerability that requires both lattice reductions and Fourier transforms to solve. Which is a good thing, if you find that sort of thing "fun".

    Attacks on GCM are on the "fun" end of the spectrum. Binary polynomial fun. Linear algebra fun. Factoring fun. There's something in here for everyone to love. Except the people who write TLS stacks.

    Real world impact? They did the TLS equivalent of popping CALC.EXE: they exploited GCM, the current state of the art in authenticated encryption, to inject XSS attacks into bank websites. Even though Antoine Joux, one of the world's most famous cryptographers, forbade them from doing that. Take that, cryptographers! This attack is Forbidden! And they did it anyways!

  • BlueCoat's Intermediate CA Certificate

    Credit: BlueCoat and Symantec

    Symantec signed a CA=YES certificate for BlueCoat. Yes, that BlueCoat. Then they bought BlueCoat, creating a singularity of Internet trust drama.

    You vote for this one if you're like, fuck crypto, this whole thing is fucked, nothing matters, burn the Pwnies down. I won't blame you.

  • Got HW crypto? On the (in)security of a Self-Encrypting Drives series

    Credit: Gunnar Alendal and Christian Kison and modg

    You didn't actually think self-encrypting hard drives worked, did you? You think the world's great cryptographers go work for hard disk companies working on checkbox features? Obviously, they don't. Obviously, these things don't work.

    But don't let that keep you from reading a pretty excellent paper on reversing hardware and exploiting comical encryption failures.

    See something that looks like an AES key?

    It was probably spooled directly off an LFSR.

    Unless it wasn't. If it wasn't, it was probably encrypted by another AES key hardcoded into the firmware of the device, free from the prying eyes of anyone other than someone who can handle file formats.

    It's not encrypted with a hardcoded key? You can't work it out by breaking an LFSR? Oh, don't worry: that just means it's the value of GetTickCount repeated 4 times.

    It gets worse, but you should read the paper to see how.

  • OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)

    Credit: Antonio Sanso

    What *doesn't* go wrong with OpenSSL? When the trickster gods of software security see too much time elapse since the last exploitable memory corruption vulnerability in OpenSSL, they summon demons from the underworld to add support for new TLS options just so new memory corruption flaws can be introduced. ia! ia! OpenSSL! Leave no padding un-oracled! No Bleichen un-bachered! No buffer underflown, no carry un-un-propagated!

    Even when OpenSSL gets things right, it gets things wrong, as Antonio Sanso discovered.

    You and me, we look at RFC 5114 and we say to ourselves, "why are we reading RFC 5114?" and we go back to perfecting our Lucio wall-riding on Numbani in Overwatch.

    Sanso looks at RFC 5114 and he thinks to himself, "why are these DH generator values so complicated compared to normal DH generator values?" And the answer, it turns out, is that they're stupid and broken!

    Now, you hear "why is this DH generator value so complicated?" and you think to yourself "I'm not sure whether my life would get any better at all if I knew what a DH generator value OH FUCK fucking Junkrat just did that stupid fucking tire thing on me now what were we talking about again?"

    But it turns out your life does get a little better if you know how DH parameters work and you read RFC 5114 and you take the time to implement one of the all-time classic crypto attacks and people in the world actually use OpenSSL.

    Because what you can do with the broken standard DH group is, you can make lots of TLS connections to an OpenSSL server and each time, feed it a bogus DH public key, one the generator couldn't have generated, one that can only generate a small subset of all possible session keys. So small a subset, you can brute force it. And you can do that over and over again, and take all those broken session keys, and feed them to the Chinese Remainder Theorem, and GOD DAMMIT FUCKING REAPER --- sorry, I mean you can remotely recover the OpenSSL server's private DH key.

    But only if OpenSSL's DH is in its default configuration. The trickster gods didn't want to make it too easy.

  • SSLv2 Crypto attack (CVE-2016-0800)

    Credit: Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt

    DROWN is the Mark Dowd Flash Exploit of crypto attacks. It is one of the all-time great papers not just in crypto exploitation, but in exploitation period.

    Start here: almost everyone working in software security knows that if you encrypt a message and then don't authenticate the resulting ciphertext, you've got problems. If you encrypt with a block cipher in CBC mode, which is how everyone encrypted until like 5 minutes ago, you have a problem with a name: a padding oracle.

    Among all the viable crypto attacks you can pull off with a laptop to get a game-over serverside flaw with, there are two that you can count on a strong pentester to actually know about: hash length extension and the CBC padding oracle.

    What a lot of strong pentesters don't know is that the padding oracle attack that breaks AES in CBC mode also breaks RSA. The attack is trickier, but not that much trickier, and when you pull it off you join a secret society of people who get to make dumb jokes based on the name "Bleichenbacher". We have a Slack!

    So, DROWN exploits the Bleichenbacher RSA padding oracle against TLS. Easy peasy, lemon squeezy, right?

    Wrong. There is neither pease nor squeeze to be found anywhere in DROWN.

    To start with: the Bleichenbacher oracle doesn't work against SSL 3.0 or TLS. And SSL 3.0 or TLS is what everyone uses. But DROWN still works. Why?

    Because people still have SSL 2.0 servers stood up on the Internet. They don't use them. They're not even aware that they're there. But they are, and because people are lazy, they have the same certificates and keys installed as the TLS servers do. DROWN takes advantage of that: it's a cross-protocol attack.

    In the DROWN attack, attackers start a handshake with a TLS server, and then quickly shuttle the victim's TLS messages to an SSL 2 server. SSL 2 is vulnerability to RSA oracles, and can be used as a cross-protocol oracle.

    But wait: there's more. SSL 2.0 is not the same protocol as TLS. It can't do anything with TLS ciphertexts. But there's an extension to the RSA padding oracle attack that takes advantage of RSA malleability. The same malleability that allows attackers to do the number-theoretic equivalent of flipping bits in a CBC ciphertext also allows attackers to *tune* their corrupted TLS RSA ciphertexts.

    The DROWN attack takes advantage of an optimization Bardou used for fast padding oracle attacks against embedded hardware to adapt TLS messages to SSL 2.0, and then use SSL 2.0's vulnerability to padding oracles to decrypt them.

    It's among the coolest attack papers I've ever read. Let's pretend, just for this one Pwnies event, that it had better branding than Badlock.

Pwnie for Best Backdoor (new for 2016!)

Awarded to the researchers who introduced or discovered the most subtle, technically sophisticated, or impactful backdoor in widely used software, protocols, or algorithms.

  • No Name Ransomware

    Credit: Utku Sen & demonslay335

    It is tragic when software vendors ship backdoors to their customers, but less tragic when that software is an open-source ransomware example copypastad into active malware. In March of 2015, Utku Sen and demonslay335 noticed that a particularly dumb flavor of criminal had copied the EDA2 open source ransomware when building their custom version. Unsatisfied with business-like threats and demands for payment, the "author" of this malware made a series of silly claims, the least of which was that "Best Buy will have no ability to undo the encryption. Hell, even the NSA probably couldn't undo it. Well maybe they could, but I suspect you won't be a high priority for their computation clusters for at least a couple of years.". Now ignoring why anyone would think of Best Buy in this situation (maybe the author was a 30-something resident of the US?), this whole sham came falling down when the EDA2 developers publicized the backdoor and published a list of decryption keys. Hurray for open source!

  • Quanta LTE Routers: Shells All The Way Down

    Credit: Pierre Kim

    Everyone knows consumer router security is terrible, but few have measured this tire fire of gross irresponsibility as closely as Pierre Kim. In a single blog post, Pierre outlined 20 different vulnerabilities, including multiple backdoors, before giving up and creating a section called "Misc". If the flaws with your product are so severe that they don't merit the full spelling of "Miscellaneous", you are probably in the wrong business. Not to let Quanta receive all of the credit, Pierre identified additional router models affected by these issues, including those crafted by distinguished Internet of Shit purveyors D-Link and Totolink (not actually a line connected toilets). One particular backdoor really drives home the quality we are dealing with; /cgi-bin/sh, which unsurprisingly, is a command shell executed as root over HTTP.

  • Juniper ScreenOS: 哈哈哈哈哈哈 (CVE-2015-7755 & CVE-2015-7756)

    Credit: Chinese Information Operations and Information Warfare Center

    Although many vendors intentionally backdoor their products, because they hate their users, some companies have to rely on the cyberwarfare divisions of global powers to do so. In late 2015, Juniper issued an advisory claiming that "unauthorized" code in the Netscreen operating system had been active for the last few years. Netscreen firewalls are externally exposed by their very nature and it wasn't long before two sets of issues were uncovered. In a nod to grunge 90s, a SSH backdoor was added that allowed anyone (mostly China) to login to a Netscreen device over SSH using a hardcoded backdoor. The security firms who published the details did so knowing that far too many sysadmins were stuck at their in-laws over the December holidays and looking for any excuse to spend some quality time in a dark room by themselves. The second issue was far more interesting. In an attempt to make all of the privacy crazies^W^W crypto activists feel better about themselves, the Dual_EC RNG constant hardcoded into the Netscreen firmware was changed from one mysterious constant to another. Juniper hasn't clarified whether the first constant was a backdoor as well, but it is safe to assume that the entire Netscreen platform should be gently lowered into a volcano at this point. Eight months later, not much is publicly known about how these backdoors were added, or which Juniper developer has a storage unit full of Chinese tiger penis wine as a result.

  • AMX (Harmon Professional) Audio/Video Products

    Credit: Manuel Hofer & Matthias Klinski

    Everyone loves superheroes and the developers behind AMX's room automation products are not immune. In early 2015, the dynamic duo at SEC-Consult (*pow*) identified a backdoor account in the AMX product line called "BlackWidow". This account provided full access to the product through the standard configuration management interface. After applying the advanced posturing process known as coordinated disclosure, SEC-Consult decided to get retro and examine the "fixed" firmware. After BlackWidow had been busted, the AMX team decided to deliver on the backdoor account their customers need, but not necessarily the one they want. Leet Batman ([email protected]) stepped forward to replace BlackWidow as the backdoor account of preference and both superheroes were only permanently banished after yet another round of coordinated disclosure.

  • PoC||GTFO 0x08: Deniable Backdoors via Compiler Bugs

    Credit: Scott Bauer, Pascal Cuoq, & John Regehr

    The illustrious PoC||GTFO zine included a particularly brain-bending deniable backdoor in the form of a bug in clang/LLVM 3.3 that was used to modifed the sudo binary such a local user could retain unrestricted root access to the system. This backdoor was impressive in that it can survive a manual code review and even formal verification methods.

Pwnie for Best Junk or Stunt Hack (new for 2016!)

Awarded to the researchers, their PR team, and participating journalists for the best, most high-profile, and fear-inducing public spectacle that resulted in the most panic-stricken phone calls from our less-technical friends and family members. Bonus points for it being a needlessly sophisticated attack against a needlessly Internet-enabled "Thing."

  • WhatsApp Message Hacked By John McAfee And Crew

    Credit: John McAfee

    The reigning master of hacking and presidential campaign performance artist of our time, John McAfee, broke the news of his hack to Cybersecurity Ventures by phone that his team was able to demonstrate that WhatsApp messages between two cooperating researchers using compromised Android phones ... could be compromised. They breathlessly reported that:

    Cybersecurity expert John McAfee and a team of four other hackers, using their own servers located in a remote section in the mountains of Colorado, were able to read an encrypted WhatsApp message.
    While the fact that end-to-end cryptography could be compromised at either end should not be news to many here, we all should heed McAfee's warning:
    I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done. The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?
    Yes, John, yes you do.

  • Remotely Killing a Jeep on the Highway

    Credit: Charlie Miller and Chris Valasek

    They may not have been the first first, but in our not-so-biased opinion, Charlie and Chris wore it best. The car hacking papers from researchers at UCSD and UW just lacked sufficient... Andy Greenberg freaking out.

    This high-profile demo caused Chrysler to recall 1.4M vehicles in order to address the vulnerabilities that Charlie and Chris identified. More importantly, it demonstrated to the entire industry how expensive not properly securing smart vehicles' systems could be and that proper software security programs just might be a good idea.

  • Hacking a Linux-Powered Rifle

    Credit: Runa Sandvik and Michael Auger

    If a hacked and out of control car on the freeway doesn't scare you into never leaving the house, maybe a hacked precision-guided rifle will. Runa and Michael showed just how this nightmare scenario could come true. When asked why they'd hack a firearm, Runa replied: "Because cars are boring." Tell that to Andy Greenberg.

  • "60 Minutes" Hacking Your Phone with a Hacked Phone

    Credit: John Hering, Jon Oberheide, Adam Laurie, et al

    Engadget described a particularly hand-wavey demo thusly:

    At the beginning of this contrived little drama, Alfonsi is using an iPhone. You know how everyone and everything these days is telling you not to click links, download files or install applications you don't expect to receive? Well, he told her to do exactly that -- click, download, install his app -- with a text message he sent her. To do this in real life, she'd receive warnings, and she'd have to disable the security features on her iPhone. But in the next shot, suddenly our reporter is being spied on by Hering though an Android phone propped up on her desk.
    So, let's make sure that we got this straight:
    1. Turn on "Unknown sources" to allow your device to install whatever malicious app the horrible mobile porn sites you frequent decide that you need installed.
    2. Turn off "Verify Apps" so that Google can't scan those drive-by installed apps and inform you that they're all sorts of bad.
    3. When you receive a text message from an unknown number with a link to install an app, tap that link like you know you're supposed to with all suspicious links in unsolicited messages from unknown senders.
    4. When Android tells you that the app requires all sorts of ridiculous permissions to run, you tap "Yes, I am an adult and know what all of that meant" (even though you didn't).
    5. Now that you've given a total Internet Stranger (who tend to be stranger than IRL Strangers) complete access to your phone, act totally surprised when they use that access to your phone to access your phone.

  • Security Analysis of Emerging Smart Home Applications

    Credit: Earlence Fernandes, Jaeyeon Jung, Atul Prakash

    As long as you stay off the roads, you'll be safe from hacked cars. As long as you don't go outside, you'll be safe from hacked sniper rifles. As long as you turn off your smart phones, you'll be safe from it being tracked and hacked too. Just stay home, where you'll be safe from all of that insecure "smart" crap getting hacked... or not.

    These researchers from University of Michigan demonstrated how weaknesses in Samsung's SmartThings and SmartApps could be abused to plant backdoor door unlock codes, steal existing door unlock codes, disable home vacation mode, and trigger a fire alarm. All the attacker needs to do is trick their victim into installing a fake app and steal an OAuth token from an existing SmartApp. How to do that is left as an exercise for the reader, but maybe John McAfee or John Hering would be willing to help them out.

Pwnie for Best Branding

Sometimes the most important part of security research is how you market and sell the vulnerability you discovered. Who cares how impactful the actual vulnerability is, what matters is how sweet your logo turns out!

  • Badlock samba bug (CVE-2016-2118)

    Credit: Stefan Metzmacher

    Named vulnerability, logo, and URL, check. This is a Samba vulnerability found by a member of the Samba Core Team. I wish I got a logo everytime I fixed a bug in my code. They actually debate about whether they should have made a logo and a name for this vulnerability, but still went ahead. This vulnerability required network positioning to do a MITM or a denial of service attack.

  • Mousejack wireless keystroke injection bug

    Credit: Marc Newlin, Bastile's Threat Reseach Team

    This team didn't stop at the named vulnerability or the prostyle logo, they produced a 3 minute video outlining the threat of this issue. The video looks impressive including slow motion hacker walking and on screen typing. The voice over, pimping the Bastille team, is not as impressive. Basically, if you can get close to a target that is using a non-bluetooth wireless keyboard or mouse, and not have the victim look at their screen, you're golden. The movie highlights a victim on the phone but unaware of his computer screen while another victim leaves for coffee. Oscar award winning performances all around. This came in with a CVSS score of 2.9 which is about the same as not using a password manager.

  • MySQL crypto downgrade (CVE-2015-3152)

    Credit: Adam Goodman

    Duo Labs played it both ways. They made a website and logo for their vulnerability to make fun of websites and logos for vulnerabilities but also hoped to sells some duo accounts in the process. Well played for a cryptographic downgrade that needs an attacker right next to your MySQL server or, as they say, "adversaries with passive monitoring capabilities like the NSA". Everyone knows the NSA already has admin rights on your MySQL server.

  • SSLv2 Cryto attack (CVE-2016-0800)

    Credit: Aviram et al

    In this attack, mid-90's code that everybody supported (SSLv2) but nobody thought anybody used, turned out to be vulnerable. This allowed attackers to decrypt SSL sessions for servers which supported this old protocol. In a change from the ordinary, this website, along with catchy logo was created by a team of academic researchers. I always thought they were above such things. I guess when you have a paper with 15 authors, at least one wants to be like the heartbleed guys.

Pwnie for Epic Achievement (new for 2016!)

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn't possibly have predicted it by creating an award category that did it justice.

  • Threatbutt Danger Zone Incident Retort 2016 (CVE-20*-*)

    Credit: Threatbutt

    The world's leading Threaty Threat sub-Genius company, now in 10th year (in dog years), is reluctant to release it's first DZIR report. Working in close partnership with Kenny Loggins Security and their unique Intrusion Detection Highway platform. In the usual ground breaking and innovative way you've come to expect from Threatbutt, this year's data set is available online in full. Over at 170gb torrent. We hope you enjoy this report and we look forward to forcing some intern in to copy and pasting another one next year.

  • Mr. Robot

    Credit: Cjunky

    Marc Rogers aka CJ has revealed that he is one of the hacker consultants that designs the hacks for the TV Show Mr Robot. These are easily the most accurate hacks ever seen on TV. Mr Robot is probably the ONLY show that hackers and security researchers can watch witbout a feeling of dismay, embarassment and frustration. Not only is this a game-changer but it helps portray the world of hacking in a realistic way — possibly for the first time ever.

  • Department of Defence Bug Bounty

    Credit: Katie Moussouris

    After she moved mountains in order to make Microsoft launch their first security researcher amnesty, BlueHat Prize, and bug bounty programs, she really didn't leave herself much room to top that. Somehow she did, however, by somehow convincing the US DoD to let randos on the Internet hack them and then pay them for the privilege. Remember when you'd go to jail for hacking the Pentagon? The now is weird, but this is one example of a good way.

  • Never Giving Up and Never Letting Us Down (CVE-2000-A-BUNCH-OF-THEM)

    Credit: Tavis Ormandy

    He's no stranger to bugs. He knows the rules better than you or I. Remote code execution is what he's thinking of. You wouldn't get this from any other guy.

    We just want to tell Tavis how we're feeling. Gonna make him understand...

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • RAP

    Credit: PAX Team

    RAP is the result of our multi-years research and development in Control Flow Integrity (CFI) technologies by PaX. It ground-breakingly scales to C and C++ code bases of arbitrary sizes and provides best-effort protection against code reuse attacks with minimal performance impact.

  • Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector

    Credit: Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida

    Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 8.1 and Windows 10 operating systems. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system.

    In this paper, we demonstrate that the deduplication side channel is much more powerful than previously assumed, potentially providing an attacker with a weird machine to read arbitrary data in the system. We first show that an attacker controlling the alignment and reuse of data in memory is able to perform byte-by-byte disclosure of sensitive data (such as randomized 64 bit pointers). Next, even without control over data alignment or reuse, we show that an attacker can still disclose high-entropy randomized pointers using a birthday attack. To show these primitives are practical, we present an end-to-end JavaScript-based attack against the new Microsoft Edge browser, in absence of software bugs and with all defenses turned on. Our attack combines our deduplicationbased primitives with a reliable Rowhammer exploit to gain arbitrary memory read and write access in the browser.

    We conclude by extending our JavaScript-based attack to cross-process system-wide exploitation (using the popular nginx web server as an example) and discussing mitigation strategies.

  • A2: Analog Malicious Hardware

    Credit: Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, and Dennis Sylvester

    While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party— often overseas—to fabricate their design. To guard against shipping chips with errors (intentional or otherwise) chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.

    In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip’s functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor. We implement this attack in an OR1200 processor and fabricate a chip. Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses.

  • Blinded random corruption attacks

    Credit: Rodrigo Branco and Shay Gueron

    An attacker who has physical access to a computing platform, and the means to read and modify the memory contents, can be a serious security threat. The ability to passively read memory compromises secrets that reside thereon, and the ability to actively modify memory can be used for circumventing the platform's policy/security mechanisms. Blocking arbitrary memory access mitigates such risks, but this is not always enforceable or desirable. Memory integrity mechanisms detect active tampering, and memory encryption protects data confidentiality. As a byproduct, encryption also diminishes the precision of active attacks, because it limits the attacker to only Blinded Random Block Corruption (BRBC) attacks. He can modify some unknown value (ciphertext) on the memory in an attempt to leverage the consequences that would occur when the CPU ends up using a randomly corrupted block of (decrypted) data. It is therefore tempting to hope that encryption-only is a “practical” defense against an active attacker, although it provides no theoretical promise for integrity. This paper argues that an attacker with arbitrary memory capabilities can succeed with BRBC attacks if the memory does not have integrity protection. Under such assumptions, we demonstrate a BRBC attack that gains administrator privileges on a locked system. This articulates the value of protecting memory integrity in cases that the system cannot deny arbitrary memory access from the potential attacker.

  • Exceptions in Exceptions - Abusing Special Cases in System Exception Handling to Achieve Unbelievable Vulnerability Exploitation

    Credit: Yang Yu (@tombkeeper)

    Memory Read / Write / Execute attributes are one of the most important part of system security. Usually it is mandatory to have writable attribute set before overwriting a block of memory, and executable attribute set before executing code in a block of memory, otherwise an exception is generated. However, there are some special cases in the Windows exception handling procedure that we can take advantage of. By abusing such exceptions, we could write to the unwritable, and execute the unexecutable.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.

  • "PatchDoor"

    Credit: RoundCube

    Keeping pace is important to stay relevant in the technology world, where everything moves so fast. Vroooom. So when a researcher reports a textbook memory corruption bug (aka dinosaur bones) in your native-code PHP module, it's important to show them thay you're keeping up with the changing times. Swap out those hammer-pants strcpy bugs for 2001's dankest bug class--improperly escaped user-supplied command arguments--and rest assured that your routers's LEDs will keep the party lit fam.

    OK, real talk: we shouldn't be shocked that RoundCube decided to swap out the correct escape function, even if the fix only required a size check (which itself appears off-by-one from the screenshot, introducing a new non-NULL-termination bug, but that's none of our business though). In reality, the name RoundCube should have been a strong indicator that they're probably not the greatest at reasoning. We remain excited to see what new creative shapes of attack surface they make next!

  • "WD MyPassword Drive"

    Credit: Western Digital

    Western Digital is no stranger to redudancy in the context of data integrity, and they're not cutting any corners in applying those lessons to their cryptographic failures. Their firmware is rich with layers of keys resting adjacent to ciphertext, like a matryoshka doll of plaintext surprises. The most impressive part is that you don't need to be a firmware extraction connoisseur to benefit from the rewards of their abundant "data recovery" options; take comfort in knowing that the keys themselves are actually just redundant copies of a 32bit rand() value repeated over and over, making the keys impossible to lose!

    In response, the good folks at WD "continue to evaluate the observations", possibly the most indecipherable output they've ever produced.

  • MissingPoint

    Credit: TrackingPoint

    The vast range of bad puns loaded into this one makes it hard to gauge what to keep in scope, but we'll give it a shot. Two researchers popped shells on a Linux-enabled gun, drawing the attention of Wired to their high caliber work. This magazine coverage triggered the Vendor into posting a short-sighted statement about the requirement of physical proximity to interface with the gun's WiFi. The vendor response was more-or-less that everything is cool so long as "you are confident no hackers are within 100 feet". Having their fears eased by the vendor's response, the affected users put their super-secure Android network-bridges phones back in their pockets and carried on shooting.

Pwnie for Most Over-hyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

  • Stagefright (CVE-2015-1538)

    Credit: jduck

    MMS vector was hyped to the ends of the earth and back, yet completely ignored the existence of ASLR, and good luck info leaking. It is effectively unexploitable on any device after 2012. Logo, articles, interviews, and they literally bought ad space on news sites. One year later it is still being talked about.

  • Badlock (CVE-2016-0128)

    Credit: Stefan Metzmacher

    Countdown timer, logo, website, and excessive Twitter/media hype all for a Denial of Service bug.

  • Linux Keyring Reference Leak (CVE-2016-0728)

    Credit: Perception Point

    Claimed that it affects 66% of all Android phones while it was non exploitable due to SELinux. Further it would take hours to actually exploit the bug.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • "Accepted the Risk"

    Credit: HostUnknown

    This is a song about the business incentives to accept risk rather than mitigate it, sung from the viewpoint of a lazy CISO. The creators achieve this by borrowing the beat and basic song structure from Afroman's "Because I Got High", without stealing other elements from the original, such as rhyme and melody.


  • "The Geek Song"


    This pop song celebrates the merits of being geeky, dispelling geek shaming, and highlighting the success potential of working in technology. Even though the song isn't really about security, it has a compelling video which really sells the listener on believing that with enough hard work, anyone can make money as a Black Eyed Peas knock-off band doing cheesy corporate promotional videos.


  • "Cyberlier"

    Katie Moussouris

    This cover of Sia's "Chandalier" was the keynote of Kiwicon 2015, where it was combined with interpretive dance to artistically summarize the deep geopolitical tensions surrounding cyberwar, attribution, and the Wassenaar Arrangement (maybe?).


  • "Root Rights are a Grrl's Best Friend"


    This singing and piano track tells of the timeless value of having root rights to your machines (and really, no machine is yours without them). This song was delivered as a specially crafted polyglot in PoC||GTFO 9, which you can find here. If the idea of downloading a WavPack + PDF polyglot sketches you out, you can listen to the song as a super legit MP3 (safer), which we have made available here.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

It turned out that 2015-2016 was the first year that everyone everywhere won at security all year round. Either that or the Internet didn't give us enough good nominations for this category. It's most probably the first one, though.

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

  • Alex Ionescu

    Alex is a OS/kernel engineer and systems architect who actually understands how things should be built. He is a co-author of the seminal Windows Internals book series and teaches ongoing seminars around the world. Alex is often the first to publish highly technical details on major security-relevant architectural changes to Windows. Rumor has is that Alex recently turned 30, which technically means he may not yet be qualified for a lifetime achievement award, however someone said something about him leaving the industry and we agree this nomination might stop that from happening.

  • Jayson Street

    With over 20 years evolving from network security administrator to pen tester to educator and influencer, Jayson remains committed to educating the public on our industry, hacker culture and why folks should care. He is a regular presenter at industry conferences, has written books such as “Dissecting the Hack”, and continues to influence our industry (and others perceptions of it) via his sites,, and probably some other letter/number’s.

  • Elias Levy

    In 1996 Aleph One published Smashing The Stack For Fun and Profit and launched a thousand careers in bug hunting, pen testing, and decent old school offense. Many of us formed our day to day routine around his mailing list, bugtraq, which was later commercialized and sold to Symantec. At that time Aleph1 moved to defense and product development with Symantec and later Sourcefire, but continued to shape industry as an editor with CVE and IEEE. Elias continues to maintain appearances as a solutions-driven engineer now with Cisco, but we all remain grateful to know his true roots are in blackhat-mindedness and fundamental disclosure.

  • Mudge

    Peiter C. Zatko, one time L0pht frontman and author of fundamental hacking tools including L0phtcrack is a long-time vulnerability research educator and influencer. He is well known for leading L0pht’s 1998 senate testimony about the end of the world as we know it, which ended up with the US Govt trusting this hacker enough to allow him to control DARPA’s cyber security program. Like most security researchers Mudge also did his time at Google, but has since returned to the beltway to help establish a cyber consumer reports magazine service, apparently by request of the White House.

  • Marc Rogers aka CJunky

    Whitehat hacker, security evangelist, TV producer, author, and old school Head of Security, this infosec and communications expert shares real world experience with the mainstream and shapes the hopes of future infosec professionals all over the world. DEFCON Director of Security since 1999 and Head of Security since 2014, this is who you’ll be dealing with when your ATM hack fails and/or the FBI start requesting your packets. Marc’s roots as a network administrator in the 90’s allowed him to move into security management then back to research through a variety of roles over the past two decades. One of the pillars of our industry and scene.

  • James "Myrcurial" Arlen

    Consultant, CISO, advisor and analyst for over the past twenty years, James has helped shape industry and best practice around infosec policy, process, procedures and best practice. His skills span technology analysis and business savvy, which means he can do important grown up things like shape standards and influence media. He probably does all this so that you don’t have to. So say thank you.

  • Felix 'FX' Lindner

    FX is an expert reverse engineer, security architect, and vulnerability researcher. He has been presenting at Blackhat and all the usual cons since 2001 and is basically one of the industry’s classic rock stars. As well as breaking, FX is a computer scientist with telecomms and software development skills, which means he’s also useful in the real world. He even has a CISSP.

  • The Grugq

    Noted researcher and industry commentator for over 15 years, Grugq rarely makes an appearance State-side. Grugq started his career at a Fortune 100 company before transitioning to @stake, where he was forced to resign for publishing a Phrack article on anti-forensics. Since then he continued to disrupt in traditional blackhat style, via work as a professional penetration tester, developer, and full time security researcher. After a failed career suicide attempt (by telling journalists how it really is) Grugq continued to lead opinion and cyber-thinking, sometimes by sharing his research around counterintelligence and the intersection of traditional tradecraft and the hacker skillset, and other times by reminding us of lessons we already learned but forgot.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Weev PrinterGate

    Credit: Weev

    Thousands of unauthenticated, open printer ports exist reachable on the Internet. And Masscan exists. And a bored neo-Nazi exists. Of course Weev could have done more than send just a page advertising DailyStormer to each of these printers - he could have sent firmware updates. On one hand, these (mostly University) printers got an education in Information Security. On the other hand, sometimes sending swastikas to random people who don't share your ideology of hate is not that funny even if it does let you use angry messages on Twitter as a way to find out when your attack worked.

    There's no CVE for this issue because CVE is dead.

  • Ubiquiti "Mother Fucker" worm

    Credit: Unknown Worm Team

    Reading Ubiquiti's support forums allows for laughing at their attempts to update their ISP customers on which firmwares will have the fix as their customers struggle to update hundreds of thousands of customers. Entire country blocks were owned and had their router username/passwords changed to mother/fucker. This mostly affected certain South of America countries, which is probably why you don't know about it.

    There's no CVE for this issue because CVE is dead.

  • The DAO Heist

    Credit: Some Cryptocurrencies Dweebs

    Understanding cryptocurrency politics is harder than breaking them, it seems. In case you aren't familiar with this case, someone did some work to find vulnerabilities in the language some people have put a hundred million dollars into, as if the lessons on LangSec of the past decade haven't taught us "smart contracts" are a hilarious idea.

    There's no CVE for this issue because CVE is dead.

  • The Juniper Backdoor

    Credit: Some Bad Ass Motherfuckers

    Backdooring cryptographic routines makes them fragile, especially when you are trying to hide said backdoor as a neat coincidence between leaking a lot of key data, failing to use the normal default Q value, and just generally sucking at security engineering. We're not saying Juniper was backdoored to start with, we're just saying, hey, what a neat coincidence, and we respect the amount of work that went into that coincidence.

    And the genius of the hackers who REBACKDOORED the backdoor is that all they had to do is change one simple number, the fake Q number, and nobody even noticed, because "Hey, we can't decrypt that stream? Whatever. More where that came from." is the standard SIGINT response.

    Then later, they added an admin/password backdoor, just in case they didn't have passive collection around a site, and wanted to get more active access.

    Hat's off to you, unknown (Russian) hackers.

    There's no CVE for this issue because CVE is dead.

  • Stealth Falcon

    Credit: The UAE Government

    This campaign had everything. Malicious URL Shortening site? CHECK. Word Document Macros? YESSIR! Fake Journalists? HOAH! PowerShell, the language time forgot? AFFIRMATIVE! Excessive Footnotes to appear "researchy"? CHECK AND DOUBLE CHECK.

    Everyone gets excited that there were arrests possibly related to this effort. Keep in mind, when thinking about human rights issues, it's the arrests themselves that you want to protest, and not the hacking teams.

    There's no CVE for this issue because CVE is dead.

  • RansomWare

    Credit: Eastern Europe and Russia Businesses. The cryptocoin community.

    Nothing says "legitimate financial instrument" better than your cryptocoin being used primarally as a blackmail device. Nevertheless, we have to give kudos to whoever in the "online backup" community has been funding these innovative security businesses which are only slightly more fishy than traditional AV.

    There's no CVE for this issue because CVE is dead.

Nominations opened.
Nominations closed.
The list of nominees is announced.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 8th 2018
where BlackHat USA 2018, Lagoon JK (Level 2), Mandalay Bay, Las Vegas