Pwnie Awards 2017

Pwnie for Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • CVE-2017-0143, 0144, 0145

    Credit: NSA's Equation Group (?)

    These vulnerabilities allow arbitrary remote command execution on Microsoft Operating Systems running the SMB file sharing protocol, which is pretty much all MSFT systems. The vulnerabilities became known as a result of the Shadow Brokers release of (allegedly) the NSA's ETERNAL* exploits, which include variations for different OS versions and functions. Multiple ransomware platforms have taken advantage of these vulnerabilities, causing Microsoft to release patched for unsupported systems such as Windows XP.

Pwnie for Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Microsoft Office OLE2Link URL Moniker/Script Moniker (CVE-2017-0199)

    Credit: Ryan Hanson, Haifei Li, Bing Sun, Unknown Hackers

    In an instance of parallel discovery, two different flaws were identified in how Microsoft Office handles linked OLE objects. CVE-2017-0199 refers to both issues, the first related to the URL Moniker, which can be used to load arbitrary HTA payloads via OLE (and RTF) documents, and the other to the Script Moniker, which can be abused in PowerPoint documents via custom actions. Haifei Li reported the Script Moniker vector and Ryan Hanson the URL Moniker while an unknown party was actively exploiting the URL Moniker issue with spear phishing attacks.

    These bugs were interesting from a timing perspective (at least three different folks discovering them in parallel) and due to the fact that they were perfectly effective against Windows 10 and Office 2016, bypassing all memory-based attack mitigations. Since the publication of these issues, both vectors have become favorites of penetration testers and random blackhats alike.

    Haifei Li & Bing Sun's presentation at the SYSCAN360 Seattle conference pointed out that Microsoft's patch may not be complete, as it blacklists two COM controls, but exploitable may be possible through third-party controls instead.

Pwnie for Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

    Credit: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida

    Mobile computing row hammer attacks (MC Hammers, for short) are terrifying. You can't touch them and can only hope that, please, they won't hurt you.

Pwnie for Best Cryptographic Attack (new for 2016!)

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.

  • The first collision for full SHA-1

    Credit: Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov

    The SHAttered attack team generated the first known collision for full SHA-1. The team produced two PDF documents that were different that produced the same SHA-1 hash. The techniques used to do this led to an a 100k speed increase over the brute force attack that relies on the birthday paradox, making this attack practical by a reasonably (Valasek-rich?) well funded adversary. A practical collision like this, moves folks still relying on a deprecated protocol to action.

Pwnie for Best Backdoor

Awarded to the researchers who introduced or discovered the most subtle, technically sophisticated, or impactful backdoor in widely used software, protocols, or algorithms.

  • M.E.Doc

    Credit: Totally Not Russia

    To prepare their taxes, folks the world over install janky software developed for a captive market of their nation's tax laws. In Ukraine, accountants who installed M.E.Doc received a backdoor in the gig and a half of their full installation. The backdoor used M.E.Doc's own servers for command and control, allowing the network operator to target commands to publicly known tax identification numbers! And yes, this is the alleged patient zero for the NotPetya ransomware that appeared in June, just before Ukraine's Constitution Day.

Pwnie for Best Branding

Sometimes the most important part of security research is how you market and sell the vulnerability you discovered. Who cares how impactful the actual vulnerability is, what matters is how sweet your logo turns out!

  • GhostButt

    Credit: Atlassian Security Team

    Ghostbutt (CVE-2017-8291) has it all, a website, a clever logo, made even cleverer byhaving the logo be the exploit and, of course, the use of the -butt suffix (ala threatbutt). It doesn't have a online store, but[t] it does have a song.

Pwnie for Epic Achievement (new for 2016!)

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn't possibly have predicted it by creating an award category that did it justice.

  • Federico Bento


    Exploits possible due to an ioctl named TIOCSTI have been documented by luminairies such as Theo de Raadt since the 80's, but the work of Federico Bento may well have finally influenced the powers that be to put their weight behind addressing it. TIOCSTI allows unprivileged users to insert characters into the terminal's input buffer allowing easy unprivileged to privileged escapes. Federico has been reporting a stream of vulnerabilities based on TIOCSTI, and subsequently OpenBSD, SELinux, Android, and grsecurity have finally acted to remove, block or restrict its use.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • ASLR on the line

    Credit: Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida

    Exploit writers have been bending over backwards to try to defeat ASLR for the better part of a decade. Usually this requires finding some soon-to-be-patched memory disclosure bug. Of course this is a hard job and needs to be repeated for different browsers/plugins/versions/etc. Then these guys come along with a universal ASLR bypass based on timing of the caching of memory access. Of course this works using Javascript in most browsers by default and isn't really something you can fix very easy. Seems too easy, I think I'll keep looking for infoleaks like a real hacker.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.

  • SystemD bugs 5998, 6225, 6214, 5144, 6237

    Credit: Lennart Poettering

    Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!

Pwnie for Most Over-hyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

  • Enter 30 to shell - Cryptsetup bug (CVE-2016-4484)

    Credit: Hector Marco and Ismael Ripoll

    A vulnerability in the way cryptsetup unlocks LUKS encrypted partitions allowed attackers with physical access an initrd shell. This may allow an attacker to load some non desired OS or delete data. For very special machines, like ATMs, kiosks, etc, this might be a problem.

    This attack was covered in threatpost and slashdot. However, even the slashdot commenters, in their great wisdom, figured out that it wasn't a big deal.

    Not hyped excessively but does require physical access and doesn't even get you real shell.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • Hello (Covert Channel)

    Credit: Manuel Weber, Daniel Gruss (et al)

    As a cover of Adele's Hello, this song added an extra element of stagecraft to a presentation on a cache-based covert channel, in both describing the attack and being the content delivered over the covert channel.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Laws Down Under

    Credit: Government of Australia

    Everyone wants to stop criminals. In a legislative effort to force vendors to hand over the plaintext contents of encrypted communications, Prime Minister Malcom Turnbull was confronted with the pesky laws of mathematics; that is, that with properly implemented crypto, no one, including vendors, could simply decrypt the user data. Turnbull replied "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia". Finally, some progress in the war on math!

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

  • Felix "FX" Lindner

    Describe ...

    FX has been around forever, in the most positive sense of the phrase.

    He is the epitome of 'applied' security research. Where the work he has shared as an individual, with Phoenolit, and at his co mpany Recurity,. all share the characteristics of being tremendously applicable in the real world.

    FX is an expert reverse engineer, a security architect, and a prolific vulnerability researcher across a range of technical ar eas ranging from datalink and network layer exploitation all the way to presentation and application (Blitzablieter anyone?).

    Similar to another famous hacker group, FX reached out to government in his country and where the government was doing things in the best interest of it's citizens (including hackers), FX helped to educate them so they could make more informed decision s that would have greater benefit for all.

    Felix is always willing to share his knowledge, mentor others, and support and contribute to the evolution of 'the security re searcher'.

    Last year, Felix suffered an aneurysm and is continuing his trek towards recovery. The security field owes a lot to you FX. We miss you. Get better soon!

    PS - he even has a CISSP, and yet here we are still considering him for this award. That tells you how awesome FX really is <wink>!

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

There was a tie for the winner this year. We'll let them sort it out amongst themselves.

  • WannaCry

    Credit: North Korea(?)

    Shutting down German train systems and infrastructure was Childs play for WannaCry. Take a legacy bug that has patches available, a leaked ("NSA") 0day that exploits said bug, and let it loose by a country whose offensive cyber units are tasked with bringing in their own revenue to support themselves and yes, we all do wanna cry.

    An Internet work that makes the worms of the late 1990s and early 2000s blush has it all: ransomware, nation state actors, un-patched MS Windows systems, and copy-cat follow on worms Are you not entertained?!?!?

  • Shadow Brokers dumps

    Credit: Russia. Straight up: Russia...

    Right before the NSA could launch an attack against Russia as payback for actions that had been identified during the presidential election (and probably payback for some other things we aren't allowed to know), they get iced. Kapow! Out of the blue comes a "hacking group" claiming to have the Fort's full kit!

    What would you do? Either the Shadow Brokers are bluffing (and they dumped just enough of the kit that they may not be), or you are walking into a trap because someone out there has part of your playbook!

    Part of this nomination goes to Shadow Brokers for having the kit in the first place, the other part of this nomination goes to the delivery, timing, and false flag auction.

    Welcome to behind the green door and a glimpse at the great game everyone!

    Bonus points for subsequent ransomware worms lifting parts of the released kit.


The Pwnie Awards were sponsored this year by Senrio, who commissioned Vivien Masters' Pwnie works of art this year.

Nominations opened.
Nominations closed.
The list of nominees is announced.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 8th 2018
where BlackHat USA 2018, Lagoon JK (Level 2), Mandalay Bay, Las Vegas