Nominees for the 2018 Pwnie Awards
Pwnie for Best Server-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Remotely owning mailservers is what old school Unix hacking was always about. Meh Chang showed us how it was done this year by triggering one-byte overflows, making fake chunk headers, extending chunks, freeing chunks, overwriting next pointers, and all the good stuff we know and love since the Vudo malloc tricks paper in Phrack showed us the ways of the dark side.
Why does it take 14 people on the Drupal core team to fix one bug, and not even correctly? Drupal and its insane sibling Joomla are responsible for running more websites than the Florida crab spider.
Aside from Kink-shaming their own developers, Drupal is known for the incredible masochism of writing their entire framework in PHP. Luckily any server running Drupal is probably being managed by a coordinated group of crypto-miners now, which is part of their total value proposition.
Steam has the kind of market penetration that even Microsoft is envious of. Remember that one time you installed Steam on your work laptop so your nephew could play Wheely during the flight instead of alternately kicking you in the back and crying the entire way? Well, luckily for you it also had a complex but highly reliable RCE in it which Tom was happy to outline in great detail for everyone even though Steam patched the bug in 8 hours after he told them and Steam auto-updates and so now the bug is sadly useless.
A ten year run of a great bug though. Steam is totally secure now, unfortunately.
HP iLO and Dell iDRAC multiple RCEs (https://vimeo.com/261547570)
Luckily, 2018 is the year of Linux on the Desktop, assuming your desktop is a high end server of some kind. HP and Dell include "Integrated Lights Out" Management, which in theory you connect only to a separate management VLAN which you...somehow manage. This is great because it means once you are on one machine, you can use its iLO to touch every other iLO. Or, as in most cases, the management network will be on the same network, so you can just touch them directly, and since baseboard management controllers are tiny embedded Unixes running web servers written by the lowest possible bidder, vulnerabilities abound, from sending lots of A's to race conditions.
These exploits have the benefit of "Working in the wild" on "lots of people's Active Directory controllers".
Intel fails to understand how strncmp works in a critical piece of authentication code that runs at the hardware level on their chips, which the entire community told them was probably a bad idea, but thanks to monopoly power and basic economics, they did anyway. The exploit, for those of you who forgot how Digest Authentication works, is to send exactly nothing to the user_response, since any two zero length strings are pretty equivalent.
This lets attackers read and write files, change boot settings, and otherwise do things to the computer even your NEXT GENERATION ANTI-VIRUS (with 100% zero day protection!) can't hope to prevent.
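The zero-length comparison described above, as an added example that is not Intel's code or part of the original page: a flawed check beside a hardened one. The function names, the sample digest and the assumption that the compare length is taken from the submitted value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* An HTTP Digest response is an MD5 digest rendered as 32 hex characters. */
#define DIGEST_HEX_LEN 32

/* Constructed sample value standing in for the server-computed response. */
static const char SAMPLE_EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Flawed (assumed shape of the misuse): the compare length is taken from the
 * submitted value. An empty user_response gives n == 0, and strncmp() over
 * zero bytes returns 0, so the check passes. Any prefix passes as well. */
int check_response_flawed(const char *expected, const char *user_response)
{
    size_t n = strlen(user_response);
    return strncmp(expected, user_response, n) == 0;
}

/* Length of s, reading at most max + 1 bytes; max + 1 means "too long". */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened: both values must have exactly the protocol's fixed length before
 * any bytes are compared, and the compare does not exit early on a mismatch. */
int check_response_hardened(const char *expected, const char *user_response)
{
    unsigned char diff = 0;
    size_t i;

    if (expected == NULL || user_response == NULL)
        return 0;
    if (bounded_len(expected, DIGEST_HEX_LEN) != DIGEST_HEX_LEN)
        return 0;
    if (bounded_len(user_response, DIGEST_HEX_LEN) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ user_response[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: empty, prefix, wrong value, correct value. */
    const char *inputs[] = {
        "", "0123", "ffffffffffffffffffffffffffffffff", SAMPLE_EXPECTED
    };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("response=\"%s\" flawed=%d hardened=%d\n", inputs[i],
               check_response_flawed(SAMPLE_EXPECTED, inputs[i]),
               check_response_hardened(SAMPLE_EXPECTED, inputs[i]));
    return 0;
}
```

A regression test for this class of bug should include the empty string and a short prefix of the correct value, since both pass the flawed check.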
Pwnie for Best Client-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
Surprise! CRLF injection can be more than the lame type of vulnerability that you put in your report because you didn't find anything real. This fun bug is in SOAP WSDL parsing and results in remote C# code injection. The bug affects every version of the .NET Framework released since 2002 and can be triggered through WSDL parsing invoked through MS Office or any Microsoft application with a type handler.
The 12 Logic Bug Gifts of Christmas
(Sing along to the tune of "I would walk 500 miles" by the Pretenders)
But I would exploit 6 logic bugs, and I would exploit 6 logic bugs more, just to be the guys who exploited 12 logic bugs, when we also could have used less than four (memory corruption bugs).
The Microsoft Equation Editor (EQNEDT32.EXE) has apparently been frozen in time since 2000, rocking out to Creed, and not utilizing a single one of the numerous exploitation mitigations invented since then. Apparently, it didn't get the memo about how that's not cool anymore. And also that mitigations are a good idea.
The researchers at Embedi discovered this bug and developed an exploit for it that affects all versions of Microsoft Office and Windows versions released over the last 17 years, taking it higher to the place where blind men see.
You may also enjoy this short tutorial video on how to check for updates and launch calculators on many versions of Windows.
Yo dawg! I heard that you like clients, so I made your server a client too so that it can be vulnerable to client-side vulnerabilities.
DynoRoot is a shell command injection vulnerability in RedHat's DHCP client scripts in RHEL 6 and 7. It's Redonkulously Simple (TM) to exploit once you're already on the same subnet as the target server. At which point, you have already pretty much won, haven't you?
The Google Pixel phone had previously enjoyed a peaceful life as the only mobile device that had not been pwned in Mobile Pwn2Own. That is, until 360 Alpha Team's Guang Gong exploited an RCE bug in V8 chained with a privilege escalation in Android's libgralloc. The V8 vulnerability was an exploitable race condition between the verification of a WebAssembly program in a SharedArrayBuffer and when the WebAssembly program was copied out of that SharedArrayBuffer to be run. By creatively modifying the WebAssembly program from a web worker, an attacker can cause unsafe WebAssembly to be executed and turn this into RCE for fun and profit.
This is a vulnerability in client-side network protocol parsing on Windows, which luckily only affects modern Windows boxes using the obscure protocol "DNS". There's a special sense of irony in the bug being in the DNSSEC implementation, which otherwise protects the internet from hacking. We're not sure what Microsoft is doing with SAGE these days, but it's probably not fuzzing DNS, given that this nominee is actually three bugs in the same basic block.
Pwnie for Best Privilege Escalation Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
waitid (CVE-2017-14954, CVE-2017-5123)
If there's one thing we can all agree on, it's that it just isn't the best priv esc category without a great Linux kernel bug. To make matters worse, there was an arbitrary write in the same syscall, because of the Linux kernel's There's More Than One Way To Exploit It design philosophy.
Meltdown and Spectre
I think we all knew that Spectre and Meltdown were going to get nominated for Best Priv Esc bugs this year. These gamechanging processor flaws changed the game for vuln release, and absolutely ruined IT staff's first week back from the holidays. Based on how the industry responded, Meltdown was more presciently named.
A set of DMA-based Rowhammer attacks against the latest Android OS, including the 2018 version of the DRAMMER root exploit. Rowhammer is starting to be like the shingles of information security. Just when you think you can't be affected by it again, it comes back like a thousand spider bites.
backboardd Double free()
CVE-2017-7162 is a double free bug on a single IPC interface in backboardd on iOS. To exploit it, it is necessary to fill in the freed memory in between. The time window between the two frees doesn’t look good at first glance. KeenLab found a neat way to make the time window controllable, and they reliably exploited the bug. The bug is also in the chain of the successful WiFi pwn done by KeenLab at Mobile Pwn2Own 2017.
Holey Beep (CVE-2018-0492) is the latest breakthrough in the field of acoustic cyber security research. At least, that's what this submission's crappy website said. We were ready to delete this one, but upon further reading, it's a fun race condition that abuses both signal handlers and uninitialized memory to achieve an arbitrary write. Also, pretty impressive that they had the audacity to submit a /usr/bin/beep flaw when Spectre and Meltdown were clearly going to be on the list.
Pwnie for Best Cryptographic Attack
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels
When you were young, just getting into the field, armed only with uuencoded temp file race exploits and a ragged blue edition of Applied Cryptography, this is the attack you dreamed someday you might put your name on: you straight-up broke PGP.
But time went on, life happened, you got big into deserialization attacks and but for a midlife crisis barely avoided becoming a web app security person. You stopped listening to Sublime, Soul Asylum broke up (please tell me Soul Asylum broke up) and somewhere along the line you stopped thinking about PGP. You let go of your dreams and they floated away.
But not the Münster and Ruhr security teams. They held on. While you rolled your eyes at mailing list posts and tweets about PGP problems, they took notes. They ran experiments. And eventually, they figured something out: the PGP email encryption, it’s a not so good, eh? Nobody could have predicted it, but it turns out sending rich HTML messages over an encryption protocol designed in the phlogiston era of cryptography wasn’t a great plan.
It’s a great attack and a great paper, full of gritty implementation details. They’re capturing messages, flipping bits in them to inject live content, working their way past DEFLATE compression, and in the end breaking most PGP email clients. The various PGP projects lost their minds over this. It was a sight to see.
The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli
Couple years back, a team at Masaryk University gathers a collection of RSA implementations and sets out to figure out if they can “fingerprint” an RSA key to determine what implementation generated it; like, is a Feitian RSA key observably different than a BouncyCastle key? It turns out that, in the large, sure, you can apparently do that; in fact, you can do it only with public keys with decent accuracy; you can look at, like, a PGP key and determine that it came from OpenSSL or whatever. Who cares, this isn’t the important part.
The important part is that while they did that work, they noticed something funky about one of the RSA implementations. They started generating plots of the space of crypto primes different RSA’s generated. All the RSAs generated different plots. But Infineon’s RSA generated a weird plot, with very constrained primes.
Nobody thought much about this, until a year later the Masaryks came back with a new paper. While we were all wasting time studying supersingular curve isogenies, they were figuring out what was going on with that Infineon RSA generator. And what they found out was not great: Infineon had taken a shortcut for their crypto processor RNG, and if you know some linear algebra, how to reduce a lattice basis, divisors in residue classes, extended linearization, and the implementation pitfalls of Joye–Paillier generators, you can factor an Infineon RSA key using EC2 instances.
This wouldn’t be a big deal except that, wait, no, it’s a huge deal, because Infineon chips are all over the place, from national voting ID cards to Yubikeys. You did replace your Y4, right? Because the Masaryks broke your Y4 key.
We are informed reliably by the community of IOTA token owners on Twitter of the following important facts:
Because of the unique challenges of operating in the space of cryptographic tangles it is necessary to compute using balanced ternary, with trits and trytes instead of bidgets and bytes. 3 is closer to the universal optimum 2.71 than is 2. Balanced ternary is the future, and so the cryptocurrencies of the future need a hash function optimized for their number system. Only IOTA (ticker: MIOTA) provides that today, with its proprietary Curl hash.
There is no truth to the claims of Heilman and Narula that Curl could be broken using a cryptanalysis technique discovered in the 1970s and taught to college sophomores. Curl is not vulnerable to differential cryptanalysis. It is not trivially possible to generate practical collisions for messages of the same length. The paper Heilman and Narula wrote was irresponsible and sensational and they should be disgraced publicly. Heilman and Narula did not send the IOTA team valid payments that pay different amounts but hash to the same Curl value. Even if they did, the IOTA team knew about those vulnerabilities all along. Obviously, Heilman and Narula paid Black Hat to present their research there. Hopefully, the IOTA foundation will pay more to present their side next year.
IOTA prices are rallying, building on current gains, poised to pop, outperforming another top 10 cryptocurrencies rated by market value as per CoinMarketCap. Buy now!
Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
FOR FUCK’S SAKE STOP REUSING NONCES.
Return Of Bleichenbacher’s Oracle Threat
Consider Hanno Böck’s M.O.: you’ve got some extremely basic cryptographic vulnerability that no academic team is paying attention to anymore, because who could be stupid enough to have that problem anymore? Hanno takes the guesswork out of this and just asks the Internet: is it possible that people are actually running web servers that use zero as their AES-GCM nonce? And, long story short, later that year Hanno and Sean Devlin are on stage at Black Hat giving a talk whose slides are hosted on the website of an unsuspecting GCHQ. This is just how Hanno works.
So, at some point last year, Hanno and friends decided to ask the Internet another question: do web servers really still have RSA padding oracles, the kind Daniel Bleichenbacher discovered back in 1998? It’s 20 years later! We’ve dealt with that problem by now, right?
And the result is a Bleichenbloodbath.
They’re publishing documents signed with Facebook’s private key (not once, but twice, breaking Facebook’s fix for the bug). They’ve killed the RSA on F5 Big-IP boxes. Does anyone still use Radware? I guess they do, because the ROBOT team broke those. Citrix, too. Cisco’s ACE boxes are broken — Cisco won’t fix them, mind you, because they’re out of support now, but, oh shit, hold on, CISCO.COM is vulnerable too! Paypal’s vulnerable! A chunk of the Alexa top million. BouncyCastle breaks. The custom non-OpenSSL libraries like WolfSSL and MatrixSSL break. Erlang is broken. Cavium is broken. Unisys ClearPath MCP is broken! The MCP! It’s bananas.
The paper is bananas, too. They came up with and released an efficient scanning technique to spot BB’98 flaws, and in developing it discovered a bunch of new tricks for spotting BB’98 in TLS implementations. They released the scanner on GitHub. And a test tool on their website. And a CTF.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
VU has consistently delivered low-level attack research, and proves they are too legit to quit when it's hammer time. Extending on the premise of the game-changing rowhammer, these researchers weren't even remotely a bit flippant about flipping a bit remotely. This research explores exploiting rowhammer across the network (server-side!), taking RDMA and making it UR-DMA.
Stealing carbon credits is so mid-2000s, but now blockchain technologies make hacking-for-cash a reality we can all enjoy! This research presents an approach for modeling Ethereum contracts for symbolic analysis, and provides examples to show the possibilities of applying SMT solving against Solidity programs. As program complexity often makes this sort of analysis impractical, this paper posits that ~~stealing digital currency makes it worth the effort~~ the simplicity of the Ethereum VM makes smart contracts eligible for real-world application of symbolic analysis.
Remember when ASLR stopped exploitation? Neither do we, but we definitely did not anticipate this new era of hardware-based memory disclosure oracles. Given the overwhelming amount of possibilities opened up by flirting-up branch predictors and measuring cache retrieval, there have probably been new variants of Spectre announced since you began reading this sentence. Don't mind the sound of the fans humming as you read, and thank you for visiting the Pwnies nominations page!
The folks at VU might be on to something. This research presents a side-channel against the TLB, which cannot be partitioned between processes in software (by application or OS). The provided example employs machine learning and a tiny bit of brute forcing to determine a complete 256-bit EdDSA key being used by a concurrent hyperthread, truly ahead of the curve.
Seriously VU, stop breaking everything. You know what's better than microarchitectural attacks? IC-enhanced microarchitectural attacks. This work exploits the mechanics of a GPU cache eviction to throw shade on side-channel and rowhammer mitigations, rendering the defenses useless. Demonstration is provided with a remote GPU-enhanced exploit, combining a side-channel and rowhammer attack to compromise an ARM mobile device from the browser.
Pwnie for Lamest Vendor Response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
ThinkRace / Trackmageddon
Six million devices whose location tracking data was accessible via ThinkRace's web portal software were exposed and continue to be exposed. A number of companies have this software deployed and they aren't applying patches. What's worse is that ThinkRace had known about these vulnerabilities since 2016. Oh, you haven't heard about it? Maybe it's because the authors declined to do a full court press-tour.
Budapest Transport Authority (BKK)
Security researchers are like Sisyphus. We push vulnerabilities uphill, only to wake up the next day to find ourselves pinned underneath our own findings. This year, a researcher found and reported some standard web vulns in the ticketing system for the Budapest Transport Authority, and while he did exercise the flaw, he didn't actually use his gains (in the form of a reduced priced fare). He was arrested for his troubles. They did offer to work with him in the future and set up a bounty, but not before they received 46000 1* reviews on Facebook and protestors on their doorsteps.
T-Mobile Austria / Käthe and andrea of support
When someone asks a company on the twitters about whether or not they store passwords in clear text, typically if they do, they try not to comment or admit it. But Käthe over in support at T-Mobile Austria doubled down, brazenly admitting to and defending the plaintext storage of passwords, which makes them our hero. A couple of incredulous tweets and news articles later, and T-Mobile Austria unsurprisingly announced that they would stop storing passwords in cleartext. We can only hope to see Käthe again, presumably as VP/Marketing.
Yubico used information provided by Markus Vervier and Michele Orrù to report a security issue in Google Chrome, but did not credit them. They received and accepted a Bug Bounty from Google even though they were not the first to report the bug, as Markus and Michele had already reported the bug to Google through the Chrome Bug Tracker before they did. We actually think Yubico submitted themselves for lamest vendor response just to receive the pwnie.
This response has everything. Bitcoin. The word Unhackable. John McAfee. A 250k Bounty that is so narrowly constrained it is ridiculous. Reverse engineers posting that the wallet has no hardware security mechanisms (not even anti-tamper). Multiple people breaking the device. A video of John McAfee being displayed onscreen on the device. A tweet from bitfi claiming that rooting the device doesn't mean that it was hacked.
Pwnie for Most Over-hyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
EFAIL indicates it was a vulnerability in end-to-end encryption technology OpenPGP that leaked plaintext of encrypted emails. The EFF came out and said to disable or uninstall tools that do PGP encrypted email. Encryption was a luxury of the past, call your lawyer - your spouse is reading your email. This was presented at USENIX, had a website, logo, name, etc. Wired called it a Major, Divisive flaw. Wired UK said PGP was dead. The Washington Post and USA Today joined in.
However, it turns out it wasn't a crypto vulnerability or even a GPG vulnerability, but rather problems with email clients. GnuPG maintainers said it was overhyped. So in the end, it didn't affect too many people, and after all the app is called "Pretty Good Privacy". Is that like hacking a web application with a pretty good security assessment? Plus, Mutt wasn't even vulnerable.
Meltdown and Spectre were vulnerabilities in the way branch prediction worked which would allow attackers the ability to read memory. It was pretty awesome and affected most systems. But at some point, the hype train jumped the tracks a bit. The normally extremely accurate Fox News called it the worst computer bug in history. One of the researchers who discovered it agreed, calling it "probably one of the worst CPU bugs ever found". Bloomberg agreed, the Verge said it was a catastrophe.
But after all of this and the fact most devices will never be updated, we still don't see exploitation of this in the wild. You'd think the worst bug in history would lead to at least a few computers getting hacked. Probably the biggest impact of this bug is the performance impact that its patch introduced.
Privilege escalation in beep. Yes they had a webpage and logo, but their page is actually an attack against branded vulnerabilities and is way funnier than pwnie award writeups. It made securityweek and a German researcher said beep should be killed in response. In the end, all 1.86% of systems that had beep installed were better off thanks to this research. It also makes a great white elephant gift.
This was a directory traversal attack in zip files. This vulnerability got some air time by threatpost, zdnet, slashdot and friends. It had its own webpage, name, and logo. But in the end it was just another directory traversal attack as described in Phrack back in 1991. Perhaps this exploit was actually a deep lesson in how security hasn't improved in twenty years. Doubt it.
Plus everyone knows real exploits need to massage the heap and use return oriented programming.
Zipperdown (CVE: None)
Zipperdown describes a common programming error in up to 10% of iOS apps. This vulnerability has a logo, name, and multi-language website. The site lists some vulnerable apps, none of which I've ever heard of. However, it doesn't specify what the actual programming error is in order to "protect the end-users".
So in other words, it turns out that 10% of iOS apps are shit. I would have guessed it was more.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song?
The nominees for the Best Song will be shown at the ceremony this year.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.
The winner of the Lifetime Achievement Award will be announced at the ceremony.