Active Nominations
As the saying goes, “you can crank an engine until the cows come home, but it won’t start without fuel.”
So thanks to everyone who has submitted nomination(s) for the 2020 Pwnie Awards! I’m not sure how this directly relates, but it’s without a doubt a great quote.
Anyways, check out this year’s submissions from all of you lovely people:
- Zero-Click iMessage Exploit
- Remote Memory Corruption Bug in MacOS Bluetooth
- RCE on Samsung Phones via MMS
- TPM Fail: TPM Meets Timing and Lattice Attacks
- The Curious Case of WebCrypto Diffie-Hellman on Firefox - Small Subgroups Key Recovery Attack on Diffie-Hellman
- Zerologon
- Raccoon Attack
- Cellebrite Good Times, Come On
- Evilsocket and pwnagotchi contributors
- David Wang, Stanislaw Skowronek
- Guang Gong
- Qualys Security Advisory Team
- French Police
- axi0mX
- Graham Clark
- Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici, Boris Zadov
- Andy Gill
- Matthew Bergin (Level)
- Exploiting the Wi-Fi Stack on the Tesla Model S
- Exploiting the "noowners" Flag -- APFS Privilege Escalation
- Deceiving Android's GPU Driver to Remotely Root Android Devices
- Local Privilege Escalation in OpenBSD's dynamic loader
- ZombieVPN, Breaking That Internet Security
- checkm8 - Epic JailBreak
- Windows ALPC Elevation of Privilege Vulnerability
- Pulse Connect Secure, Pulse Policy Secure, Pulse Secure Desktop Client RCE
- Zerologon
- BraveStarr – A Fedora 31 netkit telnetd remote exploit
- HAProxy: Out-of-Bounds Write in HTTP2 HPACK Dynamic Table
- Remote Code Execution in Citrix ADC
- Dabman & Imperial (i&d) - Multiple Vulnerabilities
- RCE in OpenSMTPD
- RCE in OpenSMTPD's Default Install
- Remote Code Execution in qmail
- Trend Micro
- IBM
- Open Source Security, Inc -- grsecurity/PaX
- CHAL-TEC GmbH, aka Electronic Star, aka Auna
- Daniel J. Bernstein
- WECON Technology Co., Ltd.
- Giggle
- Intel Corporation
- Confessions of a Hacker known as Kingpin - Joe Grand Story
- R57
- 5G ft. ytcracker
- I Will Survive
- Very Serious Problems (The Internet Has Problems)
- KJC Mixtape
- Lady Ada - Powertrace (Pokerface Song Parody / PLATYPUS Paper Teaser)
- Dark Web
- WHO DO YOU WORK FOR
- BlackHat
- Windows Defender c/o Microsoft
- Microsoft
- KuCoin
- NCC Group
- Oracle WebLogic Server c/o Oracle
- InternalBlue, Spectra, ToothPicker, Frankenstein
- BaseSAFE: Baseband SAnitized Fuzzing through Emulation
- Hidden Propery Abusing in Node.js
- Web Cache Deception in the Wild
- Lamphone
- DNS Cache Poisoning Attack Reloaded
- How to Exfiltrate Internal Information Using Web Proxies
- Vancouver Hospitals Pager Breach
- TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not.
- NetCAT: Practical Cache Attacks from the Network.
- LimitedResults
- Cisco Adaptive Security Appliance Vulnerabilities
- Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)
- Cellebrite Good Times, Come On
Best Client-Side Bug:
Best Cryptographic Attack:
Epic Achievement:
Best Privilege Escalation Bug:
Best Server-Side Bug:
Lamest Vendor Response:
Best Song:
Most Epic FAIL:
Most Innovative Research:
Most Under-Hyped Research: