Introducing…

…your 2021 nominations!!! Thanks to our partners at Black Hat, the Awards will be broadcast live from the Black Hat main stage on August 4th at 5:30pm PT! If you’re in town, come join us! For winners and prior winners who are in town, please contact us to join the afterparty.

Without further ado:

Best Client-Side Bug

Exploiting Samsung Secure Chip (CVE-2020-28341)

MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)

RCE through CS:GO

Collecting Garbage for Profit

CVE-2021-1864

CVE-2020-8695


Best Cryptographic Attack

Kaspersky Password Manager: All your passwords are belong to us

Minerva

NSA/CVE-2020-0601


Best Privilege Escalation Bug

CVE-2020-27194

New old bugs in Linux kernel

Mistune

Even more Windows print spooler

Mangkhut exploit chain

Heap-based buffer overflow in Sudo!

Floating Point Value Injection

Sequoia: A deep root in Linux’s filesystem layer

The Windows Print Spooler

CVE-2021-1648


Best Server-Side Bug

RCE in Qmail (CVE-2005-1513)

PrintNightmare (CVE-2021-34527)

Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

21Nails (too many to list)

UAF in HTTP.sys (CVE-2021-31166)

(Another) Print Spooler Vulnerability (CVE-2021-1675)

ESXI RCE (CVE-2021-21974)


Best Song

Obieseance

The Zoom Song

Chase Login

The Ransomware Song

Ransomwave

Miss Configuration


Epic Achievement

Prank Calls for Truth

Ilfak Guilfanov

DEFCON Voting Village

Lighthouse

Jiashui Wang (aka Quhe)

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Floating Point Value Injection (FPVI)


Lamest Vendor Response

Peloton Patches and Requires Subscription

Apple Response to Password Reset Vulnerabilities

Cellebrite Response to Moxie

Failure to Pay $1M Bounty

Giggle App Account and Public Information Disclosure Vulnerability


Most Epic Fail

PrintNightmare

Netgear router roundup

Canadian Shield iOS application is itself vulnerable

Samsung’s “secure” chip has a memcpy() buffer overflow

CREST / NCC Group – The Saga Continues

Voatz just generally having a bad one (year)

Unpatching the Patch


Most Innovative Research

APICraft: Fuzz Driver Generation for Closed-source SDK Libraries

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Speculative Probing: Hacking Blind in the Spectre Era


Most Under-Hyped Research

SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript

Windows 7 blind TCP/IP Hijacking

21 Nails

Supply Chain Attack on Composer