Pwnie Awards 2017

The 2018 Pwnie Award For Best Server-Side Bug

Intel AMT Remote Vulnerability

Maksim Malyutin of Embedi

Intel fails to understand how strncmp works in a critical piece of authentication code that runs at the hardware level on their chips, which the entire community told them was probably a bad idea, but thanks to monopoly power and basic economics, they did anyway. The exploit, for those of you who forgot how Digest Authentication works, is to send exactly nothing to the user_response, since any two zero length strings are pretty equivalent.

This lets attackers read and write files, change boot settings, and otherwise do things to the computer even your NEXT GENERATION ANTI-VIRUS (with 100% zero day protection!) can’t hope to prevent.