Pwine Award Winners 2020

Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.


BraveStarr – A Fedora 31 netkit telnetd remote exploit

@ronaldhuizer

A buffer overflow vulnerablity in telnetd that allows remote attackers to execute arbitrary code via short writes or urgent data. Wide application including IOT and embedded devices.

BraveStarrCVE-2020-10188


Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.


checkm8 – Epic JailBreak

axi0mX

Unpatchable USB bootrom exploit for a billion Apple devices: checkm8! This USB exploit works on 7 generations of Apple silicon (A5, A6, A7, A8, A9, A10, A11), including iPhones, iPads, Apple Watches, and Apple TV. There are public implementations of this exploit for all of these chips, but not all of them are supported by ipwndfu. This is the exploit used by the checkra1n jailbreak.

For Reference: https://twitter.com/i/web/status/1177542201670168576


Epic Achievement

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.


Guang Gong

A comprehensive attack surface analysis of remotely compromising Android on Pixel devices, including a one-click exploit chain without ROP, exploiting three vulnerabilities (CVE-2019-5870, CVE-2019-5877, CVE-2019-10567).

Remotely Rooting Modern Android Devices


Best Cryptographic Attack

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.


Zerologon

Tom Tervoort

The Zerologon vulnerability (CVE-2020-1472) made use of an all-zero IV in the AES-CFB8 implementation used by Microsoft’s Netlogon authentication protocol allows an attacker to easily spoof credentials. An attacker can use this attack to change any Active Directory password and become Domain Admin.

CVE-2020-1472


Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.


RCE on Samsung Phones via MMS

Mateusz Jurczyk

Zero-click MMS attack, remote code execution on Samsung devices without user interaction. Further information: Blog Post Chromium Bug Report GitHub – SkCodecFuzzer Demo

RCE on Samsung Phones via MMS


Most Under-Hyped Research

Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!


Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)

Gabriel Negreira Barbosa, Rodrigo Rubira Branco (BSDaemon), Joe Cihula (Intel)

Two vulnerabilities in the Intel VTd/IOMMU (CVE-2019-0151,0152) allow an attacker to bypass memory protections and execute code in SMM and TXT. The impact is way bigger than the attention it received. It is a CPU issue that is independent of the firmware’s SMM implementation so it could be used for installing firmware-agnostic SMM rootkits. It also allows code execution inside a TXT authenticated code module (ACM).

Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)


Most Innovative Research

Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.


TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not.

Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi

After an initial onslaught of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the ultimate hardware solution against the RowHammer problem: Target Row Refresh (TRR). In fact, it was considered powerful enough that the DRAM vendors started advertising their DDR4 as absolutely “Rowhammer free”. Except they were wrong. Two years of reverse engineering revealed that TRR is not protecting us from Rowhammer at all. Once it became clear how the defense worked in detail, it also became trivial to bypass it and it turns out that so-called Rowhammer-free DRAM chips, from all major vendors, are even more vulnerable to Rowhammer than older DDR3 memory. Since firmware fixes are not possible for memory chips, software solutions are have prohibitive overheads, and once deployed DRAM stays in use for years, Rowhammer will remain a major threat for a long time still. The research community awarded the effort with a best paper award at the IEEE Symposium on Security & Privacy.

https://www.vusec.net/projects/trrespass/


Most Epic Fail

This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.


Microsoft

Microsoft’s implementation of elliptic curve signatures allowed attackers to generate private pairs for the public keys of any legitimate signer. This enabled spoofing of any HTTPS website or signed binary on affected versions of Windows. We wish Microsoft was as lenient when choosing the time of updates, as it was for choosing generator points!

CVE-2020-0601


Best Song

What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a “multi-talented” group of people.


Lady Ada – Powertrace (Pokerface Song Parody / PLATYPUS Paper Teaser)

Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater

Lady Ada is a computer security professional. She is very interested in the new PLATYPUS Attack and wants to reproduce the results from the paper. She points out that power-side channel attacks that do not require physical access are a game changer. However, she also knows that she is secure as she has deployed the countermeasures already. Hence, she is not worried about PLATYPUS Attacks on her system.

Powertrace


Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.


Daniel J. Bernstein

Daniel J. Bernstein

In a world, where bug bounties are mostly about whining on social media about duplicates (sorry, you are not the only one who can find open redirects), a generous offer from the last millenium still reminds us of a more civilized age. And what can match such a great incentive better, than a beautiful exploit, that took 15 years and several generations of hardware to develop? Too bad we’ve lost this marker of excellence, because the exploit does not work on the issuers configuration. 4294967296 array elements ought to be enough for everyone, right?

CVE-2005-1513