Pwnie Award Winners 2021

Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.


Exploiting Samsung Secure Chip (CVE-2020-28341)

Researcher Names: Gunnar Alendal

Link: https://www.blackhat.com/us-21/briefings/schedule/#chip-chop---smashing-the-mobile-phone-secure-chip-for-fun-and-digital-forensics-23566

One chip stack-based buffer overflow to rule them all. Samsung Galaxy S20 got a secure chip hacked by a single dude, completely killing the chip security and exposing all its code and secrets. The exploit can write persistent changes to the firmware and completely ruin the future trust in this CC EAL 5+ certified chip.

Against a black-box chip, no less, the bug is exploited through the front door, aka the logical interface. The vulnerability can also be used to brute force the screen lock. Devastating for Samsung security.


Best Cryptographic Attack

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.


NSA/CVE-2020-0601

Publication Citation: None (see link)

Researcher Names: None

Link: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

NSA discovered a bug in the verification of signatures in Windows which breaks the certificate trust chain. This is the first time a crypto bug had real-world impact, and NSA disclosed it through the vulnerability equities process (VEP).


Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.


Heap-based buffer overflow in Sudo!

Researcher Name: Baron Samedit - Qualys

Link: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt

CVE: CVE-2021-3156

A 10-year-old bug on a very popular security boundary. This bug is unique as it couldn't be fuzzed out and required knowledge of how the system interacts with sudo, making it a very clever find.


Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.


Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

Researcher Names: Orange Tsai

Link: https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442

Microsoft Exchange Server was in vogue this spring, sporting not only critical vulnerabilities, such as ProxyLogon but also a whole new attack surface.

The new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), was split into a frontend and a backend. This fundamental change of architecture incurred a considerable amount of design debt and, even worse, introduced inconsistencies between the two contexts.

To showcase the beauty of this attack surface and the novel exploitation method, 7 vulnerabilities were released that consist of server-side bugs, client-side bugs, and crypto bugs. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.


Best Song

What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a “multi-talented” group of people.


The Ransomware Song

Composer(s) and/or Performer(s): @forrestbrazeal

Song Title: The Ransomware Song

Link: https://www.youtube.com/watch?v=d2dsI8NvdCU

A fantastic song about the (ab)use of math in creating the wonderful world of cyber security, with a catchy, well-composed, Broadway-style flair. Finally, a use for math!


Epic Achievement

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.


Prank Calls for Truth

Alexey Navalny

Sometimes attribution is hard! Nation-state actors are complex, calculating, and hard to pin down. But other times, you can just call them up to ask. 

One prank call to Russia’s Federal Security Service (FSB) landed the confession needed to implicate them in the near-fatal nerve-agent poisoning of Alexey Navalny. As is tradition, Russia denies all allegations.

https://www.bellingcat.com/news/uk-and-europe/2020/12/21/if-it-hadnt-been-for-the-prompt-work-of-the-medics-fsb-officer-inadvertently-confesses-murder-plot-to-navalny/


Ilfak Guilfanov

Researcher Name: Ilfak Guilfanov

Link: https://twitter.com/ilfak

Author and founder of Hex-Rays and IDA, which is celebrating its 30-year anniversary. Ilfak’s impact on vulnerability research should be obvious. IDA and Hex-Rays have had an epic impact on the security landscape, and their thirty-year history of driving the field forward is unprecedented.


Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.


Cellebrite Response to Moxie

Vendor Name: Cellebrite

Link: https://signal.org/blog/cellebrite-vulnerabilities/

What’s more lame than trying to burn down Signal (a beloved app) and then failing to respond to the bugs that Moxie sends you?


Most Epic Fail

This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.


PrintNightmare

Researcher Name(s): Microsoft

Link: https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

Description:

Microsoft tried to fix it but failed. Then they tried again to fix it but failed. They’re hopefully still trying. 2 patches, and it’s still kicking! It goes without saying that Microsoft identified CVE-2021-34527 as an LPE; a little willpower and Twitter drama made it an RCE. Microsoft came up with another (out-of-band) patch that doesn’t fix the RCE vector properly and doesn’t even try to fix the LPE anymore.


Most Innovative Research

Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.


Speculative Probing: Hacking Blind in the Spectre Era

Researcher Names: Enes Goktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, Cristiano Giuffrida at VUSec

Link: Speculative Probing: Hacking Blind in the Spectre Era

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still "hack blind" and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects. Since the blind probes are commonly used to launch return-oriented programming attacks, the method is frequently referred to as Blind ROP (or BROP). Unfortunately for the attacker, BROP is only feasible for crash-resistant programs. However, the most high-value targets such as the Linux kernel are not crash-resistant: any probe that touches invalid memory will crash the system. So, blind attacks on the kernel are infeasible. Or so we thought.

The BlindSide attack shows that an attacker armed with a single memory corruption vulnerability in the Spectre era can "hack blind" without triggering even a single crash. That is, given a simple buffer overflow in the kernel and *no* additional information leak vulnerability, BlindSide can mount BROP-style attacks in the *speculative execution domain* to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets and enable reliable exploitation. This works even in the face of solid randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and of state-of-the-art mitigations against Spectre and other transient execution attacks. Leaks are so 2019!


Most Under-Hyped Research

Like good magicians, our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug, and then they get caught in the UNDERHYPED Pwnie Awards!


21 Nails

The Qualys Research Team

Previously, the Qualys research team found 3 bugs in the Exim mail server. Now they’ve come back with 21. Some of these bugs were considered unexploitable, but the team proved otherwise. Most of the bugs discovered have existed since the beginning of the Exim project and include 11 local vulnerabilities and 10 remote vulnerabilities.

https://www.qualys.com/2021/05/04/21nails/21nails.txt