Winners of the 2018 Pwnie Awards
Pwnie for Best Server-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Intel fails to understand how strncmp works in a critical piece of authentication code that runs at the hardware level on their chips, which the entire community told them was probably a bad idea, but thanks to monopoly power and basic economics, they did anyway. The exploit, for those of you who forgot how Digest Authentication works, is to send exactly nothing to the user_response, since any two zero length strings are pretty equivalent.
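An added illustration of the comparison flaw described above (a constructed model of the pattern, not Intel's source): the vulnerable check bounds strncmp by the length of the attacker-controlled response, so an empty or prefix-only response passes, while the hardened check insists on the full expected length and compares every byte.

```c
#include <stdio.h>
#include <string.h>

/* Constructed digest value standing in for the server's computed response. */
static const char EXPECTED[] = "5ccc069c403ebaf9f0171e9517f40e41";

/* Vulnerable pattern: the comparison length comes from the user's string,
 * so a zero-length user_response compares zero bytes and "matches". */
int check_vulnerable(const char *user_response)
{
    return strncmp(EXPECTED, user_response, strlen(user_response)) == 0;
}

/* Hardened: require the exact expected length, then compare every byte
 * without early exit so the result does not leak through timing. */
int check_hardened(const char *user_response)
{
    size_t n = strlen(EXPECTED);
    if (strlen(user_response) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(EXPECTED[i] ^ user_response[i]);
    return diff == 0;
}

int main(void)
{
    printf("vulnerable, empty response:  %d\n", check_vulnerable(""));
    printf("vulnerable, 2-byte prefix:   %d\n", check_vulnerable("5c"));
    printf("hardened, empty response:    %d\n", check_hardened(""));
    printf("hardened, correct response:  %d\n", check_hardened(EXPECTED));
    return 0;
}
```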
This lets attackers read and write files, change boot settings, and otherwise do things to the computer even your NEXT GENERATION ANTI-VIRUS (with 100% zero day protection!) can't hope to prevent.
Pwnie for Best Client-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
The 12 Logic Bug Gifts of Christmas
(Sing along to the tune of "I would walk 500 miles" by the Pretenders)
But I would exploit 6 logic bugs, and I would exploit 6 logic bugs more, just to be the guys who exploited 12 logic bugs, when we also could have used less than four (memory corruption bugs).
Pwnie for Best Privilege Escalation Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Meltdown and Spectre
I think we all knew that Spectre and Meltdown were going to get nominated for Best Priv Esc bugs this year. These gamechanging processor flaws changed the game for vuln release, and absolutely ruined IT staff's first week back from the holidays. Based on how the industry responded, Meltdown was the more presciently named.
Pwnie for Best Cryptographic Attack
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.
Return Of Bleichenbacher’s Oracle Threat
Consider Hanno Böck’s M.O.: you’ve got some extremely basic cryptographic vulnerability that no academic team is paying attention to anymore, because who could be stupid enough to have that problem anymore? Hanno takes the guesswork out of this and just asks the Internet: is it possible that people are actually running web servers that use zero as their AES-GCM nonce? And, long story short, later that year Hanno and Sean Devlin are on stage at Black Hat giving a talk whose slides are hosted on the website of an unsuspecting GCHQ. This is just how Hanno works.
So, at some point last year, Hanno and friends decided to ask the Internet another question: do web servers really still have RSA padding oracles, the kind Daniel Bleichenbacher discovered back in 1998? It’s 20 years later! We’ve dealt with that problem by now, right?
And the result is a Bleichenbloodbath.
They’re publishing documents signed with Facebook’s private key (not once, but twice, breaking Facebook’s fix for the bug). They’ve killed the RSA on F5 Big-IP boxes. Does anyone still use Radware? I guess they do, because the ROBOT team broke those. Citrix, too. Cisco’s ACE boxes are broken — Cisco won’t fix them, mind you, because they’re out of support now, but, oh shit, hold on, CISCO.COM is vulnerable too! Paypal’s vulnerable! A chunk of the Alexa top million. BouncyCastle breaks. The custom non-OpenSSL libraries like WolfSSL and MatrixSSL break. Erlang is broken. Cavium is broken. Unisys ClearPath MCP is broken! The MCP! It’s bananas.
The paper is bananas, too. They came up with and released an efficient scanning technique to spot BB'98 flaws, and in developing it discovered a bunch of new tricks for spotting BB'98 in TLS implementations. They released the scanner on GitHub. And a test tool on their website. And a CTF.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Remember when ASLR stopped exploitation? Neither do we, but we definitely did not anticipate this new era of hardware-based memory disclosure oracles. Given the overwhelming number of possibilities opened up by flirting with branch predictors and measuring cache retrieval, there have probably been new variants of Spectre announced since you began reading this sentence. Don't mind the sound of the fans humming as you read, and thank you for visiting the Pwnies nominations page!
Pwnie for Lamest Vendor Response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
This response has everything. Bitcoin. The word Unhackable. John McAfee. A 250k Bounty that is so narrowly constrained it is ridiculous. Reverse engineers posting that the wallet has no hardware security mechanisms (not even anti-tamper). Multiple people breaking the device. A video of John McAfee being displayed onscreen on the device. A tweet from bitfi claiming that rooting the device doesn't mean that it was hacked.
Pwnie for Most Over-hyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
Privilege escalation in beep. Yes, they had a webpage and logo, but their page is actually an attack against branded vulnerabilities and is way funnier than Pwnie Award writeups. It made SecurityWeek, and a German researcher said beep should be killed in response. In the end, all 1.86% of systems that had beep installed were better off thanks to this research. It also makes a great white elephant gift.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.
One of the Pwnie judges happens to think that lcamtuf’s book, Silence on the Wire, is one of the best examples of what it means to “hack”. It is fitting that a lifetime achievement award nomination goes to someone who embodies the technical spirit of a true hacker.
But it's not just a good book that puts Zalewski up for this award. Michal has been a prolific contributor to the security community for decades. His tools and contributions often approach problems from very different angles than the rest of the field. This results in significant innovation and novelty.
p0f changed how we look at our network traffic and pcaps.
AFL alone may be worthy of a lifetime achievement award (it was the underlying engine for several of the DARPA Cyber Grand Challenge finalists).
Michal enjoyed his time at Google, and who wouldn’t have using the largest corpus of fuzzing input in the world and being a source of “very reasonably priced web client exploits” (according to his prior boss). We’ve even heard that he was nice enough to send some people USB Lava-lamps for anniversaries (we would think twice about plugging those in…).