Pwnie Award Nominees
- Best Server-Side Bug
- Best Client-Side Bug
- Mass 0wnage
- Most Innovative Research
- Lamest Vendor Response
- Most Overhyped Bug
- Best Song
- Most Epic FAIL
- Lifetime Achievement Award
We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.
The winners of the Pwnie Awards were announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
- Windows IGMP kernel vulnerability (CVE-2007-0069)
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
- NetWare kernel DCERPC stack buffer overflow
At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.
This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.
- ClamAV Remote Command Execution (CVE-2007-4560)
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus' Law clearly does hold: "Given enough eyeballs, all bugs are shallow", even the ones that we knew about fifteen years ago.
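As an added illustration of the popen() pattern this nomination describes, here is the vulnerable shape next to an argv-based replacement with an allow-list check (example code, not ClamAV's own; function names are hypothetical and the sendmail path is assumed):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed illustration, not ClamAV's code: the shape of the bug the
 * nomination describes (a recipient address spliced into a popen() command
 * line) next to a hardened replacement.  Function names are hypothetical
 * and the sendmail path is assumed. */

#define SENDMAIL_PATH "/usr/sbin/sendmail"   /* assumed location */

/* Vulnerable shape: whatever the recipient contains becomes part of a shell
 * command line, so shell metacharacters (';', '`', '$(', '|') are obeyed. */
int build_popen_command(char *out, size_t outsz, const char *recipient)
{
    return snprintf(out, outsz, SENDMAIL_PATH " %s", recipient);
}

/* Allow-list check: only the characters an address needs, exactly one '@'
 * with a non-empty local part and domain, no leading '-' (so it can never
 * be read as an option), and a bounded length. */
bool recipient_is_safe(const char *r)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._+-@";
    size_t n = strlen(r);
    const char *at;

    if (n == 0 || n > 254 || r[0] == '-' || strspn(r, allowed) != n)
        return false;
    at = strchr(r, '@');
    if (at == NULL || at == r || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return false;
    return true;
}

/* Hardened invocation: no shell is involved.  The address is a single argv
 * entry, so even if it somehow contained metacharacters nothing would parse
 * them.  Returns sendmail's exit status, or -1 on rejection or failure. */
int send_notification(const char *recipient)
{
    pid_t pid;
    int status;
    char *const argv[] = { SENDMAIL_PATH, (char *)recipient, NULL };

    if (!recipient_is_safe(recipient))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(SENDMAIL_PATH, argv);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char cmd[512];
    const char *hostile = "bob@example.org;id";   /* constructed sample */

    build_popen_command(cmd, sizeof cmd, hostile);
    printf("popen() would run: %s\n", cmd);        /* ';id' reaches the shell */
    printf("allow-list verdict: %s\n",
           recipient_is_safe(hostile) ? "accepted" : "rejected");
    return 0;
}
```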
- SQL Server 2005 (CVE-2007-4560)
Just in time for the Pwnie nominations to close, Brett Moore and Microsoft bring you the first security bulletin affecting SQL Server 2005. This vulnerability, exposed to an unprivileged SQL user, occurs when SQL Server attempts to restore a corrupt database backup. The database backup may be hosted on a remote SMB or WebDAV server, making this a remote code execution exploit that can also be triggered through a SQL injection vulnerability.
The best part is from Insomnia Security's advisory:
SQL Server appears to use its own dynamic heap management, which makes exploitation different from a standard heap overflow. Using custom heap management routines means that the standard heap protection mechanisms are not in place.
If this vulnerability wins a Pwnie, David Litchfield has promised to come up on stage and present it to Brett.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
- Multiple URL protocol handling flaws
Not just a few vulnerabilities, but an entire attack vector, URI protocol handler flaws pitted web browser and application vendors against each other as one web browser was exploitable through another and each vendor blamed the other for the vulnerability.
- Slirpie
Presented at Toorcon 2007, this attack used DNS Rebinding to bypass the Same Origin Policy and build a tunnel into a remote network using only a lured web browser (and its associated grab bag of Web 2.0 technologies like Flash, Java, and JavaScript). This vulnerability can best be described as a design bug in the Web 2.0 and we're all waiting for it to be fixed in Web 2.0 Service Pack 1.
- Safari carpet bomb (CVE-2008-2540)
Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user's configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and Windows). This can be used for a variety of attacks. First, you can litter the user's desktop with files or drop malware onto their desktop, hoping that the user will run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term "blended threat" into the security vernacular.
- Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2007-0071)
This vulnerability requires no introduction. Independently discovered by both Mark Dowd and wushi of team509, this vulnerability showed how what appeared at first to be just a NULL-pointer dereference could be manipulated into yielding reliable cross-version remote code execution. For an excellent summary of the vulnerability and a discussion of proper handling of malloc() return values, see the Matasano blog.
This vulnerability was also used in a mass SQL-injection assisted malware attack in late May 2008 that resulted in much security industry drama and at least a few stolen World Of Warcraft passwords. The fact that Adobe took 15 months to patch this vulnerability suggests that they believed it to be a non-exploitable NULL-pointer dereference. Oops.
- QuickTime (CVE-2008-*)
No, this nomination is not for a vulnerability in Apple QuickTime, it is for QuickTime itself as a client-side vulnerability. A quick search of CVE entries yields 62 vulnerabilities in Apple QuickTime just in the last two years. The discoverer of the next QuickTime bug wins a free trip to the salad bar. Who would have thought that putting code originally written in the early nineties into a web browser would be a bad idea?
Pwnie for Mass 0wnage
Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as ‘Pwnie for Breaking the Internet.’
- Windows IGMP kernel vulnerability (CVE-2007-0069)
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
- An unbelievable number of WordPress vulnerabilities (CVE-2008-*)
It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.
- Debian's random number generator with 15 bits of entropy (CVE-2008-0166)
The crippled OpenSSL random number generator in Debian led to numerous weak SSL and SSH keys, allowing attackers to break RSA encryption on an unprecedented scale. Since the flaw was announced, Luciano Bello, Maximiliano Bertacchini, and Paolo Abeni have released a patch to Wireshark that decrypts SSL sessions (bypassing PFS) that involve one of the weak keys.
- XSS of the entire web for users of Earthlink, Comcast and Verizon
Dan Kaminsky discovered that many ISPs that hijack non-existent domains to serve ads are vulnerable to cross-site scripting attacks, allowing an attacker to compromise any website on the Internet. Dan gets bonus points for using a Rickroll to demonstrate the bug.
- SQL injection in more than 500,000 web sites
SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
- Application-Specific Attacks: Leveraging the ActionScript VM
Mark Dowd exploited a NULL pointer dereference in the Flash runtime to desynchronize the ActionScript bytecode verifier, inject malicious bytecode instructions and finally execute x86 shellcode. The combination of techniques used by Dowd is beyond anything seen before. The details of the exploit are published in a 25-page paper and explained for non-exploit writers in a Matasano blog post.
- Splitting Gemini
This talk demonstrates a post-root technique for altering the OS scheduler to remove and control a core from a multi-core CPU. The ability to completely control both the scheduler and an entire core puts an attacker in a unique and defensible position for maintaining access to a system.
- Lest We Remember: Cold Boot Attacks on Encryption Keys
This paper proved that DRAMs used in most modern computers retain memory contents after powering off, including data like passwords and encryption keys, for much longer than most people believed. The authors developed new techniques for recognizing and recovering encryption keys even after some bits have been lost due to memory decay. The impact of the research was demonstrated with software to break the full disk encryption implementations on Windows, OS X and Linux.
- Defeating a VM packer with a decompiler written in OCaml
This work describes an innovative attack on virtualizing protections. The idea is to create a compiler with a poly/metamorphic front-end that deobfuscates and recompiles the proprietary bytecode back into x86. The compiler was implemented in OCaml and successfully defeated multiple virtualizing protectors.
- Heaps about Heaps
Brett Moore released the first paper in a couple of years to introduce new Windows heap exploitation techniques. His work shows that the safe unlinking and heap cookies in Windows Server 2003 can be bypassed, and proves this with a Citrix Metaframe Server exploit.
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
- McAfee's "Hacker Safe" certification program
XSS vulnerabilities in multiple sites certified as "Hacker Safe"
More than 60 web sites certified to be "Hacker Safe" by McAfee's ScanAlert service were reported as vulnerable to XSS attacks, including the ScanAlert web site itself. Joseph Pierini, director of enterprise services for the "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server:
Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.
Another McAfee quote that is certain to become a timeless hacker classic is "we go in like a super hacker".
- Linus Torvalds
Linux kernel non-disclosure policy
Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security issues by defending silent patching of security vulnerabilities in the Linux kernel:
So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.
Adding insult to injury:
Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.
It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.
For more background on the current Linux security fiasco, see this thread on Dailydave.
- Wonderware
Response to SCADA denial of service vulnerability
CORE security reported a denial of service vulnerability in Wonderware's SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability and their response indicated total incompetence:
2008-01-30: Initial contact email sent to Wonderware setting the estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgment of the notification of a security vulnerability.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org
- NXP (formerly Philips Semiconductors)
Lawsuit against researchers who broke the Mifare Classic smart cards
NXP has sued Radboud University Nijmegen (in the Netherlands), to block publication of a research paper, "Dismantling Mifare Classic", detailing an attack against the RFID chips used in many public transport systems around the world.
The response from Transport of London to the news of successful cloning of Oyster cards includes this priceless comment:
This was not a hack of the Oyster system. It was a single instance of a card being manipulated.
Update: This story has a happy end with the lawsuit being dismissed by a Dutch court on July 18, 2008.
Pwnie for Most Overhyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the mainstream media. Bonus points for bugs that turn out to be impossible to exploit in practice. Also known as ‘Pwnie for Pwning the Media.’
- Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)
Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.
- BT Home Hub authentication bypass (CVE-2008-5383 and CVE-2008-5384)
GNUCITIZEN and pagvac initiated a media blitz over this vulnerability which allows a malicious web page to use a CSRF attack to bypass authentication and modify the settings on the most popular home DSL router in the UK. This could allow a remote site to disable your firewall, modify your DNS server settings, or enable remote administration of your router. The bug was real, but it was accompanied by such a massive media campaign that it surely deserves a nomination.
- Adobe Flash Player non-0day remote code execution (BID 29386)
Those sirens that you heard in the middle of the night on May 28, 2008 weren't an air raid or tornado alert. No, they were because Symantec had elevated the ThreatCon to chartreuse! Symantec observed active exploitation of a zero-day vulnerability in Adobe Flash. It turned out, however, that it wasn't a zero-day bug at all, but instead an exploit for the DefineSceneAndFrameLabelData vulnerability patched a month prior.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? Let's see if anybody can beat Derek's Twas the night before Christmas.
- Packin' The K!
On hackers we put the hurtski,
we use Kaspersky, we pack the K!
- The Data Song (Get Me LiveSecurity)
A departure from the traditional ego-driven security songs, The Data Song tells the story from the perspective of the data who desperately needs protection. Sung in a sultry female voice:
Gimme a place of shelter, baby,
that can weather any storm.
I'm your network data, baby,
gotta keep me safe and warm!
- Clockwork
A hip-hop anthem chiding script kiddies for using skills they haven't earned.
Fuckin circus kids, got your worthless scripts
but you couldn't own a box if you purchased it.
You lookin' nervous, watchin' on your servers kid
but I pop you client side - while you're surfin' shit!
- Symantec Song
We received a copy of the following email sent to Symantec:
Yo Symantec ballerz,
I've been using your products for some time and I find them to be the flyest dopest freshest AV products for protecting my internet mhz from the hackerz.
So fly they make a brother just wanna kick a verse:
(please feel free to use this in your advertising campaigns)
In AV we get much respect
Wooaaahar, got your 0days in check
Forget McAfee, they get stepd on
bugs in their engine aint even a blip on threatcon
Connected, Protected, security2.0 we rep it
Advanced analysis not just virus defs kid
we got 3 types of crazy and 60 of ill
we already got 50 ways to detect blue-pill
Hacker problems? all in check
endpoint sec: sygate and symantec
From macOSX to windows, same thing go's
we pin those wack hackers
sigs for un-packers
malware lacks tactics
go home and practice young fellow
no mal code gets past
THE BIG YELLOW
Number 1 for AV software, dont dare
compare, we're the hardest
look at the percentage share we got of this market
corporate servers or home users
install sophos if u want something useless
symantec kingz shit on all internet abusers
we run this shit like electricity in computers
get your thorts on straight mate
we got peter norton, AV HEAVY WEIGHT
Thanks for your time.
Your Pal,
Doc Deazy.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
- Todd Davis, Lifelock CEO, for posting his SSN on the web
Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN.
- Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)
On May 2nd, 2006 Kurt Roeckx commented out two very important lines of code in the OpenSSL pseudo-random number generator (PRNG). The reason? Valgrind and Purify complained about the use of uninitialized data in the function that seeded the PRNG. By commenting out these two lines of code, the randomness of all cryptographic keys generated by the Debian OpenSSL package was reduced to about 15 bits, or less than 32,768 unique keys in practice.
By crippling the PRNG in the OpenSSL library, not only were all cryptographic keys generated on Debian-based systems suspect, but all cryptographic operations performed by these systems as well. Since the flaw was announced, Luciano Bello, Maximiliano Bertacchini, and Paolo Abeni have released a patch to Wireshark that decrypts SSL sessions (bypassing Perfect Forward Secrecy) that involve one of the weak keys. To this day, Kurt Roeckx still hosts vulnerable versions of the OpenSSL library in his personal directory on the Debian servers and has not been stripped of his Debian developer status.
- Windows Vista for proving that security does not sell
$100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements.
The good thing about the Vista debacle is that no other vendor will care to do such a security push, which means that we'll be able to easily own any piece of software for the foreseeable future.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.
This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.
- Oded Horovitz
Like Cher, Oded only needs to go by his first name. He is that much of a bad ass.
- Tim Newsham
Hello? He is The Newsh. 'Nuff said.
- Dan Geer
His name is Dan Geer. You may know him from other notable projects such as:
- X Windows
- Kerberos
- @stake
In 2003 Dan was famously fired from @stake for co-authoring a paper about the risks of software monoculture and Microsoft's dominance.
- John McDonald
You may know John McDonald (horizon) from his Solaris/SPARC non-exec stack exploitation technique and for co-authoring The Art of Software Security Assessment (which is so much better than The Art of Software Security Testing). What you don't know is that he also makes the best cafe latte in the United Kingdom.