Pwnie Awards

Last updated
Pwnie Awards
StatusActive
GenreAwards Ceremony
FrequencyAnnual
Venue Summercon, Black Hat
Years active17
Inaugurated2007 (2007)
Founder Alexander Sotirov, Dino Dai Zovi
Website pwnies.com

The Pwnie Awards recognize both excellence and incompetence in the field of information security [ citation needed ]. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. [1] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference. [2]

Contents

Origins

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," [2] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.

History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi [1] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE - 2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE - 2007-0038) in Internet Explorer.

Winners

2022

2021

2020

2019

2018

2017

2016

2015

Winner list from. [28]

2014

2013

2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. [34] [35] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest. [34] [36]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. [34] [35] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets. [34] [35]

The award for best song went to "Control" by nerdcore rapper Dual Core. [34] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community. [34]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. [34] [36] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame). [35]

The award for "epic 0wnage" went to Flame for its MD5 collision attack, [36] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system. [35]

2011

2010

2009

2008

2007

Related Research Articles

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. Such behavior frequently includes gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. In lay terms, some exploit is akin to a 'hack'.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

Przemysław Frasunek is a "white hat" hacker from Poland. He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless. He serves as the CEO of Redge Technologies.

<span class="mw-page-title-main">Lennart Poettering</span> German software engineer

Lennart Poettering is a German software engineer working for Microsoft and the original author of PulseAudio, Avahi and systemd.

<span class="mw-page-title-main">ImmuniWeb</span>

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

Row hammer is a computer security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

<span class="mw-page-title-main">Stagefright (bug)</span> Software bug in Android

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. 1 2 3 4 Buley, Taylor (July 30, 2009). "Twitter Gets 'Pwned' Again". Forbes. Archived from the original on February 16, 2013. Retrieved January 3, 2013.
  2. 1 2 3 4 5 6 7 Sutter, John D. (August 4, 2011). "Sony gets 'epic fail' award from hackers". CNN. Retrieved January 3, 2013.
  3. @PwnieAwards (August 10, 2022). "Our final nomination for Lamest Vendor Response goes to:Google TAG for "unilaterally shutting down a counterterrorism operation"" (Tweet) via Twitter.
  4. Goodin, Dan (2021-04-21). "In epic hack, Signal developer turns the tables on forensics firm Cellebrite". Archived from the original on 2023-05-23.
  5. Cox, Joseph; Franceschi-Bicchierai, Lorenzo (2021-04-27). "Cellebrite Pushes Update After Signal Owner Hacks Device". Archived from the original on 2023-05-11.
  6. Brazeal, Forrest. "The Ransomware Song". YouTube. Archived from the original on 2021-12-21. Retrieved 9 August 2021.
  7. Tsai, Orange. "ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!". www.blackhat.com. Retrieved 9 August 2021.
  8. "U/OO/104201-20 PP-19-0031 01/14/2020 National Security Agency | Cybersecurity Advisory 1 Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers" (PDF). Defense.gov. Retrieved 9 August 2021.
  9. Göktaş, Enes; Razavi, Kaveh; Portokalidis, Georgios; Bos, Herbert; Giuffrida, Cristiano. "Speculative Probing: Hacking Blind in the Spectre Era" (PDF).
  10. Kolsek, Mitja. "Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)". 0Patch Blog. Retrieved 9 August 2021.
  11. Alendal, Gunnar. "Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics". www.blackhat.com. Black Hat.
  12. "21Nails: Multiple vulnerabilities in Exim". qualys.com. Qualys. Retrieved 9 August 2021.
  13. "E-Soft MX survey". securityspace.com. E-Soft Inc. 1 March 2021. Retrieved 21 March 2021.
  14. Tsai, Orange. "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!". www.blackhat.com. Retrieved 7 August 2019.
  15. "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", Vectorized Emulation
  16. "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd"
  17. 1 2 "Spectre Attacks: Exploiting Speculative Execution", Spectre
  18. 1 2 "Meltdown", Meltdown
  19. "Return Of Bleichenbacher’s Oracle Threat (ROBOT)"
  20. "Important Statement from Bitfi", Bitfi Public Announcement
  21. "Pwnie for Most Innovative Research", Pwnie Awards
  22. "Pwnie for Best Privilege Escalation Bug", Pwnie Awards
  23. "The 2017 Pwnie Award For Lamest Vendor Response", Pwnie Awards
  24. Hello (From the Other Side) Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
  25. "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", Erik Bosman et al.
  26. "DROWN: Breaking TLS using SSLv2" Nimrod Aviram et al.
  27. Cyberlier Katie Moussouris
  28. https://www.darkreading.com/vulnerabilities-threats/-will-it-blend-earns-pwnie-for-best-client-bug-opm-for-most-epic-fail
  29. https://j00ru.vexillium.org/slides/2015/recon.pdf
  30. https://www.kb.cert.org/vuls/id/552286
  31. "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", Adrian David et al.
  32. "Identifying and Exploiting Windows Kernel RaceConditions via Memory Access Patterns"
  33. at 09:31, John Leyden 5 Oct 2012. "Experts troll 'biggest security mag in the world' with DICKish submission". www.theregister.co.uk. Retrieved 2019-10-03.{{cite web}}: CS1 maint: numeric names: authors list (link)
  34. 1 2 3 4 5 6 7 Yin, Sara (July 26, 2012). "And Your 2012 Pwnie Award Winners Are..." SecurityWatch. PCMag. Retrieved January 8, 2013.
  35. 1 2 3 4 5 Constantin, Lucian (July 26, 2012). "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat". IDG-News-Service. PCWorld. Retrieved January 8, 2013.
  36. 1 2 3 Sean Michael Kerner (July 25, 2012). "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail". InternetNews.com. Retrieved January 8, 2013.
  37. 1 2 3 4 5 6 7 8 Schwartz, Mathew J. (August 4, 2011). "Pwnie Award Highlights: Sony Epic Fail And More". InformationWeek. Retrieved January 3, 2013.
  38. "Kernel Attacks through User-Mode Callbacks"
  39. "Securing the Kernel via Static Binary Rewriting and Program Shepherding"
  40. "Interpreter Exploitation Pointer Inference and JIT Spraying"
  41. 1 2 3 Brown, Bob (July 31, 2009). "Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards". NetworkWorld. Archived from the original on August 5, 2009. Retrieved January 3, 2013.
  42. 1 2 3 Naone, Erica (August 7, 2008). "Black Hat's Pwnie Awards". MIT Technology Review. Retrieved January 3, 2013.
  43. 1 2 3 4 5 6 Naraine, Ryan (August 2, 2007). "OpenBSD team mocked at first ever 'Pwnie' awards". ZDNet. Retrieved January 3, 2013.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.