August 2, 2007

Black Hat's Oscars: The Pwnie Awards

Author: Joe Barr

In a hastily arranged ceremony, a small group of security researchers gathered last night at Black Hat to acknowledge the work of hackers, vendors, and music-makers in the First Annual Pwnie Awards.

The brainchild of Alex Sotirov and Dino Dai Zovi, the awards were a very late addition to the Black Hat schedule. Therefore the crowd was small, but appreciative. Jeff Moss, Black Hat's founder, kicked things off by offering chocolate ponies to the event's organizers in recognition of their hard work. Sotirov served as master of ceremonies, calling up an individual judge to announce the nominees and the winners in several categories: Best Server-Side Bug, Best Client-Side Bug, Mass Ownage, Most Innovative Research, Lamest Vendor Response, Most Overhyped Bug, and Best Song.

Despite having been notified by email at midnight the day before, none of the winners were physically present to accept the gold-colored pony statue that represented the researchers' clone of the Oscars. However, the night's only multiple-award winner did manage to call in and say thanks.

Dave Aitel announced Kingcope as the first winner of the Best Server-Side Bug Pwnie (pronounced pony), for an incredibly complex exploit based on a vulnerability on Solaris boxes involving telnet and the -f option (CVE-2007-0882), first reported on Bugtraq in 1994. Dave did find it necessary to harsh Kingcope's name, however, and suggested he find a better one before next year. Other nominees found bugs in Sendmail and Microsoft DNS.

The award for Best Client-Side Bug -- presented by Dai Zovi, who appears to have started growing facial hair since last year's Black Hat -- went to skape and skywing for an unhandled exception filter chaining vulnerability (CVE-2006-3648) in Internet Explorer. According to the awards committee, bugs like this happen only once a decade. Other nominees were Alex Sotirov and anonymous for ANI buffer overflow (CVE-2007-0038) in the Windows ANI parser, which resulted in one of the first remote exploits for Vista; Dino Dai Zovi for a QuickTime Java extensions vulnerability (CVE-2007-2175), exploitable on both Windows and OS X; and Daniel Bleichenbacher for the RSA signature forgery for a public exponent of 3 (CVE-2006-4339), exploitable in common SSL implementations like OpenSSL and Firefox. Dai Zovi could not recall the details of any of the bugs, but H. D. Moore and others sharing the stage stepped up to explain them.

Sotirov took the podium back to announce the winner of the coveted Pwnie for Mass Ownage -- aka the "Pwnie for Breaking the Internet." There were only three nominees in this category, luckily for all of us. First, pdp, int3l, and |)ruid were nominated for combining the QuickTime scripting bug found by pdp with a cross-site scripting bug found by int3l and |)ruid, which was used in the MySpace worm that allegedly resulted in 20 million pwned systems. The second nominee was Sotirov himself, for the ANI buffer overflow noted above, along with the anonymous researcher who released it in the wild three months after it was discovered. This exploit affected both Internet Explorer and Firefox, prompting Dai Zovi to take the mic and announce "I would like to point out that it didn't affect my Mac." The final nominee was anonymous, for the WMF vulnerability -- which actually comes from the previous year, but was included among the nominees because of its importance and because this is the first year for the awards. This was the vulnerability that kick-started the third-party patch industry for Windows. Sotirov described this bug as also being a feature, since it has been present since Windows 3.1 and was even implemented in Wine. The award went to anonymous for WMF.

Dai Zovi presented the Pwnie for Most Innovative Research. The nominees were skape for his work with Temporal Return Addresses; Halvar Flake -- Dai Zovi noted that Flake had the best excuse of anyone for not being present at the ceremony -- for his exploitation of uninitialized variables; Alex Sotirov for JavaScript heap manipulation; Barnaby Jack for his attacks on embedded devices; and finally, Tyler Durden for automated vulnerability auditing in machine code. skape became the first ever multi-award winner with this Pwnie.

H. D. Moore -- aka hdm, and the founder of the Metasploit Project -- took the podium next to announce the winners for Lamest Vendor Response and Best Song. Nominees in the first category were BMC for their response to a vulnerability reported to them by TippingPoint; OpenBSD for refusing to acknowledge a vulnerability found and demonstrated in a proof of concept by Core Security; Norman Antivirus for not crediting Sergio Alvarez for discovery of a vulnerability; and Guidance Software, who denied vulnerabilities presented at this year's Black Hat. The Pwnie went to OpenBSD.

The Pwnie for Best Song went to "Revolution" by Symantec. The other nominees were "Set IT Managers Free" by Intel; "Trade Secrets" by SpamTec; and "Lets Talk About Sec" by anonymous.

I almost forgot the last category, for Most Overhyped Bug. The nominees were Joanna Rutkowska for BluePill, an "undetectable" virtualization rootkit for which detection techniques are being presented at the show; David Maynor for the MacBook Wi-Fi vulnerabilities that created such a storm of denial and press wars last year; and the Safari vulnerability discovered in iPhone by Charlie Miller, Jake Honoroff, and Joshua Mason. The winner was David Maynor.
