The winners of the 2017 Pwnie Awards were announced last night at the Black Hat USA security conference. The annual ceremony awards the very best and worst coming out of the security community. People previously nominated their opinions of the biggest achievements and failures over the last year; the award winners are chosen from the top nominees in each category by a panel of security researchers.
This year, the Pwnie Awards went to:
Pwnie for Best Server-Side Bug
This Pwnie is awarded to researchers who discovered, or exploited, the most technically sophisticated and interesting server-side bug. There were six nominations listed in this category, but the Pwnie award went to the NSA’s Equation Group for CVE-2017-0143, 0144, 0145.
The public became aware of these vulnerabilities thanks to the Shadow Brokers. Not long afterwards, several ransomware attacks sprung up and hammered Windows boxes. Because of that, Microsoft took the unprecedented step of releasing patches for even unsupported versions of the OS, such as Windows XP.
Pwnie for Best Client-Side Bug
Of the top five nominees for the most technically sophisticated and interesting client-side bug, the Pwnie went to Ryan Hanson, Haifei Li, Bing Sun, and unknown hackers for Microsoft Office OLE2Link URL Moniker/Script Moniker (CVE-2017-0199). Described as “an instance of parallel discovery,” two different flaws were reported for how Microsoft Office mishandled OLE objects even as an unknown party was actively exploiting one of the flaws with spearphishing attacks.
The bugs were able to bypass all memory-based attack mitigations, worked against Windows 10 and Office 2016, and both vectors became “favorites of penetration testers and random blackhats alike.”
Pwnie for Best Privilege Escalation Bug
As for the best in this category, a boatload of people were credited for Drammer: Deterministic rowhammer attacks on mobile platforms: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi and Cristiano Giuffrida.
Attacks exploiting the rowhammer hardware bug weren’t new, but Drammer exploited rowhammer so that attackers could remotely take control of Android devices by hiding it in a malicious app that required no permissions. Millions of Android phones were deemed to be vulnerable. The nomination described this privilege escalation bug as, “Mobile computing row hammer attacks (MC Hammers, for short) are terrifying. You can't touch them and can only hope that, please, they won't hurt you.”
Pwnie for Best Cryptographic Attack
Researchers from Google and CWI, the national research institute for math and computer science in the Netherlands, were awarded the Pwnie for being the first to break the SHA-1 internet security standard. The nomination states: “The SHAttered attack team generated the first known collision for full SHA-1. The team produced two PDF documents that were different that produced the same SHA-1 hash. The techniques used to do this led to an a 100k speed increase over the brute force attack that relies on the birthday paradox, making this attack practical by a reasonably (Valasek-rich?) well-funded adversary.
The slide for this Pwnie credited “Nimrod Aviram et all.” However, Aviram said he didn’t co-author SHAttered. The best crypto attack Pwnie nomination credits the following for SHAttered: Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini and Yarik Markov.
Pwnie for Best Backdoor
M.E.Doc was awarded the Pwnie for best backdoor, since the accounting software company’s servers were compromised and used to deliver a backdoor into Ukrainian companies that used the software. M.E.Doc is believed to be “patient zero” for the NotPetya ransomware. The Pwnie Awards’ credit for this backdoor reads, “Totally not Russia.”
Pwnie for Best Branding
The Atlassian Security Team walked away with the Pwnie award for the best branding/overhype for the vulnerability GhostButt. The nomination states: “Ghostbutt (CVE-2017-8291) has it all, a website, a clever logo, made even cleverer by having the logo be the exploit and, of course, the use of the -butt suffix (ala threatbutt). It doesn't have an online store, but[t] it does have a song.”
Pwnie for Most Innovative Research
Pwnie for Lamest Vendor Response
The most spectacular mishandling of a security vulnerability by a vendor ended up winning a Pwnie for Lennart Poettering due to SystemD bugs 5998, 6225, 6214, 5144, 6237. The nomination reads: “Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there’s no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!”
Pwnie for Most Epic FAIL
Top nominees for the most epic FAIL included The Intercept for exposing NSA contractor Reality Winner as a source, Cloudflare for Cloudbleed, and Kaspersky for a flaw in its safe browser. But the winner was the government of Australia, specifically Australia’s Prime Minister Malcolm Turnbull.
When asked if the laws of mathematics would trump the laws of Australia, Turnbull replied, “Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Lifetime Achievement Award
There is not a list of those nominated, but FX won the lifetime achievement Pwnie.
Pwnie for Epic 0wnage
There was tie for epic ownage, so the Pwnie award went to both WannaCry, credited as “North Korea(?)” and the Shadow Brokers, credited as “Russia. Straight up: Russia.”
The Pwnie Awards’ website has not yet been updated with a list of this year’s winners. Since I didn’t see any tweets, then I guess we have to wait for the site update to learn who won the Pwnie for epic achievement, most over-hyped bug and best song.