Meet the Finalists for the 2023 Pwnie Awards

CountExposure, @b2ahex; CVE-2022-22036; "Sneaky malware has found a new playmate for local privilege escalation and sandbox escape adventures!" Of its importance, d'Antoine said, "It's the first bug that's been released at least in the last decade about performance counters in Windows."

LPE and RCE in RenderDoc, CVE-2023-33865 & CVE-2023-33864; the Qualys team; "A reliable, one-shot remote exploit against the latest glibc malloc" "I think the cool thing to shout out here is Qualys has made Pwnie nominations for at least the last five years," said d'Antoine. "They do some great work."

CS:GO: From Zero to 0-day; @neodyme; used logic bugs to RCE Counter Strike. "Why hack for money when you can hack for Internet points?" d'Antoine asked rhetorically.

"yall didn't nominate anything lmao"

"no hit pieces implying we support NSO Group this year sorry Vice."

Practically exploitable cryptographic vulnerabilities in Matrix; @martinralbrecht and @claucece; vulns in Matrix standard for federated real-time communications and especially the flagship client, Element. The two hosts seemed to exaggerate their ignorance of this category. d'Antoine ventured, "We know they're widely used software for encrypted communication," while Roos said, "We've seen it mostly about Al Qaeda."

MEGA: Malleable encryption goes awry; Matilda Backendal, Miro Haller, Prof. Dr. Kenny Paterson; "five devastating attacks which allow for user data to be decrypted and modified. Additionally, attackers have the ability to inject malicious files into the platform which the clients will still authenticate."

Video-based cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device's Power LED; Ben Nassi; "new cryptanalytic side-channel attack using the RGB values of the device's LED." Roos said, "This is a really cool one. They basically recorded an LED on a phone, and then through the RGB values, were able to cryptographically break it."

Git Init; YTCracker; "YTCracker with another banger. Title sounds like you pissed off a Brit but we get it." https://m.soundcloud.com/ytcracker/ytcracker-git-init

Clickin'; Ohm-I; "An educational and catchy beat describing a phishing attack!" https://mcohmi.bandcamp.com/track/clickin

PegaSUS; Laughing Mantis [aka Greg Linares]; "Created this beat from Pegasus spyware samples" (https://twitter.com/Laughing_Mantis) To access without a Twitter account, visit that fediverse link.

Inside Apple's Lightning: Jtagging the iPhone for Fuzzing and Profit; @ghidraninja; Thomas [Roth] developed an iPhone JTAG cable called the Tamarin Cable and a Lightning Fuzzer. https://www.youtube.com/watch?v=8p3Oi4DL0el&t=1s That video is no longer available, according to YouTube, but you can still view Roth's DEF CON 30 presentation.

Single Instruction Multiple Data Leaks in Cutting-edge CPUs, AKA Downfall; "Some google people"; "EMBARGO'd LOL" — Tuesday, Aug. 8, 2023 — will be presented at Black Hat 8/9 and Usenix 8/11. Roos noted that the embargo lifts on Tuesday and the awards are the next day, which limits the practicality of voting for it.

Rowhammer Fingerprinting; Hari Venugopalan, Kaustav Goswami, Zainul Abi Din, Jason Lowe-Power, Samuel T. King, Zubair Shafiq; Centauri — Rowhammer Fingerprinting https://arxiv.org/abs/2307.00143

LPE and RCE in RenderDoc, CVE-2023-33865 & 33864; the Qualys team; "A reliable, one-shot remote exploit against the latest glibc malloc, in 2023! Plus a fun local privilege escalation involving XDG and systemd." This is a repeat from the Best Desktop Bug category. D'Antoine said, "The days of one-shot RCEs are few and far between now, and this is one of the few that we've seen, at least this year."

Activation Context Cache Poisoning; Simon Zuckerbraun at Trend Micro; "This nomination highlights a new class of privilege escalation vulnerabilities, known as activation context cache poisoning. This technique was being actively used by an Austrian hack-for-hire group tracked by Microsoft as KNOTWEED"

Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT; Xin'an Zhou, Jiale Guan, Luyi Xing, Zhiyun Qian; "These researchers uncovered vulnerabilities that affected almost all Mobile-as-a-Gateway (MaaG) IoT devices, and created secure cryptographic protocols to help protect their users."

URB Excalibur: Slicing Through the Gordian Knot of VMware VM Escapes; @danis_jiang, @0x140ce; "This team successfully performed VM escapes across all VMware virtual machine products: Workstation, Fusion, and ESXi (within the sandbox), making it the only VMware VM escape at pwn2own last year." Roos said, "I love this because VMware escapes are really difficult, and these guys managed to find one. ... It's very hard work to do, they pulled it off – props."

Bypassing Cluster Operation in Databricks Platform; Florian Roth and Marius Bartholdy at Sec-Consult "(Shout out for nominating yourselves 12 times guys)"; "A low-privileged user was able to break the isolation between Databricks compute clusters within the boundary of the same workspace and organization by gaining remote code execution. This subsequently would have allowed an attacker to access all files and secrets in the workspace as well as escalating their privilege to those of a workspace administrator." D'Antoine advised dryly, "You're supposed to get other people to at least pretend to nominate you."

UNCONTAINED: Uncovering Container Confusion in the Linux Kernel; Jakob Koschel, Pietro Borrello, Daniele Cono D'Elia, Herbert Bos, Cristiano Giuffrida; "UNCONTAINED discovers and analyzes container confusion: a novel class of subtle type confusion bugs. Caused by the pervasive (and barely studied) introduction of object-oriented features in large C programs, for instance using the common CONTAINER_OF macro in the Linux kernel, they provide a new and fertile hunting ground for attackers and additional grief for defenders." Roos and d'Antoine remembered that members of this group won twice last year, for Best Desktop Bug and Most Innovative Research.

Unveiling Vulnerabilities in Windows Network Load Balancing: Exploring the Weaknesses; @b2ahex; CVE-2023-28240, "This vulnerability allows remote code execution without requiring any authentication."

ClamAV RCE (CVE-2023-20032); @scannell_simon; "ASLR bypass technique enabling 0 click server side exploits"

Checkmk RCE chain; @scryh_; "It all starts with a limited SSRF and ends in a full-blown RCE after chaining 5 vulnerabilities. Rather uncommon in the web world!"

Authentication Bypass in Mura CMS; Mura Software; "Mura Software claims credit for the bug disclosed to them (not by them) and charges customers $5000 to fix it." https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html. The crowd booed when Roos read the blurb out loud.

Pinduoduo or "TEMU stands for Team Up, Exploit Down"; PinDuoDuo; "Pinduoduo got knocked off the Android store for installing literal backdoors into their own app to spy on their users. After being exposed by multiple media and security companies, Pinduoduo denied all the accusations and blamed Google for taking it off the Play Store, yet quickly and silently deleted all the malicious code and disbanded the team working on it." Even CNN picked up the story.

Three Lessons from Threema: Analysis of a Secure Messenger; Threema; "Threema posted a rather cranky blog post dunking on some vulns reported by a student's masters thesis at ETH Zurich." Roos called Threema's response "punching down."

"holy ... bingle we have the nofly list"; The Transportation Security Administration; "The notorious queer anarchist hacker Maia Crimew discovered the entire TSA no fly list lying around on the internet and had the good graces to let everyone know about it." Roos asked, "Did anyone else, like, search for themselves? Did anyone find themselves? No? All right."

"I Was Sentenced to 18 Months in Prison for Hacking Back"; Jonathan Manzi; "This guy retaliated against an employee quitting by hacking and defaming him and his new employer. The wild ride concludes with the author having a come to God moment with a homeless person and some cringe metaphors about quantum mechanics. He seems relatively unrepentant and should probably be sent back." Of Manzi's blog post, d'Antoine allowed, "It's worth a read."

The disreputable ... Jonathan Scott; Jonathan Scott; "'The only reason he hasn't violated FARA is because he's probably too stupid to be a foreign agent in the first place.' – A Pwnie consultant." Roos said, "We were thinking of asking him to stop tweeting. Maybe we all should."

Found lots of 0 day; @_clem1; Clement [Lecigne] burned 33 in-the-wild 0-days since 2014 and has found 8 0-days already so far this year. D'Antoine pondered, "If you find it in the wild, I don't know if that counts as your bug or not. Finders keepers, maybe? I don't know."

Branch History Injection (BHI / Spectre-BHB); Someone at VUsec?; "The BHI / Spectre-BHB research by VUsec showed one can microarchitecturally tamper with the Branch History Buffer (rather than the Branch Target Buffer) to still leak arbitrary kernel memory from unprivileged user using a Spectre v2-style attack."

Compromise of the whole PHP supply chain, twice; @swapgs; "Pwning Composer which serves 2 billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers." https://www.sonarsource.com/blog/securing-developer-tools-a-new-supply-chain-attack-on-php/