Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:36 AM
Connect Directly

Will it Blend? Earns Pwnie For Best Client Bug; OPM for Most Epic Fail

Pwnie Awards continue to celebrate the best bug discoveries and worst security fails.

BLACK HAT USA -- Las Vegas -- For the ninth consecutive year, the security community celebrated its best bug discoveries and worst security fails at the 2015 Pwnie Awards Wednesday evening at the Black Hat conference. Once again, amidst nerdy security-themed music and a touch of good-natured irreverence, The Pwnies were awarded by an esteemed panel of security researchers: Justine Bone, Dino dai Zovi, Brandon Edwards, Travis Goodspeed, Chris Valasek and newbie to the judging this year, Chris Miller.

Pwnie judges at the awards dinner 
Image Source: Black Hat Events
Pwnie judges at the awards dinner
Image Source: Black Hat Events

The winners are:

Best Server-Side Bug: The Heartbleed bug dominated this category last year and headlines throughout 2014. This years’ winner is SAP LZC LZH Compression Multiple Vulnerabilities.  Credited to Martin Gallo, the bug affected SAP products, which use a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. “Basically a single bug that pwns almost ALL SAP products and services.”

Best Client–Side Bug:  Will it BLEND? is credited to Mateusz j00ru Jurczyk. The "BLEND" opcode font bug was in a shared code base used both in Adobe Reader font renderer and Microsoft Windows Kernel (32-bit) font renderer. It allowed both to get code execution in Adobe Reader using a font embedded in a PDF file, and to later escape the sandbox and get SYSTEM rights by exploiting the exact same bug in the shared codebase in the Windows Kernel.

Best Privilege Escalation Bug:  After extensive discussion and champagne the judges decided they wanted to stick with the bug instead of the larger research class it might belong to for this category, Justine Bone said. With that said, this years’ winner is UEFI SMM by Corey Kallenberg and his team at Mitre Corp.  Firmware update code in the open source UEFI reference implementation was identified as containing several vulnerabilities last year. Successful exploitation resulted in the ability for a privileged ring 3 process to stage a payload in the context of the firmware and then invoke and exploit the vulnerable UEFI firmware update code.

Most Innovative Research: Imperfect Forward Secrecy (Logjam) by David Adrian and team. Or you might call this one “How Diffie-Hellman Fails in Practice.”  This paper introduces the Logjam attack, a vulnerability that allows a man-in-the-middle attacker to downgrade TLS connections to 512-bit export-grade Diffie-Hellman and recover the session keys. The paper then goes on to make a convincing case that the NSA is already doing this for 1024-bit Diffie-Hellman. If so, it would allow the agency to passively eavesdrop on about half of encrypted VPN and SSH. Hey, it beat out Threatbutt’s Advanced Enterprise Platform, a paper on threat intelligence and cyber detection.

Lamest Vendor Response: BlueCoat.The bluecoats are coming! The bluecoats are coming! ... for your talk.  BlueCoat, the web proxy hardware of choice for silently intercepting and blocking SSL traffic, tried to silently intercept and block security research. Raphaël Rigo was to present his research on the internals of BlueCoat's ProxySG operating system at SyScan this year, but BlueCoat blocked it. This sparked an outrage among well-known CISOs, who refused to spend their budget on the company while security researchers on Twitter reacted more diplomatically. A Bluecoat employee did accept the award with the best response of the night. “I was on vacation when that happened.”

Most Overhyped Bug: Shellshock credited to Stephane Chazelas. An old but recently discovered flaw in Unix-like operating systems that’s widespread, difficult to patch and not too hard to exploit

Most Epic Fail: The U.S Office of Personnel Management, victim of a major hacking campaign that targeted OPM systems. Oh, please... Man!  The result:  more than 22 million people inside and outside government likely had their personal information stolen, five times larger than what OPM initially reported. Investigators ultimately determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen and 1.8 million relatives and other associates had information taken.USA #1 in awful federal data breaches.

Most Epic 0wnage: Hacking Team, China (maybe). 0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

Best Song:  "Clean Slate" by YTCracker.YTCracker brings the cheese with an 80s synth cyberpunk feel, telling a tale from the perspective of a hacker seeking a clean slate to escape his dark surroundings.”

Life Achievement:  Thomas Dullien, aka, Halvar Flake, a guru in the area of reverse re-engineering. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at renowned security conferences such as RSA, BlackHat Briefings, and CanSecWest.  Halvar founded Zynamics in 2004 in order to further research into the automation of reverse engineering.  The company was acquired by Google in 2011.  Winning the Life Achievement Award means Halvar is no longer eligible to win a Pnwie, but the great thing is now he can be a judge.

Black Hat USA is happening! Check it out here.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
PUBLISHED: 2019-09-22
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.