‘Will it Blend?’ Earns Pwnie For Best Client Bug; OPM for Most Epic Fail

Pwnie Awards continue to celebrate the best bug discoveries and worst security fails.

Rutrell Yasin, Freelance Writer

August 6, 2015

5 Min Read
Pwnie judges at the awards dinnerImage Source: Black Hat Events

BLACK HAT USA -- Las Vegas -- For the ninth consecutive year, the security community celebrated its best bug discoveries and worst security fails at the 2015 Pwnie Awards Wednesday evening at the Black Hat conference. Once again, amidst nerdy security-themed music and a touch of good-natured irreverence, The Pwnies were awarded by an esteemed panel of security researchers: Justine Bone, Dino dai Zovi, Brandon Edwards, Travis Goodspeed, Chris Valasek and newbie to the judging this year, Chris Miller.

The winners are:

Best Server-Side Bug: The Heartbleed bug dominated this category last year and headlines throughout 2014. This years’ winner is SAP LZC LZH Compression Multiple Vulnerabilities.  Credited to Martin Gallo, the bug affected SAP products, which use a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. “Basically a single bug that pwns almost ALL SAP products and services.”

Best Client–Side Bug:  Will it BLEND? is credited to Mateusz j00ru Jurczyk. The "BLEND" opcode font bug was in a shared code base used both in Adobe Reader font renderer and Microsoft Windows Kernel (32-bit) font renderer. It allowed both to get code execution in Adobe Reader using a font embedded in a PDF file, and to later escape the sandbox and get SYSTEM rights by exploiting the exact same bug in the shared codebase in the Windows Kernel.

Best Privilege Escalation Bug:  After extensive discussion and champagne the judges decided they wanted to stick with the bug instead of the larger research class it might belong to for this category, Justine Bone said. With that said, this years’ winner is UEFI SMM by Corey Kallenberg and his team at Mitre Corp.  Firmware update code in the open source UEFI reference implementation was identified as containing several vulnerabilities last year. Successful exploitation resulted in the ability for a privileged ring 3 process to stage a payload in the context of the firmware and then invoke and exploit the vulnerable UEFI firmware update code.

Most Innovative Research: Imperfect Forward Secrecy (Logjam) by David Adrian and team. Or you might call this one “How Diffie-Hellman Fails in Practice.”  This paper introduces the Logjam attack, a vulnerability that allows a man-in-the-middle attacker to downgrade TLS connections to 512-bit export-grade Diffie-Hellman and recover the session keys. The paper then goes on to make a convincing case that the NSA is already doing this for 1024-bit Diffie-Hellman. If so, it would allow the agency to passively eavesdrop on about half of encrypted VPN and SSH. Hey, it beat out Threatbutt’s Advanced Enterprise Platform, a paper on threat intelligence and cyber detection.

Lamest Vendor Response: BlueCoat.The bluecoats are coming! The bluecoats are coming! ... for your talk.  BlueCoat, the web proxy hardware of choice for silently intercepting and blocking SSL traffic, tried to silently intercept and block security research. Raphaël Rigo was to present his research on the internals of BlueCoat's ProxySG operating system at SyScan this year, but BlueCoat blocked it. This sparked an outrage among well-known CISOs, who refused to spend their budget on the company while security researchers on Twitter reacted more diplomatically. A Bluecoat employee did accept the award with the best response of the night. “I was on vacation when that happened.”

Most Overhyped Bug: Shellshock credited to Stephane Chazelas. An old but recently discovered flaw in Unix-like operating systems that’s widespread, difficult to patch and not too hard to exploit

Most Epic Fail: The U.S Office of Personnel Management, victim of a major hacking campaign that targeted OPM systems. Oh, please... Man!  The result:  more than 22 million people inside and outside government likely had their personal information stolen, five times larger than what OPM initially reported. Investigators ultimately determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen and 1.8 million relatives and other associates had information taken.USA #1 in awful federal data breaches.

Most Epic 0wnage: Hacking Team, China (maybe). 0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

Best Song:  "Clean Slate" by YTCracker.YTCracker brings the cheese with an 80s synth cyberpunk feel, telling a tale from the perspective of a hacker seeking a clean slate to escape his dark surroundings.”

Life Achievement:  Thomas Dullien, aka, Halvar Flake, a guru in the area of reverse re-engineering. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at renowned security conferences such as RSA, BlackHat Briefings, and CanSecWest.  Halvar founded Zynamics in 2004 in order to further research into the automation of reverse engineering.  The company was acquired by Google in 2011.  Winning the Life Achievement Award means Halvar is no longer eligible to win a Pnwie, but the great thing is now he can be a judge.

Black Hat USA is happening! Check it out here.

Read more about:

Black Hat News

About the Author(s)

Rutrell Yasin

Freelance Writer

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the mainframe; the growing popularity of midrange and Unix-based computers; the advent of the personal computer; client/server computing; the merger of network and systems management; and the growing importance of information security. His stories have appeared in leading trade publications, including MIS Week, The Report on IBM, CommunicationsWeek, InternetWeek, Federal Computer Week, and Government Computer News. His focus in recent years has been on documenting the rise and adoption of cloud computing and big-data analytics. He has a keen interest in writing stories that show how technology can help spur innovation, make city streets and buildings safer, or even save lives.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights