2017 Pwnie Awards: Who Won, Lost, and Pwned
Security pros corralled the best and worst of cybersecurity into an award show highlighting exploits, bugs, achievements, and attacks from the past year.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt19745c156c71827f/64f0d88dfcc9b93917a95f77/pwnie-intro.png?width=700&auto=webp&quality=80&disable=upscale)
Each year, security experts gather to celebrate the achievements and failures of security researchers and the broader infosec community during the Pwnie awards. This year's ceremony once again took place during the Black Hat USA conference in Las Vegas.
The show's committee accepted nominations for bugs disclosed over the past year, from June 2, 2016 through May 31, 2017. Nominees are judged by a panel of respected security researchers, which according to its website is "the closest to a jury of peers a likely to ever get."
Winners were announced the week of Black Hat during an informal (and hilarious) ceremony hosted by judges and infosec pros Travis Goodspeed, Charlie Miller, Brandon Edwards, Katie Moussouris, and Dino Dai Zovi.
Winners in attendance were honored with "Pwnie" statues; some recipients, like Australian Prime Minister Malcolm Turnbull and the Shadow Brokers, were obviously absent.
The 2017 show included award categories ranging from Best Cryptographic Attack to Best Server-Side Bug to Lamest Vendor Response. Who were this year's winners? Take a look to find out.
The award for the most technically sophisticated and interesting server-side bug went to these vulnerabilities, which enable remote command execution on machines running the SMB protocol. The bugs surfaced when the Shadow Brokers dumped exploits allegedly belonging to the NSA, leaving various system versions and functions vulnerable.
They have since been used in multiple ransomware attacks, driving Microsoft to release fixes for now-unsupported systems like Windows XP.
Hanson, Li, Sun, and "unknown hackers" were acknowledged for discovering and exploiting server-side bug Microsoft Office OLE2Link URL Moniker/Script Moniker (CVE-2017-0199).
Researchers found two distinct flaws in how Office handles linked OLE objects, both of which are included in CVE-2017-0199. The first related to the URL Moniker, which can be used to load arbitrary payloads through OLE (and RTF) documents. The other related to the Script Moniker, which can be abused in PPT documents using custom actions.
The timing of the flaws was interesting: at least three different people discovered them around the same time. All were effective in bypassing memory-based attack mitigations in Windows 10 and Office 2016, and since their publication they have become widely used by other pentesters and blackhats.
Microsoft has issued a patch, but Li and Sun have stated it may not provide full protection, and exploits could still be possible via third-party controls.
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms was awarded the Pwnie for the most sophisticated privilege escalation vulnerability, with credit going to Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida.
Millions of Android devices were considered vulnerable after Drammer exploited the Rowhammer hardware vulnerability. Attackers could take over a victim's device by hiding the bug in a malicious app that required no permissions. Drammer was the first Android root exploit that didn't rely on a software vulnerability.
The Pwnie for the most impactful cryptographic attack went to the team responsible for creating the first known collision for the full SHA-1 internet security standard. The researchers created two different PDF documents that produce the same SHA-1 hash. Their technique was roughly 100k times faster than the brute-force birthday-paradox attack, making the collision practical for well-funded attackers.
While presenters credited "Nimrod Aviram et al" on the winning slide, Aviram said in a tweet he was not involved in the project - though he does call SHAttered a "very cool and deserved winner."
According to the Pwnie nomination page, credit should go to Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov.
A backdoor in M.E.Doc accounting software allegedly fueled NotPetya, the malware outbreak that hit global PCs in June. The software is primarily used in Ukraine, where accountants who installed a software update unknowingly exposed their machines to the attack.
The backdoor used M.E.Doc servers for command and control and was delivered through the software to the Ukrainian companies that use it. While most victims of the attack were Ukrainian, NotPetya also hit businesses around the world working with Ukrainian companies.
There hasn't been official attribution for M.E.Doc, but the Pwnies gave credit to "Totally Not Russia."
Atlassian took the Best Branding Pwnie for the GhostButt vulnerability (CVE-2017-8291). The exploit "has it all," its nomination reads: "a website, clever logo, made even cleverer by having the logo be the exploit and, of course, the use of the -butt suffix. It doesn't have an online store, but(t) it does have a song."
The Pwnie for "something so truly epic that we couldn't possibly have predicted it" went to Federico Bento for driving fixes for the exploits made possible by an ioctl named TIOCSTI. Security researchers have been documenting exploits based on TIOCSTI for years.
TIOCSTI makes it easy for unprivileged users to inject characters into the terminal's input buffer, which enables unprivileged-to-privileged escapes. Bento reported a series of vulnerabilities based on TIOCSTI. As a result, OpenBSD, SELinux, Android, and grsecurity have begun to block, restrict, or remove its use.
Pwnie recipients Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida were acknowledged for their research on ASLR, which exploit writers have been working to defeat for years.
Usually, defeating ASLR involves finding a soon-to-be-patched memory disclosure bug, a difficult process that has to be repeated for each version, browser, plugin, etc. This team created a universal ASLR bypass based on the timing of cached memory accesses.
The bypass "works using Javascript in most browsers by default and isn't really something you can fix very easy," its nomination reads.
The Pwnie for "most spectacularly" mishandling a security vulnerability went to Lennart Poettering for SystemD bugs 5998, 6225, 6214, 5144, and 6237.
Its nomination reads: "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message. But CVEs aren't really our currency anymore, and only the lamest of vendors gets a Pwnie!"
Cryptsetup bug CVE-2016-4484 won the Pwnie for the most over-hyped vulnerability. The flaw was in the way cryptsetup unlocks LUKS-encrypted partitions, giving attackers with physical access an initrd shell. This would let them load an alternate OS or delete data, and may be a problem for devices like ATMs or kiosks.
However, it wasn't a big deal for most machines because it required physical access and didn't give attackers a real shell. It was still covered in Threatpost and Slashdot, where commenters figured out this wasn't a major problem.
Australian Prime Minister Malcolm Turnbull stole the show's most epic fail for the time he challenged the laws of mathematics during a legislative effort to force vendors to give away the plaintext of encrypted messages. With properly implemented crypto, vendors could not simply decrypt the data - an idea Turnbull opposed.
When confronted with this, he replied: "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
The Pwnie's lifetime achievement award goes to Felix "FX" Lindner, a vulnerability researcher, reverse engineer, security architect, and CISSP who has been presenting at Black Hat and various security conferences since 2001. Aside from security, he's also a computer scientist skilled in telecommunications and software development.