July 22, 2018

Black Hat: The Pwnies 2011 Security Award Winners

(LiveHacking.Com) – This year’s Pwnie Awards were handed out during the Black Hat USA security conference in Las Vegas. The annual awards ceremony celebrates the achievements and failures of security researchers and the security community.

The award for the Best Server-Side Bug went to Juliano Rizzo and Thai Duong – Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.

The Pwnie for Best Client-Side Bug was awarded to Comex – Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted on jailbreakme.com and was successfully used by thousands of people to jailbreak their iOS devices.

The Best Privilege Escalation Bug went to Tarjei Mandt – In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In his presentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.

The Most Innovative Research Pwnie went to Piotr Bania – To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that’s deserving of respect.

And finally, the Lamest Vendor Response was awarded to RSA – They got hacked, their SecurID tokens were totally compromised, and they basically passed it off as a non-event and advised customers that replacing the tokens is not necessary … until Lockheed Martin got attacked because of them.