Meet the Finalists for the 2023 Pwnie Awards
With Black Hat USA 2023 looming, it’s time to start thinking about the Oscars of cybersecurity, the Pwnie Awards. The statuettes will be handed out live in Las Vegas on Wednesday, Aug. 9, at 6:30 pm – with the exception of this year’s Lifetime Achievement Pwnie, which was awarded at the Summercon hackers’ meetup in Brooklyn, New York on July 14, when the other nominees were announced.
Margin Research’s Sophia d’Antoine and Ian Roos presented the nominees. Roos said of the over 80 nominations and 30 finalists, “All those have research papers attached to them, so if you feel like we didn’t do an effective job of characterizing how important your special bug was, it’s because we didn’t.”
Now onto the nominees, in list format for brevity. First comes the name of the bug; then the nominee; and then a brief explanation of what it is, all separated by semicolons. Where it exists, commentary appears at the end of the bullet item.
Best Desktop Bug
- CountExposure; @b2ahex; CVE-2022-22036, “Sneaky malware has found a new playmate for local privilege escalation and sandbox escape adventures!” Of its importance, d’Antoine said, “It’s the first bug that’s been released at least in the last decade about performance counters in Windows.”
- LPE and RCE in RenderDoc, CVE-2023-33865 & CVE-2023-33864; the Qualys team; “A reliable, one-shot remote exploit against the latest glibc malloc.” “I think the cool thing to shout out here is Qualys has made Pwnie nominations for at least the last five years,” said d’Antoine. “They do some great work.”
- CS:GO: From Zero to 0-day; @neodyme; used logic bugs to get RCE in Counter-Strike. “Why hack for money when you can hack for Internet points?” d’Antoine asked rhetorically.
Best Mobile Bug (Lol RIP)
For this category, the spreadsheet had two entries:
- “yall didn’t nominate anything lmao”
- “no hit pieces implying we support NSO Group this year sorry Vice.”
The first entry is pretty clear. As d’Antoine explained, “Over the last few years, we’ve seen a decrease in the amount of bugs nominated for the Pwnie Awards, but also just publicized online, related to mobile specifically.”
The second is more cryptic. It apparently alludes to this Vice article from 2022, as the writer of that piece pointed out from what looks like the fifth row at Summercon. One might have to squint to see this as implying a favorable opinion of NSO Group, though.
Best Cryptographic Attack
- Practically exploitable cryptographic vulnerabilities in Matrix; @martinralbrecht and @claucece; vulns in Matrix standard for federated real-time communications and especially the flagship client, Element. The two hosts seemed to exaggerate their ignorance of this category. d’Antoine ventured, “We know they’re widely used software for encrypted communication,” while Roos said, “We’ve seen it mostly about Al Qaeda.”
- MEGA: Malleable encryption goes awry; Matilda Backendal, Miro Haller, Prof. Dr. Kenny Paterson; “five devastating attacks which allow for user data to be decrypted and modified. Additionally, attackers have the ability to inject malicious files into the platform which the clients will still authenticate.”
- Video-based cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED; Ben Nassi; “new cryptanalytic side-channel attack using the RGB values of the device’s LED.” Roos said, “This is a really cool one. They basically recorded an LED on a phone, and then through the RGB values, were able to cryptographically break it.”
Best Song
Roos apologized for not having the time to play the songs, then offered to beatbox them before demurring, “I know I’m dressed for the part, but it’s not going to deliver.”
“Shout out to Hugo [Fortier] from Recon for taking the time to submit, like, 10 songs in this category,” d’Antoine said. “It takes the community to make the Pwnie Awards happen.”
Most Innovative Research
As Roos pointed out, “A lot of these were from Recon as well.”
- Inside Apple’s Lightning: Jtagging the iPhone for Fuzzing and Profit; @ghidraninja; Thomas [Roth] developed an iPhone JTAG cable called the Tamarin Cable and a Lightning Fuzzer. https://www.youtube.com/watch?v=8p3Oi4DL0el&t=1s That video is no longer available, according to YouTube, but you can still view Roth’s DEF CON 30 presentation.
- Single Instruction Multiple Data Leaks in Cutting-edge CPUs, AKA Downfall; “Some google people”; “EMBARGO’d LOL” until Tuesday, Aug. 8, 2023; to be presented at Black Hat on Aug. 9 and at USENIX on Aug. 11. Roos noted that the embargo lifts on Tuesday and the awards are the next day, which limits the practicality of voting for it.
- Rowhammer Fingerprinting; Hari Venugopalan, Kaustav Goswami, Zainul Abi Din, Jason Lowe-Power, Samuel T. King, Zubair Shafiq; Centauri — Rowhammer Fingerprinting https://arxiv.org/abs/2307.00143
Most Under-Hyped Research
- LPE and RCE in RenderDoc, CVE-2023-33865 & CVE-2023-33864; the Qualys team; “A reliable, one-shot remote exploit against the latest glibc malloc, in 2023! Plus a fun local privilege escalation involving XDG and systemd.” This is a repeat from the Best Desktop Bug category. D’Antoine said, “The days of one-shot RCEs are few and far between now, and this is one of the few that we’ve seen, at least this year.”
- Activation Context Cache Poisoning; Simon Zuckerbraun at Trend Micro; “This nomination highlights a new class of privilege escalation vulnerabilities, known as activation context cache poisoning. This technique was being actively used by an Austrian hack-for-hire group tracked by Microsoft as KNOTWEED.”
- Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT; Xin’an Zhou, Jiale Guan, Luyi Xing, Zhiyun Qian; “These researchers uncovered vulnerabilities that affected almost all Mobile-as-a-Gateway (MaaG) IoT devices, and created secure cryptographic protocols to help protect their users.”
Best Privilege Escalation
- URB Excalibur: Slicing Through the Gordian Knot of VMware VM Escapes; @danis_jiang, @0x140ce; “This team successfully performed VM escapes across all VMware virtual machine products: Workstation, Fusion, and ESXi (within the sandbox), making it the only VMware VM escape at pwn2own last year.” Roos said, “I love this because VMware escapes are really difficult, and these guys managed to find one. … It’s very hard work to do, they pulled it off – props.”
- Bypassing Cluster Operation in Databricks Platform; Florian Roth and Marius Bartholdy at Sec-Consult “(Shout out for nominating yourselves 12 times guys)”; “A low-privileged user was able to break the isolation between Databricks compute clusters within the boundary of the same workspace and organization by gaining remote code execution. This subsequently would have allowed an attacker to access all files and secrets in the workspace as well as escalating their privilege to those of a workspace administrator.” D’Antoine advised dryly, “You’re supposed to get other people to at least pretend to nominate you.”
- UNCONTAINED: Uncovering Container Confusion in the Linux Kernel; Jakob Koschel, Pietro Borrello, Daniele Cono D’Elia, Herbert Bos, Cristiano Giuffrida; “UNCONTAINED discovers and analyzes container confusion: a novel class of subtle type confusion bugs. Caused by the pervasive (and barely studied) introduction of object-oriented features in large C programs, for instance using the common CONTAINER_OF macro in the Linux kernel, they provide a new and fertile hunting ground for attackers and additional grief for defenders.” Roos and d’Antoine remembered that members of this group won twice last year, for Best Desktop Bug and Most Innovative Research.
Best Remote Code Execution
- Unveiling Vulnerabilities in Windows Network Load Balancing: Exploring the Weaknesses; @b2ahex; CVE-2023-28240, “This vulnerability allows remote code execution without requiring any authentication.”
- ClamAV RCE (CVE-2023-20032); @scannell_simon; “ASLR bypass technique enabling 0 click server side exploits.”
- Checkmk RCE chain; @scryh_; “It all starts with a limited SSRF and ends in a full-blown RCE after chaining 5 vulnerabilities. Rather uncommon in the web world!”
Lamest Vendor
- Authentication Bypass in Mura CMS; Mura Software; “Mura Software claims credit for the bug disclosed to them (not by them) and charges customers $5000 to fix it.” https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html. The crowd booed when Roos read the blurb out loud.
- Pinduoduo or “TEMU stands for Team Up, Exploit Down”; PinDuoDuo; “Pinduoduo got knocked off the Android store for installing literal backdoors into their own app to spy on their users. After being exposed by multiple media and security companies, Pinduoduo denied all the accusations and blamed Google for taking it off the Play Store, yet quickly and silently deleted all the malicious code and disbanded the team working on it.” Even CNN picked up the story.
- Three Lessons from Threema: Analysis of a Secure Messenger; Threema; “Threema posted a rather cranky blog post dunking on some vulns reported by a student’s masters thesis at ETH Zurich.” Roos called Threema’s response “punching down.”
Most Epic Fail
- “holy … bingle we have the nofly list”; The Transportation Security Administration; “The notorious queer anarchist hacker Maia Crimew discovered the entire TSA no fly list lying around on the internet and had the good graces to let everyone know about it.” Roos asked, “Did anyone else, like, search for themselves? Did anyone find themselves? No? All right.”
- “I Was Sentenced to 18 Months in Prison for Hacking Back”; Jonathan Manzi; “This guy retaliated against an employee quitting by hacking and defaming him and his new employer. The wild ride concludes with the author having a come to God moment with a homeless person and some cringe metaphors about quantum mechanics. He seems relatively unrepentant and should probably be sent back.” Of Manzi’s blog post, d’Antoine allowed, “It’s worth a read.”
- The disreputable … Jonathan Scott; Jonathan Scott; “‘The only reason he hasn’t violated FARA is because he’s probably too stupid to be a foreign agent in the first place.’ – A Pwnie consultant.” Roos said, “We were thinking of asking him to stop tweeting. Maybe we all should.”
Epic Achievement
- Found lots of 0 day; @_clem1; Clement [Lecigne] burned 33 in-the-wild 0-days since 2014 and has found 8 0-days already so far this year. D’Antoine pondered, “If you find it in the wild, I don’t know if that counts as your bug or not. Finders keepers, maybe? I don’t know.”
- Branch History Injection (BHI / Spectre-BHB); Someone at VUsec?; “The BHI / Spectre-BHB research by VUsec showed one can microarchitecturally tamper with the Branch History Buffer (rather than the Branch Target Buffer) to still leak arbitrary kernel memory from unprivileged user using a Spectre v2-style attack.”
- Compromise of the whole PHP supply chain, twice; @swapgs; “Pwning Composer which serves 2 billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers.” https://www.sonarsource.com/blog/securing-developer-tools-a-new-supply-chain-attack-on-php/
Lifetime Achievement Award Winner: Mudge
Last year, the team presented an extra statuette to Dino Dai Zovi, founder of the Pwnie Awards, as the ceremony’s first lifetime achievement award. “We decided we’re going to keep doing that,” Roos said in Brooklyn last week. “If you haven’t already guessed, we’re going to give the 2023 Lifetime Achievement Award for the Pwnie Awards to Mudge. Where’s Mudge? Is he in the green room?”
D’Antoine added, “We know he’s here.”
After a few moments, Mudge — sometimes called Peiter Zatko, the L0pht hacker who grew up to work for DARPA, Google, Stripe, and, most notoriously, Twitter, before accepting his current role at Rapid7 — came out from backstage, wearing a short-sleeve raglan tee and black jeans.
Roos said, “This is a lifetime achievement award for everything you’ve done to create the industry and put it into a place where it exists and it’s real. So, thank you.”
Mudge hugged Roos, then held up his Pwnie and said (off mic) “Thank you.”
On mic, Mudge said, “It’s the community, and it’s everybody else who’s enabled all of this, and I love this community. This means a lot to me. … You’ve always been there, and I hope I’ve been there for you.”