The Right Honorable Pwnies Judiciary Committee does herewith set forth the following 2019 PWNIES AWARD NOMINATIONS for your perusal and the enablement of the SACRED ANNUAL PWNIES VOTING CEREMONY (candles and Eyes Wide Shut masks not provided).
pwnie for best server-side bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Credit: Orange Tsai, Mikhail Egorov, George Noseevich
It’s hard to believe that there hasn’t been a pre-auth RCE in Jenkins since 2017. But that was true, until Orange Tsai chained several bugs and abused the Groovy metaprogramming to get code execution.
Mikhail Egorov and George Noseevich improved and simplified the exploit with higher level entry points and a sandbox escape.
Because it’s easy to use, there are several crypto miner bots spreading via this bug.
Pulse Secure SSL VPN (and others!)
Credit: Orange Tsai & Meh Chang
Pulse Secure is apparently a leading SSL VPN vendor. Its SSL VPN was used by Twitter, Uber, Microsoft, Tesla, SpaceX, probably that weird flamethrower company Elon Musk started, Akamai, Intel, IBM, VMware, the US Navy, the Department of Homeland Security, and, like, half of all Fortune 500 companies.
Orange Tsai and Meh Chang broke other SSL VPNs, and those breaks were nominated too, and so for the purposes of voting, we think you should just take this as “Orange Tsai and Meh Chang broke most of the SSL VPNs”.
Credit: Qualys Security Advisory Team
The Return of the WIZard: RCE in Exim: a non-memory-corruption RCE flaw in C code, in 2019. And just like in the 90s, it takes a whole week for the exploit to finish.
Xiongmai IP Cameras
Credit: Stefan Viehböck
Millions of Xiongmai XMeye P2P cloud IP cameras can easily be hacked via multiple security issues. Default creds chained with unsigned firmware updates led to millions of webcams becoming vulnerable to complete takeover.
Waking up to find millions of Windows hosts vulnerable to a pre-auth UAF vulnerability can make you feel like you’re back in the aughts, or at least back in 2017 (thanks, Shadowbrokers!).
Instead of being shocked and horrified that SMB servers are still internet exposed and vulnerable, this trip down memory lane has us strolling through RDP.
WordPress Path Traversal
Credit: Simon Scannell
Chained WordPress path traversal and local file include vulnerabilities, involving the old “graphics image with PHP inside”, leads to a (post-auth) RCE that’s been present in WordPress core for 6 years.
pwnie for best client-side bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
A Very Bad WhatsApp Vulnerability That Shall Remain Nameless Because Nobody Named It
Credit: Natalie Silvanovich
Given the ubiquity of WhatsApp, good WhatsApp remotes are nearly the mobile-phone equivalent of SSH remotes - just with a larger, more vulnerable and more poorly audited codebase (and one partially based on irregularly maintained open-source libraries). Natalie slogged through the pain to get a testing setup, and then found this bug.
A More Different WhatsApp Vulnerability That EFF Announced In May
Credit: Nobody’s Saying Openly
They say that the true test of a bug is whether it is actually useful and productionizable. This particular bug was apparently used in the wild. Given that WhatsApp is probably the most widely-used messenger worldwide, we’re looking at the thing that every attacker dreams of: Just get the phone number of a target & compromise their phone at distance.
The Horrible Facetime Group Messaging Bug
Credit: Grant Thompson & Daven Morris
There is a famous quote that some people in our community yell at exploit developers after they have spent three weeks on an exploit: ‘JUST FIND A BETTER BUG’. Exploiting this issue required no heap manipulation, or even understanding what a CPU or a buffer is. And it reminded us all: 100% reliability and ease-of-exploitation is usually in logic bugs.
Don’t look up how old Grant Thompson was when he found this. It’ll make you insecure.
Chrome Skia Convexity
Credit: Ivan Fratric
Many seasoned memory corruption veterans have a jaded air about them. They have seen it all, and truly innovative new avenues for finding and generating memory corruptions are rare. After 20 years of finding the same ‘memcpy-with-attacker-specified-unchecked-length’ bugs, a certain fatigue can set in.
At the same time, even hardened C standard nerds shy away from the insanity that is modern floating point math. Vulnerability hunters avoid FP math, since it rarely ends up influencing memory accesses anyhow.
Ivan’s bugs highlight this blind spot: They show that modern high-speed geometry rendering leads to floating-point arithmetic dictating memory writes, and that nobody really understands error propagation for floating points well enough to use them safely. Also, they led to the most aesthetically pleasing exploit write-up in recent years, and showed that geometric concepts such as ‘convexity’ are not entirely useless to the vulnerability researcher.
pwnie for best privilege escalation bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Windows UAF in CreateWindowEx, disclosed by Kaspersky, which claimed that exploitation had been detected in the wild. What’s more fun than a Windows privilege escalation that is triggered by calling the Windows function used to actually create windows?
runc container escape (CVE-2019-5736)
Credit: Borys Poplawski, Adam Iwaniuk
Out-of-container file descriptor access of the runc program executable path via procfs, allowing escalation from the container by overwriting the underlying node’s runc binary. One constraint of this vulnerability is that exploitation requires runc to be called to execute a program inside a compromised container instance, a behavior which is only frequent in environments with orchestrators like Kubernetes.
These environments are also known as “production”.
A UAF in CFPrefsDaemon on iOS, which resulted from a reference count issue handling XPC requests, can be exploited to escalate to root as part of a chain for a jailbreak.
Like many good local privilege escalations, this bug appears to also have the potential for maintaining persistence across reboots.
Adding to the excitement, according to Project Zero, this bug was exploited in the wild.
This type confusion bug in the Linux kernel TCP stack for Android was exploitable as a universal root across nine different Android devices, providing a means for escalating privileges unobstructed by any mitigations.
Credit: Qualys Security Advisory Team
The combination of a heap-based memory disclosure with stack pointer manipulation via alloca() allows for exploiting systemd’s logging process, systemd-journald, to escalate to root. In the corny fashion that the industry continues to embrace, this vulnerability was branded in an effort to promote it: “System Down”. You can have the name, Qualys, but we’re not putting it in the nomination title.
tmpreaper race (CVE-2019-3461)
tmpreaper is a tool that cleans files in /tmp that haven’t been touched in a while. During its operation, tmpreaper employed a shifty hack to determine if a directory is a bind mount by inspecting the error of attempting to move the directory within itself. This introduced a race condition, which if won, allowed an attacker to place a file anywhere on the file system, such as in a cron job directory, where it would later be executed as root.
Credit: Qixun Zhao (@S0rryMybad)
This iOS kernel UAF vulnerability affecting ipc_voucher was directly reachable from Safari, and was used to achieve a jailbreak in order to win the TianfuCup hacking contest.
pwnie for best cryptographic attack
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.
“Johnny, You’re Fired”
Credit: The Deadly RUB/Münster Email Assassination Squad, Plus Hanno Böck
Encrypted email doesn’t work, and needs to die. PGP doesn’t work, and needs to die. S/MIME doesn’t work, and needs to die. Like out-of-towners holed up with a rifle in a cellar surrounded by the living dead, these researchers keep making kills, and their kills keep coming back to life.
Last year it was EFail, which (ignore anything the PGP advocates say about this) utterly and hilariously broke the confidentiality of PGP encrypted email. This year it’s Johnny, an attack on PGP and S/MIME signatures: the Ruhr team can trick you into believing you’re fired, or would be able to if anyone’s boss in the entire world ever used PGP and any employee ever checked a PGP signature.
But don’t let our jaded attitude mislead you: this is excellent research, a guided tour through everything that can go wrong with a signature system, from canonicalization to PGP’s ludicrous text-based “status line” “API” to email plugin UIs. With any luck, and the right silver alloy for RUB’s rifle shells, PGP won’t matter for much longer. But knowing how to break dumb signature schemes? That’s a gift that’ll keep on giving for years to come.
“An ice-cold Boot to break BitLocker”
Credit: Olle Segerdahl & Pasi Saarinen
The argument against voting for an attack that broke Bitlocker, and probably most other full disk encryption schemes: there’s barely any cryptography involved.
The argument for it: it broke Bitlocker, and probably most other full disk encryption schemes. Sometimes, the best way to break cryptosystems is to sidestep them.
So your vote here is another classic Pwnies epistemological challenge: what is a crypto Pwnie? What does it all mean? You can’t go wrong either way on this one.
“Scalable Scanning And Automatic Classification Of TLS Padding Oracles”
Credit: RUB, Tel Aviv, and Craig Young.
We at the Pwnies would dearly like to declare the era of the performatively recognized CBC padding oracle to be over, and to raise the metaphorical bar for real-world crypto attacks to “something more interesting than another damned padding oracle”.
This paper shows why we can’t do that and why we will be writing floridly about the most played out vulnerability in cryptography for the foreseeable future.
The lesson here might be profound (we’re making this up as we go along, bear with us): there’s a difference between knowing a crypto vulnerability exists — or even how it works — and actually being able to find and exploit it in the wild. The world is full of people who can talk about vulnerabilities but can’t break real systems.
So, while we’ve known about TLS CBC padding oracles for over a decade, it says something when a report manages to disclose new ones in high-profile targets like F5, Citrix, and even OpenSSL. Really, the scanning and analysis work this team did, not to mention the blood they left on the floor, gets to the essence of what the Pwnies seek to honor in cryptographic research.
“My Name Is [long German name] And I Can Prove It”
Credit: Wolfgang Ettlinger (@ettisan)
The German National ID card uses SAML.
The thing you need to know about SAML is it uses XML signatures, which count as possibly one of the three worst cryptographic data formats in the history of human endeavor. Or, to put a finer point on it: nobody has ever conclusively assessed the security of SAML, nobody ever will, and any use of SAML that doesn’t look perfectly identical to what an Okta IdP does to sign you into Slack is probably crawling with game-over bugs.
The German National ID scheme is not perfectly identical to what Okta does to get you into Slack. Things did not go well.
\m/ Dr4g0nbl00d \m/
Credit: Mathy Vanhoef and Eyal Ronen
There’s a backstory on this bug, which recovers passwords from WPA3 handshakes.
The WPA3 handshake relies on a PAKE (a cryptographic key exchange secured by a password) called Dragonfly. Dragonfly is the invention of a guy named Dan Harkins. Dan Harkins took it upon himself to retrofit elliptic curves onto first-generation multiplicative-group PAKEs like SRP. We’re losing you here but bear with me: there were PAKE protocols that used the same simple math as Diffie Hellman, and Dan Harkins tried to design one that used ECC. Anyways, when Harkins tried to get his new PAKE included in TLS, Trevor Perrin broke it in a mailing list post. The story goes on and involves the NSA and a bunch of intrigue and is worth looking into. Oh how we laughed.
And then WPA3 was released and, oh look, there’s Harkins’ Dragonfly protocol, right there in our wireless handshakes.
It’s pretty clear to us that the WiFi standards groups triggered some ancient mummy curse, because the WiFi standards by themselves are a master class in everything that can go wrong with a crypto protocol. And, as Vanhoef and Ronen show, WPA3 is by itself a lesson in everything that can go wrong with a single handshake: invalid curve attacks! Protocol downgrade attacks! Timing attacks! They’ll teach this one in schools, unless the WiFi people come up with WPA4 or something, which will surely be even worse.
ChromeOS U2F ECDSA
ChromeOS implements a “built-in” U2F security token, based on the ECDSA features of the Google H1 security chip.
What’s the one bug you have to watch out for in ECDSA? Right: signatures need a truly random nonce, filling the entire bit width of the number that holds it. Even a single bit of bias is exploitable.
H1’s ECDSA had more than 1 bit of bias: due to a coding flaw, it had 192 of them.
Everyone who used one of the affected chips had to unregister their security keys from every service they’d enrolled them in. Good times!
Monocypher Super-Complicated Incredibly Hard To Exploit EdDSA Vulnerability
Credit: Mike Pechkin
Elliptic curve Digital signature forgeries are fun to read about. You’ve got your integer lattices, your BKZ basis reductions, your Fourier-assisted search algorithms; it’s pretty much all there.
And sometimes you can just pass all zeroes as your signature.
Don’t use Monocypher, is what we’re saying.
pwnie for most innovative research
Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
MS Excel Power Query Allows Remote DDE Execution
Credit: Ofir Shlomo, Doron Attias of Mimecast
This research reminded me of the good old days when everyone was getting hacked with macros in MS office documents. Good times! Since then, security products have gotten better at making sure office documents are safe for our users to blindly click on.
This research cleverly uses a feature of MS Excel called Power Query to try to bypass detection by these security tools. Power Query allows a spreadsheet to embed data from other sources, including remote sources. Shlomo and Attias use this not only to add malicious data to the spreadsheet when it is opened, but also to selectively serve up the malicious data based on fingerprinting, thus targeting only users while avoiding sandboxes. In the end, they produced a spreadsheet that only becomes malicious when it is opened outside a sandbox and requires either a double click by a user or nothing at all on older versions of Excel.
Luckily, we use a pirated version of Excel that doesn’t seem affected by this, but does seem to have a Chinese backdoor in it.
Credit: Tencent Keen Security Lab
Did Elon Musk insult the Tencent Keen Security Lab, or what? We’re not sure of the real reason, but the Tencent Keen Security Lab folks sure love to pick on Teslas.
In previous research, they showed how you could chain your way from a web browser exploit all the way to the AutoPilot ECU (APE). This research follows on to that and focuses on what an attacker can do with this level of access. They discuss the architecture of the vehicle and where the APE fits in as well as reverse a bunch of the binaries from the APE. In the end they could control the steering in certain circumstances (slow speeds or while in adaptive cruise mode). They also did some adversarial machine learning work to trick the car without any kind of exploit or access. By planting stickers on the road, they could trick the car to make a lane change.
Like, it’s not as cool as the car hacking scene from Fast and the Furious 8, but it’s still pretty solid research.
Reverse Engineering Architecture And Pinout of Custom ASICS
Credit: Thomas Weber of SEC Consult Vulnerability Lab
Most of the Pwnie award judges have a background in writing web browser exploits so it’s not always easy for us to judge innovation. Almost any hardware hacking still looks like magic to us dinosaurs.
Thomas Weber’s reverse engineering of a completely unknown chip on a Siemens S7-1200 falls into this category.
After doing some online shopping, he found an old evaluation board which showed where the JTAG pinout would be. By comparing this to the actual industrial controller, he was able to find JTAG on the actual production controller. With a little soldering action, he enabled JTAG and could perform debugging to inspect internal registers during run time. He also dumped the firmware from flash memory, boiled an IC in sulfuric acid, and other wild stuff. By the end he knew everything you’d need to know about the chip, including how you could backdoor the controller — except for real — unlike the Bloomberg story.
Credit: Brandon Falk
If you want to find vulnerabilities or otherwise analyze code at the lowest levels, you need good tools.
When we were young, and walked uphill both ways to school, we had debuggers and some basic memory shadowing tools like valgrind. These tools slow down performance by a factor of 10 or even 1000 and could only perform limited analysis.
Vectorized emulation uses modern hardware tricks to run VMs not merely no slower, but actually faster than native code. It does this by rewriting a program using AVX-512 vectorized instructions, which allows the simultaneous execution of 16 different VMs at near-native speed. This allows for super fast differential code coverage and hardware-accelerated taint tracking. Highlights include 4000 fuzz cases per second for MS Word fuzzing, as well as security bugs found in Windows Firewall and OpenBSD’s dhclient. The author says most people shouldn’t use this tool because it is too fast and finds too many bugs!
Not that that’s a problem we’ve ever had to worry about.
Credit: Peng Cheng, Ibrahim Ethem Bagci, Utz Roedig, Jeff Yan of Lancaster and Linkoping University
Ok, you know we’re down when the paper reads like it is out of a James Bond book, or at least that in some dark corner of the NSA there is a scientist who’s pissed about it. In this paper, the researchers use speakers to emit sounds inaudible to humans as part of a sonar system to track a victim’s finger movements. Doing this while the victim unlocks their phone doesn’t give them the exact unlock pattern but does greatly reduce the number of patterns to try. Straight off the sci-fi channel back when it still played sci-fi shows; the only minor issue is they only tested it against 10 subjects and, since it is an academic paper, it’s probably entirely impractical.
Credit: The NSA
We’re not sure we need much of a sales pitch for this one.
SAFE: Self Attentive Function Embedding
Credit: Luca Massarelli
SAFE applies word2vec and self-attentive RNNs (if you’re a machine learning person, you know what that means) to characterize procedures in compiled programs. The sales pitch here is easy: it’ll spot the same function in two binaries. It’ll spot them even if they’re compiled for different architectures. You can build a search engine with it, or use it to generate signatures, or to hunt for vulnerabilities in binaries at scale.
Intel Boot Guard Bypass
Credit: Peter Bosch and Trammell Hudson
Intel’s reference UEFI was vulnerable to a TOCTTOU bug and these two researchers found it.
pwnie for lamest vendor response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
To be announced.
pwnie for most over-hyped bug
Awarded to the researcher/team who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
Credit: Peter Winter-Smith of NCC Group
By confusing the state machine, an attacker can create an SSH connection to any server running OpenSSH.
Shells are gonna be flying all over millions of machines, oh noes!
Wait, OpenSSH and libssh aren’t the same thing?
But which do I have on my servers?
(Spoiler: you do not have libssh).
Meanwhile, as ZDnet and the Register (as well as most of infosec Twitter) were melting down, the researcher confirmed that not a single host was owned by this bug.
Credit: Jatin Kataria, Richard Housley, and Ang Cui of Red Balloon Security
Let’s address the elephant in the room: this is the first and only vulnerability whose name is written with emojis.
The vulnerability itself affects Cisco devices and provides a bypass to their secure boot mechanism.
This bug got coverage in the Register, Dark Reading, ZDnet, and even Bruce Schneier’s blog (yes we’re jealous of that last one).
Hardware bugs are pretty cool, and bugs that use phrases like “anchor of trust” get me kind of excited. But when your bug requires root privileges, you’ve got other problems if attackers are using this against you.
Super Micro - The big hack
Credit: Jordan Robertson and Michael Riley of Bloomberg
China hacked all our computers by implanting a tiny chip on Super Micro’s motherboards.
A top secret probe revealed that this chip, the size of a grain of rice, could allow attackers to create a backdoor into any network that contained one of the altered machines.
The story had every buzzword that makes any CISO want to retire: supply chain interdiction, state sponsored, China, Snowden. It was said to affect major banks, government contractors, and even the company they all aspire to be, Apple. This was definitely the computer security story of the year, maybe the decade, except for one small detail.
It seems it was all bullshit.
DICOM vulnerability in medical devices
Credit: Markel Picado Ortiz of Cylera Labs
DICOM is a file format for the storage of medical images. It is possible to make a valid DICOM file that is also a Windows executable file. This vulnerability got some love in SecurityWeek as well as a variety of health care news sites. Mitre gave it a CVSS score of 9.3. We guess they’d rate most issues of POC||GTFO a 10.0, then.
Anyway, the attack is to upload this polyglot DICOM file to a medical device and then trick the device into executing the file it thinks is a medical image? Seems legit.
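The polyglot works because a Part-10 DICOM file begins with a 128-byte preamble whose contents the standard leaves unconstrained, followed by the magic bytes “DICM” at offset 128, while a PE executable only needs “MZ” at offset 0 and a pointer at offset 0x3C to its “PE\0\0” header. The checker below (an added example, not Cylera Labs’ code) flags files that satisfy both signatures; the sample files are constructed inline, with dummy bodies rather than real image data.

```python
import struct

DICOM_PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
PE_E_LFANEW_OFFSET = 0x3C  # location of the PE header pointer in an MZ header


def inspect_dicom_header(data: bytes) -> dict:
    """Report which file-format signatures the first bytes of `data` satisfy.

    is_dicom:        "DICM" found right after the 128-byte preamble
    mz_in_preamble:  the preamble starts with an MZ (DOS/PE) header
    pe_header_found: the MZ header's e_lfanew points at "PE\\0\\0"
    """
    result = {"is_dicom": False, "mz_in_preamble": False, "pe_header_found": False}
    if len(data) < DICOM_PREAMBLE_LEN + len(DICOM_MAGIC):
        return result
    magic = data[DICOM_PREAMBLE_LEN:DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)]
    result["is_dicom"] = magic == DICOM_MAGIC
    preamble = data[:DICOM_PREAMBLE_LEN]
    if preamble[:2] == b"MZ":
        result["mz_in_preamble"] = True
        # e_lfanew is a little-endian uint32; follow it and look for the PE magic
        e_lfanew = struct.unpack_from("<I", preamble, PE_E_LFANEW_OFFSET)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            result["pe_header_found"] = True
    return result


def is_dicom_pe_polyglot(data: bytes) -> bool:
    """True when the file parses as DICOM but also carries an MZ header in its preamble.

    A viewer that only checks for "DICM" will happily accept such a file, so a
    storage gateway should reject or quarantine it before it reaches a device.
    """
    r = inspect_dicom_header(data)
    return r["is_dicom"] and r["mz_in_preamble"]


def build_dicom(preamble: bytes, body: bytes = b"") -> bytes:
    """Constructed fixture: pad the preamble to 128 bytes, then append DICM and a body."""
    return preamble[:DICOM_PREAMBLE_LEN].ljust(DICOM_PREAMBLE_LEN, b"\x00") + DICOM_MAGIC + body


# Constructed sample 1: an ordinary file with the conventional all-zero preamble.
BENIGN_DICOM = build_dicom(b"\x00" * DICOM_PREAMBLE_LEN, b"\x02\x00\x00\x00UL\x04\x00")

# Constructed sample 2: a preamble holding an MZ header whose e_lfanew points
# at offset 0x100, where the body places a PE header.
_pe_preamble = bytearray(DICOM_PREAMBLE_LEN)
_pe_preamble[0:2] = b"MZ"
struct.pack_into("<I", _pe_preamble, PE_E_LFANEW_OFFSET, 0x100)
_pe_body = b"\x00" * (0x100 - DICOM_PREAMBLE_LEN - len(DICOM_MAGIC)) + b"PE\x00\x00" + b"\x00" * 64
POLYGLOT_DICOM = build_dicom(bytes(_pe_preamble), _pe_body)

# Constructed sample 3: a plain executable with no DICM marker at all.
PLAIN_PE = b"MZ" + b"\x00" * 300

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_DICOM), ("polyglot", POLYGLOT_DICOM), ("plain PE", PLAIN_PE)]:
        print(name, inspect_dicom_header(blob), "polyglot" if is_dicom_pe_polyglot(blob) else "ok")
```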
pwnie for most epic fail
This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily parted with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.
One might assume that a major PC vendor’s remote update services would be painstakingly tested and monitored – but alas, we are relegated to the worst timeline. Attackers backdoored ASUS’s Live Update utility to target a set of users (based on hardcoded MAC addresses), with millions of other users caught in the fray. Deemed “Operation Shadowhammer,” these malicious updates used legitimate certificates and were hosted on the official ASUS update servers, too. While ASUS fortunately responded quickly once notified, it is fair to wonder how such severe abuse of critical functionality went unspotted for half a year.
An unwritten rule of modern life is “Never claim your technology is unhackable.” BitFi, backed by bath salt connoisseur John McAfee, broke this rule last year, deeming themselves “the world’s first unhackable storage for cryptocurrency.” They offered $250,000 to anyone who could prove otherwise – but mysteriously, this reward never materialized for the numerous researchers who went on a pwning spree with BitFi’s wallet. BitFi first attempted denial, but quickly resorted to slandering and threatening the researchers. Even now, they continue the quest to prove themselves as unhinged as their backer, desperately lashing out at anyone who dares observe that BitFi’s cryptowallet is more sieve than “fortress.”
As a resident of the infosec industry, it’s fair to wonder whether words still mean things – and Bloomberg’s cybersecurity reporting is Exhibit A to support the conclusion that they don’t. Beginning with a juicy, bloated entrée, “The Big Hack,” Bloomberg didn’t back down as security experts called them out for their less than rigorous reporting. For dessert, Bloomberg decided to die on the barren hill that end-to-end encryption is a “gimmick” because of a WhatsApp vulnerability (exploited by fellow nominee, NSO Group). It’s one thing to use a term like “cyber weapon” in an article, but it’s another thing to let down an entire industry not once, but twice in a year.
As if our eyeballs were not sufficiently cursed by Darktrace’s lurid ads in airports, corporate magazines, and conference halls, Vitruvian Partners, KKR, and 1011 Ventures decided to pour $50 million as fuel for the cyber AI tire fire. At a valuation of $1.6 billion, Darktrace was cemented as a unicorn – one that races around our industry brandishing its pestilent horn, piercing the sanity of all who abide by reason and logic. We can only hope this is a social experiment to see how willingly CISOs will glug festering snake oil for the chance at free fancy dinners and tightened khaki pants at each mention of autonomous AI.
Since BlackHat USA 2018, Facebook was deemed a “useful instrument for spreading hate” by the UN, security issues with Facebook access tokens exposed 50 million accounts, the New York Times meticulously exposed problematic decision-making by Zuckerberg and Sandberg regarding Russian election interference…and also exposed data-sharing relationships largely unknown by users, millions of Instagram passwords were discovered to be stored in plaintext for years, $3 billion was set aside to cover anticipated FTC fines over privacy issues, Apple blocked Facebook’s developer-signed iOS apps because they paid teenagers to download their “research app” and hoovered up the user data – and Mark Zuckerberg declared that the “future is private,” forgetting that he does not, in fact, possess the ability to perform Jedi mind tricks.
Whenever someone says that technology cannot be hacked, you can be certain that it absolutely, positively can be hacked. The Election Commission of India (ECI) made such claims regarding the Electronic Voting Machines (EVMs) used in India’s general elections – specifying they “firmly believe that EVMs are very good machines.” However, belief is not substitutable with fact, and reports of widespread malfunctioning during the election sowed the seeds of doubt and distrust. With the recent reveal that EVMs use reprogrammable chips (contrary to prior claims), the ECI’s continued silence regarding security concerns suggests they are living in their own version of reality.
In the immortal words of Lil Wayne, “Be good, or be good at it.” NSO Group learned the hard way that the business of cyber surveillance is one that should perhaps not seek the spotlight – and clearly missed the memo that facilitating human rights abuses is for basic bitches. Investors largely said “hard pass” when NSO’s management team sought funds to buy the company back from the private equity firm that bought it in 2014. As a result, the banks underwriting the loan sold it at a steep discount – a valuable lesson that greasing the wheels of dystopia doesn’t always pay off.
What happens when a former Symantec employee whistleblows about fluffed up financials meant to help executives earn fat bonuses? An ongoing SEC investigation and the resignation of the CEO and CFO implicated in the nefarious scheme – and mysteriously weaker financial performance after the shady accounting practices were rectified. It’s one thing for Symantec to cling to their brand name to hawk their hollow, moldering wares, but accounting fraud is a nasty level of desperate.
new! pwnie for most under-hyped research
Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!
Credit: Jatin Kataria and Red Balloon Security
Exciting Pwnies twist! The judges are presented with a real dilemma, as Thrangrycat is nominated not just for most overhyped, but also most underhyped! It can only be one, right? (It can totally be both).
As previously noted: Jatin Kataria and Red Balloon Security released a bug named after three emojis. Literally three angry cat emojis. This is just being abusive of the system.
Nonetheless, the bugchain allowed you to own Cisco Routers. Part of the fun here is modifying the FPGA anchor bitstream, which lives in an unprotected flash RAM, as you would expect.
MS Excel Power Query Allows Remote DDE Execution
Credit: Ofir Shlomo, Doron Attias of Mimecast
Doron Attias from MimeCast, a company we’ve never heard of before — which is fine, who can keep up these days? It’s like a feeding frenzy mixed with a tulip bubble mixed with whatever blockchain hyperbole is the new thing.
We digress. We’re not saying you should use Square as your payment system, but the other point of sales systems are basically just Windows CE with a shiny GUI. Where were we?
It turns out DDE and the way Excel uses it continues to be…not great. Look, this doesn’t start out as news. But it turns out that there’s nothing that can’t be made worse by adding Powershell to it, and so of course, Microsoft added Powershell to DDE and you get this thing called “Power Query”, which is a terminology that should only be used by the SCADA/ICS/OT world, or a Marvel Avengers fanfic when arguing over who can lift more weight, Captain America or SpiderMan. Canonically the answer is SpiderMan, obviously. I’m not going to lie - the advisory they wrote is pretty awesome…and Microsoft designated this a “Won’t Fix” which really means a “Maybe Fix Later if People Complain a Lot, LoL.”
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
Credit: Elad Shamir of Shenanigans Labs
Look, codenames are not that hard.
You take any two five letter words, make sure they are not related to your bug, and put them together in all caps.
Nothing is gained by calling your exploit “Wagging the Dog” unless it is a bug in TAILS, but even that is not so much “funny” as “kinda annoying”.
Right up front in the advisory, which is roughly the length of a Neal Stephenson novel, Elad says “You don’t have time, or the brain size necessary to read this article, so I will summarize it for you in a couple bullet points that you also will not understand.” He was not wrong. His work is like a PhD in how everyone should uninstall Active Directory and go back to using Novell. And we’ve used Novell, and also SunOS ADB.
“No implementation, no bugs?” PROVEN FALSE.
CI system attacks
Credit: Justin Gardner (@Rhynorater), Corben Leo (@hacker_), and EdOverflow (@EdOverflow)
Some neat work (that nobody read) on continuous integration systems, as part of a bug bounty effort. As Dave once said, bug bounty hunters are the cave crickets of exploitation. To be fair, owning people’s source code repositories is pretty useful and if we can get through an hour of Black Hat without someone yelling “SUPPLY CHAIN ATTACKS” into a microphone, then that would be great. It’s still hard to give anyone any credit when their goal is bug bounties.
Exploiting Deserialisation in ASP.NET via ViewState
Credit: Soroush Dalili (@irsdl)
If you’re SYSTEM for 1 minute on any IIS server you’re SYSTEM forever, remotely. Sometimes the pitch just writes itself.
Soroush Dalili (@irsdl) – سروش دلیلی is hardly the first, but they certainly did a ton of work to publicize how if you have 5 minutes on an IIS server and can grab the machine key, then you can use deserialization to get into that box forever. To be honest, our friends would prefer Microsoft didn’t change this from a “Won’t Fix”, but for those of you who DON’T work at Microsoft, read his highly educational blog.
On the other hand, if your name is “Dave Weston” or “Matt Miller” then we would highlight that your current mitigations are WORKING VERY VERY WELL. No need for any more. K thx.
Confluence WebDAV and Widget Connector vulnerabilities
Credit: Shubham Shah from Assetnote (https://assetnote.io) and Orange Tsai from DEVCORE (https://devco.re).
Like Orange Tsai, Atlassian Confluence is everywhere, and getting owned. Wait, the last part is probably unlike Orange Tsai.
RCE in Qt5-Based GUI Apps
Credit: Ziad Badawi (?) Daley Bee and Dominik Penner (?)
These researchers owned everyone who had Fortnite installed by using a URL handler exploit like they were from the ’90s. The bug is in Qt5, which we had no idea was still being used by Epic Games (and everyone else) to build software. But it is. And so they owned everyone and now have all the winner winner chicken dinners or whatever.
new! pwnie for epic achievement
Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.
The Cult of the Dead Cow landing one of their own as a US Presidential candidate is a spin on the Manchurian Candidate that we can get behind. We can’t wait to see his cabinet picks (DilDog for US CTO, Mudge for Cyber Czar!).
We have no idea how this was achieved, but apparently Ghidra used to be classified and now it’s on GitHub (intentionally, that is).
We all know that passwords suck and pretty much all of ours have been stolen many times over. While we can also argue about how quantum resistant the crypto in our also not tamper-responsive physical security tokens are, Google went and shipped WebAuthn to over a billion users in Android 7. It turns out that a lot of people need to log into stuff from their smartphones (who knew?!?). Helping a billion users ditch their passwords for the accounts they use to reset the passwords for every other account is pretty epic.
How much information about a bug can you fit in one sentence? Ask Steve Christey Coley, the single most prolific CVE entry writer on the planet. Sure, it was his day job, but Steve went above and beyond, spending over a decade writing dense dialect to define and de-duplicate bug reports for defense. Cataloging bugs may not be as sexy as finding them and making fun of bad vendor responses, but we all benefit from this basic identification infrastructure. Steve is a prominent member of the community and pays particular attention to gender inequity and other issues on the human side of infosec.