Pwnie Awards 2012 nominees announced

The 6th edition of “The Pwnie Awards” will have its awards ceremony at the BlackHat USA conference in Las Vegas, the 25 July. Pwnie Awards celebrate the achievements and failures of security researchers and the security community.

In the 2012 edition they’re will be nine award categories:

  • Pwnie for Best Server-Side Bug
  • Pwnie for Best Client-Side Bug
  • Pwnie for Best Privilege Escalation Bug
  • Pwnie for Most Innovative Research
  • Pwnie for Lamest Vendor Response
  • Pwnie for Best Song
  • Pwnie for Most Epic FAIL
  • Pwnie for Epic Ownage

Nominees for these categories have been announced the 21 July. I will do a quick recap on the “Best Server-Side Bug“, “Best Client-Side Bug” and the “Best Privilege Escalation Bug“.

Pwnie for Best Server-Side Bug

Nominees for this category are listed here under. My vote will go to “WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability” due to the impact of this vulnerability in term of number of botnets and owned servers.

TNS Poison Attack (CVE-2012-1675)

This vulnerability was discovered and reported to Oracle by Joxean Koret in 2008. Oracle had announce, in April CPU, that the vulnerability were fixed, but after releasing details of the vulnerability Joxean Koret had discover that the vulnerability were not fixed at all. Here under a video demonstration of the MITM attack.

ProFTPD Response Pool Use-after-Free (CVE-2011-4130)

This vulnerability was discovered and reported by an anonymous researcher in October 2011 and patched in November 2011. The vulnerability allows remote attackers to execute arbitrary code. Authentication is required to exploit this vulnerability in order to have access to the ftp command set.

“Are we there yet?” MySQL Authentication Bypass (CVE-2012-2122)

This vulnerability was discovered and reported to Oracle by Sergei Golubchik in April 2012. The vulnerability exploits a password bypass weakness in MySQL. Here under a video demonstration of the attack.

WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)

Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as botnet recruitment vector, and has now spread in multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs visitors, diffusion of spam and phishing campaign, DDoS, hack of other web sites (such as About.us domain name registrar), etc, etc. Some of these infected WordPress were controlled by well-known C&C servers used and shared by black hats from around the world.

Pwnie for Best Server-Side Bug

Nominees for this category are listed here under. My vote will go to “MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability” cause this vulnerability demonstrate clearly that bad guys are always in advance.

Pinkie Pie’s Pwnium Exploit

Pinkie Pie’s exploit took a chain of six different bugs in order to successfully break out of the Chrome sandbox.

Sergey Glazunov’s Pwnium Exploit (CVE-2011-3046)

Sergey Glazunov’s exploit took a chain of at least 14 bugs to successfully sidestep the browser’s sandbox.

MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE 2011-3402)

CVE 2011-3402, patched by MS11-087 in December 2011 ,was found exploited in the wild by Duqu malware.

Flash BitmapData.histogram() Info Leak (CVE 2012-0769)

CVE 2012-0769 was discovered by Fermin J. Serna of the Google Security Team and corrected in APSB12-05.

iOS Code Signing Bypass (CVE 2011-3442)

This vulnerability was discovered by Charlie Miller of Accuvant Labs and corrected in iOS 5.0.1 release. This vulnerability is a code signing bypass that allows third-party apps to dynamically download and execute code and use this in his rogue app.

Pwnie for Best Privilege Escalation Bug

Nominees for this category are listed here under. My vote will go to “Xen Intel x64 SYSRET Privilege Escalation” cause this vulnerability has impacts tones of products and vendors.

Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)

This vulnerability was discovered and reported to vendor by Rafal Wojtczuk. Successful demonstration of this vulnerability was provided by fail0verflow the 2012-07-05. Here under a video demonstration of the attack.

iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

This vulnerability was discovered by pod2g, used in Absinthe iOS 5.0/5.0.1.

MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)

CVE-2011-2018, patched by MS11-098, was discovered and reported to the vendor by Mateusz “j00ru” Jurczyk.

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)

CVE-2012-1515, patched by MS12-042 and by VMSA-2012-0006.2, was discovered and reported to vendors by Derek Soeder.