2008 Pwnie Award nominees announced

Well, after getting 134 nominations, and spending countless hours pulling out nominees, the judges for the 2008 Pwnie Awards have announced the final nominees to be voted on.  From the site:

The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.

I'm especially excited about this, since Rob Carter, Billy Rios, and I were nominated for the Best Client-Side Bug for our URL and protocol handling flaws research; which just seems to never end by the way (and keeps continuing... see a future talk we will put on at some Black Hat down the road).  We're up against some stiff competition though, including my fellow Ernst & Young Advanced Security Center co-worker Nitesh Dhanjani, which makes it a great year for EY with three current (myself, Rob Carter, and Nitesh Dhanjani) and one former member (Billy Rios) involved in the pwnies. For more, read-on! Best Client-Side Bug:

• Multiple URL protocol handling flaws

  Discovered by: Nate McFeters, Rob Carter, and Billy Rios

  Not just a few vulnerabilities, but an entire attack vector, URI protocol handler flaws pitted web browser and application vendors against each other as one web browser was exploitable through another and each vendor blamed the other for the vulnerability.

• Slirpie

  Discovered by: Dan Kaminsky, RSnake, Dan Boneh

  Presented at Toorcon 2007, this attack used DNS Rebinding to bypass the Same Origin Policy and build a tunnel into a remote network using only a lured web browser (and its associated grab bag of Web 2.0 technologies like Flash, Java, and Javascript). This vulnerability can best be described as a design bug in the Web 2.0 and we're all waiting for it to be fixed in Web 2.0 Service Pack 1.

• Safari carpet bomb (CVE-2008-2540)

  Discovered by: Laurent Gaffié, Nitesh Dhanjani and Aviv Raff

  Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user's configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and Windows). This can be used for a variety of attacks. First, you can litter the user's desktop with files or drop malware onto their desktop, hoping that the user will click run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term "blended threat" into the security vernacular.

• Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2007-0071)

  Discovered by: Mark Dowd and wushi

  This vulnerability requires no introduction. Independently discovered by both Mark Dowd and wushi of team509, this vulnerability showed how what appeared at first to just be a NULL-pointer dereference could be manipulated into yielding reliable cross-version remote code execution . For an excellent summary of the vulnerability and discussion on proper handling of malloc() return values, see the Matasano blog . This vulnerability was also used in a mass SQL-injection assisted malware attack in late May 2008 that resulted in much security industry drama and at least a few stolen World Of Warcraft passwords. The fact that Adobe took 15 months to patch this vulnerability suggests that they believed it to be a non-exploitable NULL-pointer dereference. Oops.

• QuickTime (CVE-2008-*)

  Discovered by: everybody and their mom

  No, this nomination is not for a vulnerability in Apple QuickTime, it is for QuickTime itself as a client-side vulnerability. A quick search of CVE entries yields 62 vulnerabilities in Apple QuickTime just in the last two years. The discoverer of the next QuickTime bug wins a free trip to the salad bar. Who would have thought that putting code originally written in the early nineties into a web browser would be a bad idea?

I don't like the idea of going up against QuickTime as a vulnerability... 62 instances of vulnerabilities in the last two years is unbelievable.  I discussed the Safari Carpet Bomb attack and other attacks it has been involved with on the blog already, and I think it a very interesting attack.  Slirpie was of course an interesting attack vector, and the Dowd report is something that had myself and other researchers giggly with excitement, as it is a technical marvel.  Other nominees in other categories are also really interesting and some have really caught my attention, such as: Most Innovative Research:

• Application-Specific Attacks: Leveraging the ActionScript VM

  Mark Dowd

  Mark Dowd exploited a NULL pointer dereference in the Flash runtime to desynchronize the ActionScript bytecode verifier, inject malicious bytecode instructions and finally execute x86 shellcode. The combination of techniques used by Dowd is beyond anything seen before. The details of the exploit are published in a 25-page paper and explained for non-exploit writers in a Matasano blog post.

I discussed this at length on the blog, this research was unbelievable, which is why it is up for two pwnies (Most Innovative and Best Client-Side Bug).  I still read it and try to puzzle out how Dowd approached the problem and what he might have been thinking at various stages of his research. Mass 0wnage Award:

• XSS of the entire web for users of Earthlink, Comcast and Verizon

  Discovered by: Dan Kaminsky

  Dan Kaminsky discovered that many ISPs that hijack non-existent domains to serve ads are vulnerable to cross-site scripting attacks, allowing an attacker to compromise any website on the Internet. Dan gets bonus points for using a Rickroll to demonstrate the bug.

• SQL injection in more than 500,000 web sites

  Discovered by: Rain Forest Puppy back in 1998

  SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.

• Windows IGMP kernel vulnerability (CVE-2007-0069)

  Discovered by: Alex Wheeler and Ryan Smith

  Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

The XSS flaw is what Dan Kaminsky discussed at ToorCon Seattle this year, and the talk was truly impressive, both in it's scope of exploitation and in it's trivial nature.  Obviously, with the SQL injections, we've seen a huge number of attacks this year, including automated wide-scale attacks.  I loved the Windows IGMP flaw, because it just goes to show that you can't take a flaw for granted... some researcher or hacker somewhere will find a way to make the exploit happen (case in point, Dowd's madness). Best Server-Side Bug:

• SQL Server 2005 (CVE-2007-4560)

  Discovered by: Brett Moore

  Just in time for the Pwnie nominations to close, Brett Moore and Microsoft bring you the first security bulletin affecting SQL Server 2005. This vulnerability, exposed to an unprivileged SQL user, occurs when SQL Server attempts to restore a corrupt database backup. The database backup may be hosted on a remote SMB or WebDAV server, making this a remote code execution exploit that can also be triggered through a SQL injection vulnerability. The best part is from Insomnia Security's advisory:

  SQL server appears to use its own dynamic heap management, which makes exploitation different from a standard heap overflow. Using a custom heap management routines means that the standard heap protections mechanisms are not in place.

  If this vulnerability wins a Pwnie, we will ask David Litchfield to come up on stage and present it to Brett.

Come on now, custom heap management routines... great research, and I wonder how much time he spent getting it working.  Also, if he wins, we get to see the Jedi Master David Litchfield present the award, as he confirmed today on Full-Disclosure he would present it if Brett wins. Lamest Vendor Response:

• McAfee's "Hacker Safe" certification program

  XSS vulnerabilities in multiple sites certified as "Hacker Safe"

  More than 60 web sites certified to be "Hacker Safe" by McAfee's ScanAlert service were reported as vulnerable to XSS attacks, including the ScanAlert web site itself. Joseph Pierini, director of enterprise services for the "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server:

  Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.

• Wonderware

  Response to SCADA denial of service vulnerability

  CORE security reported a denial of service vulnerability in Wonderware's SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability and their response indicated total incompetence: 2008-01-30: Initial contact email sent by to Wonderware setting the estimated publication date of the advisory to February 25th. 2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch. 2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch. 2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgement of the notification of a security vulnerability. 2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability. 2008-03-03: Core sends proof-of-concept code written in Python. 2008-03-05: Vendor asks for compiler tools required to use the PoC code. 2008-03-05: Core sends a link to http://www.python.org

Well, we all know about McAfee by now and all about the McAfee "Hacker Safe" certification program (yes, that is five separate links on the subject... it's truly been that bad), but the fact that they make a web application security product and then call cross-site scripting a non-issue is hilarious and completely negligent on their part.  I mean, it's the OWASP Top 10's number 1 vulnerability in web applications!  I guess when you "go in like super hackers", that doesn't include covering the industry accepted Top 10 for the particular space you play in.  The second example there is just hilarious.  In some ways, you feel sort of bad, but it's like when you see someone slip and fall... you can't help laughing just a bit. Most Overhyped Bug:

• Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

  Dan Kaminsky

  Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

When the smoke clears on this one, I think people will see this as a major bug; however, the raw amount of media coverage it received could make even this potentially huge bug over-hyped.  I'm probably as guilty of that as any in media, but I am certainly excited to see this presentation at Black Hat. Most Epic Fail:

• Todd Davis, Lifelock CEO for posting his SSN on the web

  Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN.

• Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)

  Debian Project

  On May 2nd, 2006 Kurt Roeckx commented out two very important lines of code in the OpenSSL psuedo-random number generator (PRNG). The reason? Valgrind and Purify complained about the use of uninitialized data in the function that seeded the PRNG. By commenting out these two lines of code, the randomness of all cryptographic keys generated by the Debian OpenSSL package was reduced to about 15 bits, or less than 32,768 unique keys in practice. By crippling the PRNG in the OpenSSL library, not only were all cryptographic keys generated on Debian-based systems suspect, but all cryptographic operations performed by these systems as well. Since the flaw was announced, Luciano has released a patch to Wireshark that decrypts SSL sessions (bypassing Perfect Forward Secrecy) that involve one of the weak keys. To this date, Kurt Roeckz still hosts vulnerable versions of the OpenSSL library in his personal directory on the Debian servers and has not been stripped of his Debian developer status.

Well, go figure, these two stories were also covered here.  I think we have a trend of reporting on interesting subjects!  The Lifelock deal is nearly as laughable as the McAfee HackerSafe fiasco, but you do have to feel a bit for Todd Davis.  I wonder if he truly believed he was protected from identity theft..  The OpenSSL flaw isn't necessarily laughable, but it is astounding how quickly HD Moore was able to throw together some great research and proof of concept work. There's a lot of other great nominees in a good deal more categories.  Go check out the site and have fun with it, that's what it is all about.  Thanks a ton to all the judges for the nomination! -Nate