2008 Pwnie Award nominees announced
The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. As the next step, the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.

I'm especially excited about this, since Rob Carter, Billy Rios, and I were nominated for the Best Client-Side Bug for our URL and protocol handling flaws research, which just seems to never end by the way (and keeps continuing... see a future talk we will put on at some Black Hat down the road). We're up against some stiff competition though, including my fellow Ernst & Young Advanced Security Center co-worker Nitesh Dhanjani, which makes it a great year for EY with three current (myself, Rob Carter, and Nitesh Dhanjani) and one former member (Billy Rios) involved in the Pwnies. For more, read on!

Best Client-Side Bug:
Multiple URL protocol handling flaws
Discovered by: Nate McFeters, Rob Carter, and Billy Rios
Not just a few vulnerabilities, but an entire attack vector: URI protocol handler flaws pitted web browser and application vendors against each other, as one web browser was exploitable through another and each vendor blamed the other for the vulnerability.
Slirpie
Discovered by: Dan Kaminsky, RSnake, Dan Boneh
Presented at Toorcon 2007, this attack used DNS Rebinding to bypass the Same Origin Policy and build a tunnel into a remote network using only a lured web browser (and its associated grab bag of Web 2.0 technologies like Flash, Java, and JavaScript). This vulnerability can best be described as a design bug in Web 2.0, and we're all waiting for it to be fixed in Web 2.0 Service Pack 1.
Safari carpet bomb (CVE-2008-2540)
Discovered by: Laurent Gaffié, Nitesh Dhanjani and Aviv Raff
Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user's configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and Windows). This can be used for a variety of attacks. First, you can litter the user's desktop with files or drop malware onto their desktop, hoping that the user will run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term "blended threat" into the security vernacular.
Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2007-0071)
Discovered by: Mark Dowd and wushi
This vulnerability requires no introduction. Independently discovered by both Mark Dowd and wushi of team509, this vulnerability showed how what appeared at first to just be a NULL-pointer dereference could be manipulated into yielding reliable cross-version remote code execution. For an excellent summary of the vulnerability and discussion on proper handling of malloc() return values, see the Matasano blog. This vulnerability was also used in a mass SQL-injection assisted malware attack in late May 2008 that resulted in much security industry drama and at least a few stolen World Of Warcraft passwords. The fact that Adobe took 15 months to patch this vulnerability suggests that they believed it to be a non-exploitable NULL-pointer dereference. Oops.
QuickTime (CVE-2008-*)
Discovered by: everybody and their mom
No, this nomination is not for a vulnerability in Apple QuickTime, it is for QuickTime itself as a client-side vulnerability. A quick search of CVE entries yields 62 vulnerabilities in Apple QuickTime just in the last two years. The discoverer of the next QuickTime bug wins a free trip to the salad bar. Who would have thought that putting code originally written in the early nineties into a web browser would be a bad idea?
Application-Specific Attacks: Leveraging the ActionScript VM
Mark Dowd
Mark Dowd exploited a NULL pointer dereference in the Flash runtime to desynchronize the ActionScript bytecode verifier, inject malicious bytecode instructions and finally execute x86 shellcode. The combination of techniques used by Dowd is beyond anything seen before. The details of the exploit are published in a 25-page paper and explained for non-exploit writers in a Matasano blog post.
XSS of the entire web for users of Earthlink, Comcast and Verizon
Discovered by: Dan Kaminsky
Dan Kaminsky discovered that many ISPs that hijack non-existent domains to serve ads are vulnerable to cross-site scripting attacks, allowing an attacker to compromise any website on the Internet. Dan gets bonus points for using a Rickroll to demonstrate the bug.
SQL injection in more than 500,000 web sites
Discovered by: Rain Forest Puppy back in 1998
SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.
Windows IGMP kernel vulnerability (CVE-2007-0069)
Discovered by: Alex Wheeler and Ryan Smith
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
SQL Server 2005 (CVE-2007-4560)
Discovered by: Brett Moore
Just in time for the Pwnie nominations to close, Brett Moore and Microsoft bring you the first security bulletin affecting SQL Server 2005. This vulnerability, exposed to an unprivileged SQL user, occurs when SQL Server attempts to restore a corrupt database backup. The database backup may be hosted on a remote SMB or WebDAV server, making this a remote code execution exploit that can also be triggered through a SQL injection vulnerability. The best part is from Insomnia Security's advisory:
"SQL Server appears to use its own dynamic heap management, which makes exploitation different from a standard heap overflow. Using custom heap management routines means that the standard heap protection mechanisms are not in place."
If this vulnerability wins a Pwnie, we will ask David Litchfield to come up on stage and present it to Brett.
McAfee's "Hacker Safe" certification program
XSS vulnerabilities in multiple sites certified as "Hacker Safe"
More than 60 web sites certified to be "Hacker Safe" by McAfee's ScanAlert service were reported as vulnerable to XSS attacks, including the ScanAlert web site itself. Joseph Pierini, director of enterprise services for the "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server:
"Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."
Wonderware
Response to SCADA denial of service vulnerability
Core Security reported a denial of service vulnerability in Wonderware's SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability, and their response indicated total incompetence:
2008-01-30: Initial contact email sent to Wonderware setting the estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgement of the notification of a security vulnerability.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org
Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)
Dan Kaminsky
Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.
Todd Davis, Lifelock CEO for posting his SSN on the web
Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN.
Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)
Debian Project
On May 2nd, 2006 Kurt Roeckx commented out two very important lines of code in the OpenSSL pseudo-random number generator (PRNG). The reason? Valgrind and Purify complained about the use of uninitialized data in the function that seeded the PRNG. By commenting out these two lines of code, the randomness of all cryptographic keys generated by the Debian OpenSSL package was reduced to about 15 bits, or less than 32,768 unique keys in practice. By crippling the PRNG in the OpenSSL library, not only were all cryptographic keys generated on Debian-based systems suspect, but all cryptographic operations performed by these systems as well. Since the flaw was announced, Luciano has released a patch to Wireshark that decrypts SSL sessions (bypassing Perfect Forward Secrecy) that involve one of the weak keys. To this date, Kurt Roeckx still hosts vulnerable versions of the OpenSSL library in his personal directory on the Debian servers and has not been stripped of his Debian developer status.
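To make the "about 15 bits" concrete, here is a constructed toy model (added here, not code from the post or from OpenSSL) of a generator whose only surviving seed input is the process ID, together with the defender-side check that follows from it: enumerate every key such a generator can produce and flag any key that appears in that set. The hash-based key derivation and the PID_MAX constant are stand-ins, not the real key generation code.

```python
"""Toy model of the Debian OpenSSL PRNG weakness (CVE-2008-0166).

Constructed illustration, not OpenSSL's code: with the seeding lines removed,
the only entropy still reaching the pool was the process ID, so every key a
system produced was one of at most 32,768 possibilities. That tiny space also
lets a defender precompute every possible key and flag any that turn up.
"""
import hashlib
import math
import os

PID_MAX = 32768  # Linux default pid_max at the time: PIDs are 0..32767

def weak_keygen(pid: int, nbytes: int = 16) -> bytes:
    """Hypothetical generator whose only surviving seed input is the PID.
    Hashing the PID stands in for real key derivation; the point is that
    the output is a deterministic function of 15 bits of input."""
    seed = b"toy-debian-prng|" + pid.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[:nbytes]

def good_keygen(nbytes: int = 16) -> bytes:
    """Properly seeded counterpart: fresh OS entropy for every key."""
    return os.urandom(nbytes)

def build_blacklist() -> set:
    """Enumerate every key the weak generator can ever emit."""
    return {weak_keygen(pid) for pid in range(PID_MAX)}

def effective_entropy_bits(blacklist: set) -> float:
    """log2 of the number of distinct keys: the generator's real strength."""
    return math.log2(len(blacklist))

def is_weak_key(key: bytes, blacklist: set) -> bool:
    """Defender-side check: a key found in the precomputed set is burned."""
    return key in blacklist

if __name__ == "__main__":
    bl = build_blacklist()
    print(f"distinct weak keys: {len(bl)} (~{effective_entropy_bits(bl):.0f} bits)")
    print("key from PID 4242 flagged:", is_weak_key(weak_keygen(4242), bl))
    print("properly seeded key flagged:", is_weak_key(good_keygen(), bl))
```

The same precompute-and-compare idea is what made it feasible to scan fleets of certificates and SSH keys for the real weak keys once the flaw was public.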