Pwnie Awards 2012 Winners Announced

Pwnie Awards - Award for achievements or failures in the field of information security. The award ceremony is held in Los Angeles at the Blackhat USA conference.

The best client side vulnerability.

The prize in this nomination is awarded to those who have exploited or discovered the most complex and interesting vulnerability on the client side.

• Pwnium Exploit by Pinkie Pie.
  ')
  Pinkie Pie exploited 6 different vulnerabilities , thanks to which he was able to execute arbitrary code in a browser in Chrome.
  
  
• Pwnium Exploit by Sergey Glazunov
  
  Sergey Glazunov successfully exploited at least 14 different bugs in Chrome.
  
  
• MS11-087: Vulnerability in win32k.sys when parsing TrueType fonts. Posted by Duqu.
  
  This vulnerability in the kernel of the operating system allows to exploit any version of Windows using the TrueType font embedded in the website page or a file of some format, for example Word.
  
  
• Information leakage in Flash using BitmapData.histogram () ( CVE 2012-0769 ). Posted by: Fermin Serna
  
  This vulnerability simplifies bypassing the ASLR by disclosing information about system library loading addresses.
  
  
• IOS application signature bypass ( CVE 2011-3442 ). By: Charlie Miller
  
  Charlie Miller wrote an application with which he was able to download and execute unsigned code on iOS devices. For which he was excluded from the iOS Developer Program for 1 year.
  
  

Winners: Sergey Glazunov and Pinkie Pie

The best server side vulnerability.

The prize in this nomination is awarded to those who have exploited or discovered the most complex and interesting vulnerability on the server side.

• TNS Poison Attack ( CVE-2012-1675 ). Posted by Joxean Koret .
  
  This vulnerability allows an MITM attack on an Oracle database.
  
  
• ProFTPD Response Pool Use-after-Free ( CVE-2011-4130 ). Author: Wanted to remain anonymous.
  
  Binding allows you to remotely execute code on a ProFTPD server.
  
  
• MySQL authentication bypass ( CVE-2012-2122 ). Author: Sergey Golubchik
  
  A detailed description of the vulnerability can be found in the HD Moor blog.
  
  
• Vulnerability in WordPress Timthumb Plugin 'timthumb' Cache Directory ( CVE-2011-4106 ). Posted by: Mark Maunder
  
  This vulnerability allows you to download and run a PHP file in one of the directories owned by the plugin.
  
  

Winner: Sergey Golubchik

The best vulnerability leading to privilege escalation.

The prize in this nomination is awarded to those who have exploited or discovered the most complex and interesting vulnerability, leading to increased privileges.

• Vulnerability in XEN on Intel x64 platforms ( CVE-2012-0217 ). Posted by: Rafal Wojtczuk
  
  Vulnerability uses the SYSRET instruction to increase privileges . Some other operating systems are also affected by this vulnerability.
  
  
• The loss of integer discharge in HFS files on iOS devices ( CVE-2012-0642 ). Posted by: pod2g
  
  This vulnerability was used when writing jailbreaks for iOS 5.0 / 5.0.1
  
  
• MS11-098: Vulnerability in the Windows kernel-level exception handler ( CVE-2011-2018 ). Posted by: Mateusz "j00ru" Jurczyk
  
  This vulnerability affects all 32-bit versions of Windows from NT to Windows 8.
  
  
• VMware privilege escalation ( CVE-2012-1515 ). Posted by: Derek Soeder
  
  

Winner: Mateusz "j00ru" Jurczyk

The most innovative publication.

The prize in this nomination is awarded to the person who wrote an interesting and innovative publication.

• Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios. Travis Goodspeed Author
• Smashing the Atom. By Tarjei Mandt
• Injecting Custom Payloads Into Signed Windows Executables. By Igor Glucksmann
• The Case for Semantics-Based Methods in Reverse Engineering. By Rolf Rolles
• Comprehensive Experimental Analyzes of Automotive Attack Surface. By Stephen Checkoway

Winner: Travis Goodspeed

The best song ever.

• What You Need METASPLOIT! By Marco Figueroa
• Out of Bounds by NYAN
• Click Me by The UW CSE Band
• Give It Some Salt by beep@bugslap.com
• Control by Dual Core

Winner: Dual Core

The most epic fail

The nomination involves companies or people who have committed epic files.

• Antivirus industry
• The history of the botnet herpesnet, whose creator was not very careful
• LinkedIn hashes leak
• F5 Network, left a private SSH-key in their devices

Winner: F5 Network

Epic 0wnage.

In the nomination of Epic 0wnage, hackers participate, whose actions led to the greatest damage, wide media coverage, or just funny hacks.

• MD5 is a collision in the Flame virus that allowed it to distribute itself over the network through Windows Update.
• Vulnerabilities of certification authorities.
• iOS jailbreaks. Authors: iPhone Dev Team and Chronic Dev Team

Winners: Authors Flame