Slashdot Mirror


2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"

7 of 74 comments

  1. Re:Pwned by Nos. · · Score: 5, Informative

    Nominees

    We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.

    The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.

    Pwnie for Best Server-Side Bug

    Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

    • Windows IGMP kernel vulnerability (CVE-2007-0069)

      Discovered by: Alex Wheeler and Ryan Smith

      Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

    • NetWare kernel DCERPC stack buffer overflow

      Discovered by: Nicolas Pouvesle

      At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

      This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

    • ClamAV Remote Command Execution (CVE-2007-4560)

      Discovered by: Nikolaos Rangos

      This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.

    • SQL Server 200
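
The ClamAV entry in the comment above describes a recipient address placed directly into a popen() command line. As an added example (not ClamAV's code and not part of the original comment), the C program below contrasts that pattern with a shell-free fork/exec call; `echo` stands in for sendmail, and the function names and the sample recipient are assumptions constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
/* Assumption: "echo" stands in for sendmail so this runs offline. */
#define MAILER "echo"

/* One output line per mailer run; an extra line means the shell ran more. */
static int count_lines(FILE *fp) {
    int c, n = 0;
    while ((c = fgetc(fp)) != EOF) if (c == '\n') n++;
    return n;
}

/* Vulnerable pattern: popen() passes the pasted-in recipient to /bin/sh. */
int notify_popen(const char *rcpt) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, MAILER " -- %s", rcpt);
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    int n = count_lines(fp);
    pclose(fp);
    return n;
}

/* Hardened form: no shell is involved; the recipient is one argv element,
   and "--" keeps a getopt-based mailer from reading it as an option. */
int notify_exec(const char *rcpt) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp(MAILER, MAILER, "--", rcpt, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    FILE *fp = fdopen(fd[0], "r");
    int n = fp ? count_lines(fp) : -1;
    if (fp) fclose(fp); else close(fd[0]);
    waitpid(pid, NULL, 0);
    return n;
}

int main(void) {   /* constructed sample recipient */
    const char *r = "user@example.com; echo INJECTED";
    return printf("popen=%d exec=%d\n", notify_popen(r), notify_exec(r)) < 0;
}
```

With the constructed recipient, the popen() path produces two lines of output because the shell runs a second command, while the exec path produces one line containing the whole string as data.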

  2. ZDNet has more info. by MRe_nl · · Score: 2, Informative

    As their own site seems down, some more info here
    http://blogs.zdnet.com/security/?p=1519

    --
    "Kill 'em all and let Root sort 'em out"
  3. coral cache link by Anonymous Coward · · Score: 5, Informative

    Thanks for slashdotting my poor little server on a DSL line :-)

    Try this: http://pwnie-awards.org.nyud.net/2008/awards.html

    Alexander Sotirov
    Pwnie Awards

  4. Life Lock Nomination by wiz31337 · · Score: 3, Informative

    I don't know if anyone else saw it but, Life Lock's very own CEO Todd Davis was nominated for a Pwnie for his brilliant idea to publicize his SSN.

    Someone was able to use his info to get a $500 fast cash loan.

    Not the most techie Pwnie but funny nonetheless.

    --
    /whisper/ Thanks for the candy!
  5. We are now unslashdotted... by dinodaizovi · · Score: 5, Informative

    We quickly moved the site to a server with real bandwidth. So slashdot away!

    Cheers,

    Dino Dai Zovi
    Pwnie Awards

  6. A couple I found interesting by Trogre · · Score: 3, Informative

    Pwnie for Most Overhyped Bug

      Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

      Dan Kaminsky

      Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

    Lamest Vendor Response

      Linus Torvalds

      Linux kernel non-disclosure policy

      Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security issues by defending silent patching of security vulnerabilities in the Linux kernel:

        So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

      Adding insult to injury:

        Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

        It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  7. Re:Most EPIC fail, Windows Vista? by jd · · Score: 3, Informative
    That is entirely correct. AESEC makes the claim that: "GEMSOS is the only general-purpose kernel in the world rated Class A1: Verified Protection by the National Security Agency."

    The other place you want to check is the paper on security kernels. This describes how to reach A1 (CC7) without having to prove the entire OS.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)