Pwnie Awards 2019: Most Significant Security Vulnerabilities and Failures

The Pwnie Awards 2019 ceremony took place at the Black Hat USA conference in Las Vegas, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are considered the computer security equivalent of both the Oscars and the Golden Raspberry and have been held annually since 2007.

All winners and nominees:

  • Best Server Bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The winners are the researchers who identified a vulnerability in the Pulse Secure VPN, whose VPN service is used by Twitter, Uber, Microsoft, Tesla, SpaceX, Akamai, Intel, IBM, VMware, the US Navy, the US Department of Homeland Security (DHS) and probably half of the Fortune 500. The researchers found a backdoor that allows an unauthenticated attacker to change the password of any user, and demonstrated that the problem can be exploited to gain root access to a VPN server that has only its HTTPS port open;

    Among the nominees that did not receive the award:

    • A pre-authentication vulnerability in the Jenkins continuous integration system that allows code execution on the server. The vulnerability is actively used by bots to set up cryptocurrency mining on servers;
    • A critical vulnerability in the Exim mail server that allows code execution on the server with root privileges;
    • Vulnerabilities in Xiongmai XMeye P2P IP cameras that allow taking control of the device. The cameras shipped with an engineering password and did not verify digital signatures when updating the firmware;
    • A critical vulnerability in the Windows implementation of the RDP protocol that allows remote code execution;
    • A vulnerability in WordPress related to uploading PHP code disguised as an image. The problem allows arbitrary code execution on the server with the privileges of a post author (the Author role) on the site;
  • Best Client-Side Bug. An easily exploited vulnerability in the Apple FaceTime group call system that allows the initiator of a group call to force the called party to accept the call (for example, for eavesdropping and peeping).

    Also nominated for the award:

    • A vulnerability in WhatsApp that allows code execution by placing a specially crafted voice call;
    • A vulnerability in the Skia graphics library used in the Chrome browser that can lead to memory corruption due to floating point errors during some geometric transformations;
  • Best Privilege Escalation Bug. The award went to the discovery of a vulnerability in the iOS kernel that can be exploited through ipc_voucher, reachable from the Safari browser.

    Also nominated for the award:

    • A vulnerability in Windows that allows taking full control of the system by manipulating the CreateWindowEx function (win32k.sys). The problem was identified during the analysis of malware that exploited the vulnerability before it was fixed;
    • A vulnerability in runc and LXC, affecting Docker and other container isolation systems, that allows an attacker-controlled isolated container to modify the runc executable and gain root privileges on the host system;
    • A vulnerability in iOS (CFPrefsDaemon) that allows bypassing sandbox restrictions and executing code as root;
    • A vulnerability in the variant of the Linux TCP stack used in Android that allows a local user to elevate their privileges on the device;
    • Vulnerabilities in systemd-journald that allow obtaining root privileges;
    • A vulnerability in the tmpreaper utility for cleaning /tmp that allows placing a file anywhere in the file system;
  • Best Cryptographic Attack. Awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The prize went to the discovery of vulnerabilities in the WPA3 wireless security technology and EAP-pwd that allow recovering the connection password and gaining access to the wireless network without knowing the password.

    Other nominees for the award were:

    • A method of attacking PGP and S/MIME encryption in email clients;
    • Application of a cold boot attack to access the contents of BitLocker-encrypted partitions;
    • A vulnerability in OpenSSL that makes it possible to distinguish receiving invalid padding from receiving an invalid MAC. The problem is caused by incorrect handling of zero bytes in the padding oracle;
    • Problems with identity cards used in Germany in combination with SAML;
    • A problem with the entropy of random numbers in the implementation of U2F token support in ChromeOS;
    • A vulnerability in Monocypher, due to which EdDSA null signatures were accepted as valid.
  • Most Innovative Research. The prize was awarded to the developer of Vectorized Emulation, a technology that uses AVX-512 vector instructions to emulate program execution, achieving a significant increase in fuzzing speed (up to 40-120 billion instructions per second). The technique allows each CPU core to run 8 64-bit or 16 32-bit virtual machines in parallel, each executing instructions for fuzzing the application under test.

    The following were nominated for the award:

    • A vulnerability in the Power Query technology in MS Excel that allows code execution and bypassing of application isolation mechanisms when opening specially crafted spreadsheets;
    • A method of deceiving the autopilot of Tesla cars to provoke a swerve into the oncoming lane;
    • Work on reverse engineering the ASIC of the Siemens S7-1200;
    • SonarSnoop, a technique for tracking finger movements to determine a phone's unlock code, based on the principle of sonar: the smartphone's top and bottom speakers generate inaudible vibrations, and the built-in microphones pick them up to analyze the vibrations reflected from the hand;
    • Development of the NSA's Ghidra reverse engineering toolkit;
    • SAFE, a technique for determining whether the same functions are used in several executable files, based on analysis of the binaries' assembly code;
    • Creation of a method to bypass the Intel Boot Guard mechanism in order to boot modified UEFI firmware without digital signature verification.
  • Lamest Vendor Response. Nomination for the most inappropriate response to a vulnerability report in one's own product. The winners are the developers of the BitFi crypto wallet, who loudly proclaimed the ultra-security of their product, which in fact turned out to be imaginary, harassed the researchers who identified vulnerabilities, and did not pay the promised bounties for finding problems;

    Among the contenders for the award were also:

    • A security researcher accused the director of Atrient of assaulting him in order to force the removal of a vulnerability report, but the director denies the incident and surveillance cameras did not record this attack;
    • Zoom delayed fixing a critical vulnerability in its conferencing system and fixed the problem only after public disclosure. The vulnerability allowed an external attacker to obtain data from the webcams of macOS users when they opened a specially crafted page in the browser (Zoom ran an HTTP server on the client side that accepted commands from a local application);
    • Failure for over 10 years to fix a problem with OpenPGP cryptographic key servers, with the argument that the code is written in the niche OCaml language and has no maintainer.

  • Most Hyped Vulnerability Announcement. Awarded for the most pompous and large-scale coverage of a problem on the Internet and in the media, especially if the vulnerability turns out to be unexploitable in practice. The award went to Bloomberg for its claim about the detection of spy chips on Super Micro boards, which was not confirmed, and whose source reported completely different information.

    Also mentioned in the nomination:

    • A vulnerability in libssh that affected only isolated server applications (libssh is almost never used for servers), but was presented by the NCC Group as a vulnerability that could be used to attack any OpenSSH server;
    • An attack using DICOM images. The gist is that one can prepare a Windows executable that looks like a valid DICOM image. This file can be uploaded to a medical device and executed;
    • The Thrangrycat vulnerability, which allows bypassing the secure boot mechanism on Cisco devices. The vulnerability is classified as an overblown problem because it requires root access to exploit, but if an attacker has already gained root access, what kind of security can we still talk about? At the same time, the vulnerability won in the category of most underrated problems, as it allows implanting a persistent backdoor in flash;
  • Most Epic FAIL. The award went to Bloomberg for a number of sensational articles with high-profile headlines but invented facts, withheld sources, a slide into conspiracy theories, the use of terms such as "cyber weapons", and unacceptable generalizations. Other nominees include:
    • The ShadowHammer attack on the Asus firmware update service;
    • The hacking of the BitFi wallet advertised as "unbreakable";
    • Leaks of Facebook personal data and access tokens.

Source: opennet.ru
