Re: Things that slipped the pwnie net.

[Alexander Sotirov <alex () sotirov net>]

On Sat, Jul 24, 2010 at 02:58:40PM -0400, dave wrote:
> So my favourite bugs of the year that I didn't have time to write up for Pwnies:
>
> NGINX
> Finder: Chris Ries (http://www.kb.cert.org/vuls/id/180065)
> Exploit: Someone who probably doesn't want their name here.
> Reason:  I've not seen hash collisions used in many exploits, but in this one it was
> necessary to evade Execshield. In any case, REMOTE ANONYMOUS WEB SERVER bugs are
> always first on my list for "awesomeness". This year was no exception.

NGINX got a pwnie nomination by proxy, Dr. Raid's song 'Pwned' mentions the
NGINX bug in the intro:

  Dude, I saw you in fuckin' ZF0
  they got you and everyone in your fuckin' chan
  What?!?
  (You got 0wned)
  Dude, you got NGINX running on your fuckin' web server
  (That's how you got 0wned)
  Yeah dude, NGINX is good, what?
  They popped your box and took your damn key!
  Those pics of you and your sis, they base64 encoded that shit and dropped
  it in the zine
  They took you, your keys...they took *everything*

http://www.sophsec.com/pwned.mp3

> In "Crypto Bugs":
> The padding oracle attacks are clearly the winner when it comes to "annoying crypto
> things we have to learn about".

The padding oracle paper actually made it in, it's got a nomination in the research
category.

Alex
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave