Diving into Windows HTTP: Unveiling Hidden Preauth Vulnerabilities in Windows HTTP Services (PRE-RECORDED)
The Windows operating system heavily relies on HTTP services. Numerous Windows HTTP services such as IIS, ADFS, ADCS, Hyper-V, Kerberos, WSUS, Windows Storage, SSDP, UPnP, WinRM, RDP, BranchCache and MSMQ are widely deployed and play a crucial role in supporting various core functions within the Windows ecosystem. Although the security of Windows HTTP services is of utmost importance, almost no related security research has been made public in the past. Given this gap, we decided to dive into the security of Windows HTTP services and discovered many new things!
After conducting an in-depth analysis of the internal mechanisms of Windows HTTP components, we discovered many novel vulnerability patterns in Windows HTTP services over the past year. These include not only classic memory corruption bugs but also a large number of logic bugs caused by developers' incorrect usage of Windows HTTP APIs. Our research has identified more than 100 critical pre-auth vulnerabilities in almost all key services, including IIS, ADFS, ADCS, Hyper-V, Kerberos, WSUS, Windows Storage, SSDP, UPnP, WinRM, RDP, BranchCache and MSMQ. These vulnerabilities cover a wide range of issues, including pre-auth remote code execution (RCE), information leakage, and denial-of-service (DoS). Importantly, exploiting these vulnerabilities requires no credentials, no additional configurations, and no user interaction (0-click), which means that any Windows system running these services is at risk.
In this presentation, we will discuss the different architectures of Windows HTTP services and share multiple previously undisclosed vulnerability cases and attacks. We will also summarize these new vulnerability patterns and provide a comprehensive interpretation of the security threats within the realm of Windows HTTP services.
By:
Qibo Shi | Senior Security Researcher, Cyber Kunlun Lab
Victor V | Senior Security Researcher, Cyber Kunlun Lab
Wei Xiao | Senior Security Researcher, Cyber Kunlun Lab
Zhiniang Peng | Associate Professor, Huazhong University of Science and Technology
Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#diving-into-windows-http-unveiling-hidden-preauth-vulnerabilities-in-windows-http-services-pre-recorded-44873