Diving into Windows Remote Access Service for Pre-Auth Bugs

Explore the Windows Remote Access Service (RAS) for pre-auth bugs, including L2TP vulnerabilities and bugs in SSTP, PPTP, and IKE protocols, and learn how to find and exploit these issues using fuzzing and manual auditing techniques.

Key takeaways
  • The talk focuses on diving into Windows Remote Access Service (RAS) for pre-auth bugs.
  • Windows RAS protocol is L2TP and lack of multi-thread protection on a global timer array leads to bugs.
  • The speaker researchers multiple targets, including SSTP, PPTP, and IKE protocols.
  • Common bugs found include NDIS handle UAF, integer overflow, and resource leak.
  • The speaker introduces a simple fuzzer and explains how it can be used to find bugs in RAS protocols.
  • The fuzzer is able to find multiple crashes, including UAF and RCE bugs.
  • The speaker suggests developing a mutation-based fuzzer and using both fuzzing and manual auditing.
  • The talk highlights the importance of researching Windows RAS protocols, including SSTP, PPTP, and IKE.
  • The speaker talks about the importance of code quality and keeping an eye out for RACE conditions.
  • The talk also mentions the WIP bounty program and its attack scenario awards.

More talks

Production Go Service Essentials - Elliot Williams

Immoral Fiber: Unlocking & Discovering New Offensive Capabilities of Fibers

Linkers, Loaders and Shared Libraries in Windows, Linux, and C++ - Ofek Shilon - CppCon 2023

Blazor Hybrid - Build Hybrid Mobile, Desktop, and Web apps with .NET MAUI - Gerald Versluis

Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation

Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces

CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM

Is .NET any good for Audio? - Mark Heath - NDC London 2024