Diving into Windows Remote Access Service for Pre-Auth Bugs

Explore the Windows Remote Access Service (RAS) for pre-authentication bugs, including vulnerabilities in its L2TP, SSTP, PPTP, and IKE protocol implementations, and learn how to find and exploit these issues using fuzzing and manual auditing techniques.

Key takeaways
  • The talk focuses on diving into Windows Remote Access Service (RAS) for pre-auth bugs.
  • L2TP is one of the protocols Windows RAS implements; its implementation keeps a global timer array without multi-thread protection, which leads to race-condition bugs.
  • The speaker researches multiple targets, including the SSTP, PPTP, and IKE protocols.
  • Common bugs found include an NDIS handle use-after-free (UAF), integer overflows, and resource leaks.
  • The speaker introduces a simple fuzzer and explains how it can be used to find bugs in RAS protocols.
  • The fuzzer found multiple crashes, including use-after-free bugs and bugs leading to remote code execution (RCE).
  • The speaker suggests developing a mutation-based fuzzer and using both fuzzing and manual auditing.
  • The talk highlights the importance of researching Windows RAS protocols, including SSTP, PPTP, and IKE.
  • The speaker stresses the importance of code quality and of keeping an eye out for race conditions.
  • The talk also mentions the Windows Insider Preview (WIP) bounty program and its attack scenario awards.
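The "global timer array without multi-thread protection" takeaway is the kind of bug a reader benefits from seeing in code. The following is an added illustration written for this page, not code from the talk and not Windows RAS code: the timer table layout, the `session`/`timer_slot` types, the refcount-based fix and the `released` flag (which stands in for `free()` so the program can be run safely) are all assumptions of the example. The expiry path is split into a snapshot step and a call step so the losing interleaving can be replayed deterministically without spawning threads.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TIMERS 8

/* Per-connection context whose lifetime the timer path must respect (hypothetical).
 * 'released' stands in for free(): the real bug reads freed memory, which this
 * example deliberately avoids so it can be executed. */
struct session { int refs; int released; int callback_saw_released; };

typedef void (*timer_cb)(struct session *);
struct timer_slot { int in_use; timer_cb cb; struct session *ctx; };

/* What the expiry thread carries from "snapshot the slot" to "make the call". */
struct pending_fire { timer_cb cb; struct session *ctx; };

/* One global timer table shared by every session (hypothetical layout). */
static struct timer_slot g_timers[MAX_TIMERS];
static atomic_flag g_timers_lock = ATOMIC_FLAG_INIT;

static void timers_lock(void) {
    while (atomic_flag_test_and_set_explicit(&g_timers_lock, memory_order_acquire)) ;
}
static void timers_unlock(void) {
    atomic_flag_clear_explicit(&g_timers_lock, memory_order_release);
}

struct session *session_new(void) {
    struct session *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refs = 1;
    return s;
}
void session_get(struct session *s) { s->refs++; }
/* Dropping the last reference releases the session. */
void session_put(struct session *s) { if (--s->refs == 0) s->released = 1; }

static void on_expire(struct session *s) {
    if (s->released) s->callback_saw_released = 1;   /* would be a UAF in real code */
}

int timer_arm(timer_cb cb, struct session *ctx) {
    timers_lock();
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!g_timers[i].in_use) {
            g_timers[i].in_use = 1; g_timers[i].cb = cb; g_timers[i].ctx = ctx;
            timers_unlock();
            return i;
        }
    }
    timers_unlock();
    return -1;
}

void timer_cancel(int i) {
    timers_lock();
    memset(&g_timers[i], 0, sizeof g_timers[i]);
    timers_unlock();
}

/* Vulnerable expiry path: copies cb/ctx out of the slot with no lock and no
 * reference, so a cancel plus session teardown can land before the call. */
struct pending_fire fire_begin_unsafe(int i) {
    struct pending_fire p = { g_timers[i].cb, g_timers[i].ctx };
    return p;
}
void fire_end_unsafe(struct pending_fire p) { if (p.cb) p.cb(p.ctx); }

/* Hardened expiry path: snapshot under the lock and pin the session with a
 * reference, so a concurrent cancel+put cannot release it before the call. */
struct pending_fire fire_begin_safe(int i) {
    struct pending_fire p = { 0, 0 };
    timers_lock();
    if (g_timers[i].in_use) { p.cb = g_timers[i].cb; p.ctx = g_timers[i].ctx; session_get(p.ctx); }
    timers_unlock();
    return p;
}
void fire_end_safe(struct pending_fire p) {
    if (p.cb) { p.cb(p.ctx); session_put(p.ctx); }
}

/* Replays the losing interleaving deterministically: the expiry thread snapshots
 * the slot, the owner cancels the timer and drops its reference, then the expiry
 * thread makes the call. Returns 1 if the callback ran on a released session. */
int replay_race(int hardened) {
    struct session *s = session_new();
    int t = timer_arm(on_expire, s);
    struct pending_fire p = hardened ? fire_begin_safe(t) : fire_begin_unsafe(t);
    timer_cancel(t);      /* owner tears the timer down ... */
    session_put(s);       /* ... and drops its reference */
    if (hardened) fire_end_safe(p); else fire_end_unsafe(p);
    int uaf = s->callback_saw_released;
    free(s);
    return uaf;
}

int main(void) {
    printf("unsafe path:   callback on released session = %d\n", replay_race(0));
    printf("hardened path: callback on released session = %d\n", replay_race(1));
    return 0;
}
```

The check a reviewer wants to see on code like this is whether every reader of a shared slot either holds the table lock for the whole use or pins the object it found there; locking only the slot update, as `timer_arm` and `timer_cancel` do, is not enough once the expiry path copies the pointer out and drops the lock.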
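The takeaways recommend a simple, mutation-based fuzzer for the RAS protocols. The block below is an added example written for this page, not the speaker's fuzzer: it shows the reproducible core of such a tool, seeded from a hand-assembled L2TPv2 SCCRQ control message (constructed here, not captured from any real peer), with mutations aimed at the 16-bit length fields that L2TP headers and AVPs carry. The PRNG, the mutation set and the `(seed, iter)` replay scheme are design choices of this example; delivering each case over UDP/1701 and watching the target for a bugcheck is left to the reader.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG 512

/* Constructed seed: an L2TPv2 control message carrying one Message Type AVP
 * (SCCRQ). Hand-assembled for this example, not captured from a real peer. */
static const uint8_t seed_msg[] = {
    0xC8, 0x02, 0x00, 0x14,   /* T, L, S bits set, version 2, length 20 */
    0x00, 0x00, 0x00, 0x00,   /* tunnel ID, session ID */
    0x00, 0x00, 0x00, 0x00,   /* Ns, Nr */
    0x80, 0x08, 0x00, 0x00,   /* AVP: M bit, length 8, vendor ID 0 */
    0x00, 0x00, 0x00, 0x01,   /* attribute 0 (Message Type) = 1 (SCCRQ) */
};

struct fuzz_state { uint64_t rng; };

/* xorshift64*: tiny and seedable, so every test case is reproducible. */
static uint32_t rnd(struct fuzz_state *f) {
    f->rng ^= f->rng >> 12; f->rng ^= f->rng << 25; f->rng ^= f->rng >> 27;
    return (uint32_t)((f->rng * 0x2545F4914F6CDD1DULL) >> 32);
}

/* Boundary values aimed at 16-bit length fields (message length, AVP length). */
static const uint16_t boundary16[] = { 0, 1, 0x7FFF, 0x8000, 0xFFFF };

/* Apply one random mutation in place; buf has capacity MAX_MSG. Returns the new length. */
size_t mutate_once(struct fuzz_state *f, uint8_t *buf, size_t len) {
    if (len == 0) return 0;
    switch (rnd(f) % 4) {
    case 0: {                                   /* flip a single bit */
        size_t i = rnd(f) % len;
        buf[i] ^= (uint8_t)(1u << (rnd(f) % 8));
        break;
    }
    case 1: {                                   /* overwrite a 16-bit field with a boundary value */
        if (len < 2) break;
        size_t i = rnd(f) % (len - 1);
        uint16_t v = boundary16[rnd(f) % 5];
        buf[i] = (uint8_t)(v >> 8); buf[i + 1] = (uint8_t)v;
        break;
    }
    case 2: {                                   /* append a copied chunk: trailing bytes past the declared length */
        size_t n = 1 + rnd(f) % 16;
        if (n > len) n = len;
        if (len + n > MAX_MSG) break;
        memcpy(buf + len, buf + rnd(f) % (len - n + 1), n);
        len += n;
        break;
    }
    default:                                    /* truncate: declared lengths now exceed what is on the wire */
        len = 1 + rnd(f) % len;
        break;
    }
    return len;
}

/* Build test case number 'iter' from the seed with 1..4 stacked mutations.
 * The same (seed, iter) always yields the same bytes, so a crash can be replayed. */
size_t gen_testcase(uint64_t seed, unsigned iter, uint8_t *out) {
    struct fuzz_state f = { seed ^ ((uint64_t)iter + 1) * 0x9E3779B97F4A7C15ULL };
    if (f.rng == 0) f.rng = 1;                  /* xorshift must not start at zero */
    memcpy(out, seed_msg, sizeof seed_msg);
    size_t len = sizeof seed_msg;
    unsigned n = 1 + rnd(&f) % 4;
    for (unsigned k = 0; k < n; k++) len = mutate_once(&f, out, len);
    return len;
}

/* Count how many of the first 'iters' test cases differ from the seed message. */
unsigned count_distinct_from_seed(uint64_t seed, unsigned iters) {
    uint8_t buf[MAX_MSG];
    unsigned distinct = 0;
    for (unsigned i = 0; i < iters; i++) {
        size_t len = gen_testcase(seed, i, buf);
        if (len != sizeof seed_msg || memcmp(buf, seed_msg, len) != 0) distinct++;
    }
    return distinct;
}

/* Stand-alone driver: prints a few cases. A real harness would send each one
 * over UDP/1701 to the RAS host and log the (seed, iter) of any that crash it. */
int main(void) {
    uint8_t buf[MAX_MSG];
    for (unsigned i = 0; i < 4; i++) {
        size_t len = gen_testcase(0xC0FFEE, i, buf);
        printf("case %u: %zu bytes:", i, len);
        for (size_t j = 0; j < len && j < 24; j++) printf(" %02x", buf[j]);
        printf("\n");
    }
    return 0;
}
```

Two points carry over from the talk's advice: keep generation deterministic so a crash found overnight can be re-sent from its `(seed, iter)` alone, and pair the fuzzer with manual auditing, since a dumb mutator exercises length-field parsing well but will not reach the lock-ordering or timer-lifetime issues the speaker attributes to code quality.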