1、#BHAS BlackHatEventsOne Bug to Rule Them All:Stably Exploiting a Preauth RCE Vulnerability on Windows Server 2025Speakers:Dr.Zhiniang Peng HUST&Cyber-KunlunZishan LinVer#BHAS BlackHatEventsWhoAmIZhiniang Peng edwardzpengAssociate Professor HUSTPart-time Researcher Cyber-KunlunPhD in Cryptography,Pub
2、lished many research in both Industry&AcademiaMore about me:https:/ University of Science and TechnologyCyber-Kunlun:World-Leading Security Research Lab in China#BHAS BlackHatEventsWhoAmIZishan Lin Security ResearcherFocus on Windows Security for years#BHAS BlackHatEventsWhoAmIVer Ver0759Security Re
3、searcherFocus on Windows/IOT/BlockChain Security for three yearsMSRC MVR#BHAS BlackHatEventsAgendaIntroductionRemote Desktop License RPC Service InternalsCVE-2024-38077Exploitation OverviewPlaying with the LFHSummary#BHAS BlackHatEventsIntroduction#BHAS BlackHatEventsPreauth bugs&exploitations The h
4、istory of Windows Preauth RCE Memory Corruption ExploitationCVE-2014-6321 WinShockCVE-2017-0144 Eternal BlueCVE-2019-0708 BluekeepCVE-2020-0796 SMBGhost Every year there are numerous preauth memory corruption vulnerabilities in Windows,but only a few ofthese are really have exploitation.Part of memo
5、ry corruption vulnerabilities in 2024#BHAS BlackHatEventsMitigation in Windows Mitigation in modern WindowsControl Flow Guard(CFG)GuardStack(GS)/CanaryArbitrary Code Guard(ACG)Control-Flow Enforcement Technology(CET)Address Space Layout Randomization(ASLR)CVE-2024-38077 MadlicenseWindows Remote Desk
6、top License Server Preauth RCE One bug to Rule Them All#BHAS BlackHatEventsRemote Desktop Service Remote Desktop Service is a core service on WindowsPersonal Remote AccessServer ManagementRemote Desktop Rental Services Many historical security vulnerabilitiesFrom CVE-2012-0002 to CVE-2024-43599No re