深入 Windows HTTP：揭示 Windows HTTP 服务中隐藏的预认证漏洞（预录制）.pdf

1、#BHUSA BlackHatEventsDiving into Windows HTTP:Diving into Windows HTTP:Unveiling Hidden Unveiling Hidden PreauthPreauthVulnerabilities in Windows HTTP Vulnerabilities in Windows HTTP ServicesServicesQibo Shi(k0shl),VictorV,Wei Xiao,Zhiniang Peng#BHUSA BlackHatEventsAbout usQibo Shi(k0shl)|Senior Sec

2、urity Researcher of Cyber Kunlun LabVictorV|Senior Security Researcher of Cyber Kunlun LabWei Xiao|Senior Security Researcher of Cyber Kunlun LabZhiniang Peng|Associate Professor of Huazhong University of Science and Technology#BHUSA BlackHatEventsAgendaI.Background II.Overview of the Windows HTTP S

3、ervice Framework III.Exploring Logic Flaws Leading to Pre-auth DoS IV.Parsing and Handling Stages Leading to Pre-auth RCE V.Conclusion#BHUSA BlackHatEventsB Backgroundackground#BHUSA BlackHatEventsWhy HTTP Services?Most of them are unauthenticated.No user interaction required.No additional configura

4、tion needed.Few researchers have focused on it before.Many Windows Services rely on the Windows HTTP APIs(httpapi.dll).#BHUSA BlackHatEventsOverview of HTTP Services in WindowsHttpCreateServerSessionhttps:/ a new HTTP Server API session.This is the starting point for configuring a server-side HTTP s

5、tack.HttpAddUrl/HttpAddUrlToUrlGrouphttps:/ a URL to listen on.Binds a specific URL to the server session for handling incoming requests(e.g.,http:/+:80/example/).#BHUSA BlackHatEventsHow to find themHttpQueryServiceConfiguration-A Windows API used to query configuration details managed by HTTP.sys.

6、-Can retrieve:Registered URLs SSL certificate bindings IP listeners Request queue names Service SID bindings-Allows inspection of system-wide HTTP configuration from user-mode.#BHUSA BlackHatEventsHow to find them netsh http show servicestate#BHUSA BlackHatEventsOverview of the Windows HTTP Overview