Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS - Orange Tsai

Conference announcements

  • Everyone is welcome to contribute to the collaborative notes! Log in to hackmd to edit.

Welcome to the HITCON PEACE 2022 collaborative notes
Notes index: https://hackmd.io/@HITCON/2022-note

Start here

Intro

A hash table is used to hold data.

What is a Hash-Flooding Attack?

  • Feed the table keys that all land in the same bucket, so the collision chain keeps growing and every insert or lookup has to walk it
  • n inserts then cost O(n^2) instead of O(n)

MS's two hash tables

  • Tree hash table
    • The most standard code you have seen in your textbook
      • Linked list for collision resolution
      • Rehash if
      • DJB hash with LCGs
  • LKRHash table
    • Invented in 1997
    • Callers customize the table-related functions (key hash, key equality)
    • A scalable hash table for high-concurrency machines

Our research

Hash table implementation bugs

  • Memory corruption bugs
  • Logic bugs
    • E.g. CVE-2006-3017 (PHP): unset() removes the wrong element
  • Algorithmic complexity attacks such as hash-flooding

Hash table usage

  • Users of the table have to configure their own table-related functions during initialization
  • http.sys handles the connection and hands the request to the IIS worker process
  • The worker loads the native IIS modules; there are 4 main cache provider modules

Request-level notify events

Global-level notify events

  • CacheCleanup
  • CacheOperation

Global-level cache

Vuln

CVE-2022-22025

  • Expected O(n), but the measured curve is not linear: it jitters because rehashing happens along the way

  • Cache-key calculation
  • Hash function
    • DJBX; collisions are easy to generate with the equivalent-substrings technique (28c3)
      • Different inputs yield the same hash value
  • Cache scavenger (scans every 30 seconds)
  • IIS records every sub-domain (Host header) as a new cache entry
  • Use zero-hash values so the cache entries for all sub-domains collide in the same bucket
  • About 30 requests/sec are enough to make IIS stop responding
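The hash-flooding idea from the intro and the collision technique in the list above, as an added example that is not part of the notes, the talk or IIS: a textbook chained table with doubling rehash (so the rehash jitter is in play too) is fed with keys built by the equivalent-substrings method. Two equal-length strings with the same DJB33 hash can be swapped for each other anywhere inside a key without changing the key's hash, so k such slots give 2**k colliding keys that stay in one chain however often the table resizes. The DJB33 variant with seed 5381, the `host-` prefix and the bucket counts are assumptions.

```python
from itertools import product
import string

MASK32 = 0xFFFFFFFF


def djb33(data: bytes, init: int = 5381) -> int:
    """DJB33-style hash: h = h * 33 + byte, wrapping at 32 bits.
    Seed and multiplier are assumptions; the notes only say 'DJBX'."""
    h = init
    for b in data:
        h = (h * 33 + b) & MASK32
    return h


def equivalent_pair(length: int = 2, alphabet: str = string.ascii_letters + string.digits):
    """Two distinct strings of equal length with the same DJB33 hash.
    hash(prefix + s) == hash(prefix) * 33**len(s) + f(s), and f depends only on s,
    so equal-length strings with equal hash are interchangeable inside any key."""
    seen = {}
    for chars in product(alphabet, repeat=length):
        s = "".join(chars)
        h = djb33(s.encode())
        if h in seen:
            return seen[h], s
        seen[h] = s
    raise RuntimeError("no equal-length collision in this alphabet")


def colliding_keys(slots: int, prefix: str = "") -> list:
    """2**slots distinct keys that all hash to the same DJB33 value."""
    a, b = equivalent_pair()
    return [prefix + "".join(choice) for choice in product((a, b), repeat=slots)]


class ChainedTable:
    """Textbook chained hash table: bucket array, list per bucket, doubling
    rehash once the load factor passes 1. Counts key comparisons so the
    cost of a flood is visible."""

    def __init__(self, nbuckets: int = 8):
        self.buckets = [[] for _ in range(nbuckets)]
        self.size = 0
        self.comparisons = 0
        self.rehashes = 0

    def _index(self, key: str, nbuckets: int) -> int:
        return djb33(key.encode()) % nbuckets

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self._index(key, len(self.buckets))]
        for entry in chain:                      # a miss walks the whole chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.size += 1
        if self.size > len(self.buckets):
            self._rehash()

    def _rehash(self) -> None:
        # Colliding keys share one hash, so they land in one bucket again after every resize.
        self.rehashes += 1
        nbuckets = len(self.buckets) * 2
        new = [[] for _ in range(nbuckets)]
        for chain in self.buckets:
            for entry in chain:
                new[self._index(entry[0], nbuckets)].append(entry)
        self.buckets = new

    def max_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def flood(keys) -> ChainedTable:
    """Insert every key and return the table (inspect .comparisons / .max_chain())."""
    table = ChainedTable()
    for key in keys:
        table.insert(key, None)
    return table


if __name__ == "__main__":
    n = 1 << 10
    hostile = flood(colliding_keys(10, prefix="host-"))   # constructed colliding keys
    benign = flood([f"host-{i}" for i in range(n)])       # constructed ordinary keys
    print("colliding:", hostile.comparisons, "comparisons, longest chain", hostile.max_chain())
    print("benign:   ", benign.comparisons, "comparisons, longest chain", benign.max_chain())
```

With 1024 colliding keys the table performs 1024 * 1023 / 2 key comparisons and ends with a single chain of 1024 entries, while the same number of ordinary keys costs a few hundred comparisons; the collision pair is found by searching two-character strings, which works against any seed and multiplier of this hash family because the relation 33 * c1 + c2 never wraps.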

CVE-2022-22040 - IIS Cache Poisoning Attack

  • IIS-level caching for:
    • Static responses
    • Dynamic responses
  • HTTPCacheModule
    • Uses LKRHash

HTTP Cache Module

  • Output cache is configured in the IIS config
  • Cache poisoning occurs when
    • The cache is configured to vary by the query string
  • Case

CVE-2022-30209 - IIS Authentication Bypass

  • By default IIS caches the Windows security tokens for password-based authentications such as Basic auth or client certificates
  • pfnCalcKeyHash (key-hash callback)
  • pfnEqualKeys (key-equality callback)
  • You can reuse another logged-in user's token with a random password
    • 1/2^32 chance per attempt
    • Unlimited attempts during the 15-minute cache lifetime
  • Winning the lottery
    • Increase the odds of a collision
      • LKRHash uses LCGs to scramble the hash result
    • Exploit without user interaction
      • IIS "Connect As" feature
      • Auto-logon
    • Defeat the 15-minute window
      • Use a background process / cron job that keeps checking the system
        • Microsoft Exchange
          • Active Monitoring (service tokens are always cached)
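The token-reuse bug described above, as an added toy model that is not the IIS or LKRHash code: a cache that takes the caller's key-hash and key-equality callbacks, a vulnerable equality callback that trusts the key hash alone, and the attacker loop of random passwords against the cache. The key layout (user, password), the DJB33 hash and the callback names are assumptions; the hash width is shrunk from 32 to 16 bits so the demo finishes in seconds, which changes only the expected number of attempts (2**16 instead of 2**32).

```python
import secrets

MASK32 = 0xFFFFFFFF
DEMO_HASH_BITS = 16                 # assumption: shrunk from 32 so the demo finishes in seconds
DEMO_MASK = (1 << DEMO_HASH_BITS) - 1


def djb33(data: bytes, init: int = 5381) -> int:
    """DJB33-style hash (assumed; the notes name the family, not the exact variant)."""
    h = init
    for b in data:
        h = (h * 33 + b) & MASK32
    return h


def calc_key_hash(key) -> int:
    """pfnCalcKeyHash stand-in: hash of (user, password). Key layout is an assumption."""
    user, password = key
    return djb33(user.encode() + b"\x00" + password.encode()) & DEMO_MASK


def equal_keys_by_hash(cached_key, probe_key) -> bool:
    """Vulnerable pfnEqualKeys stand-in: 'equal' is decided by the key hash alone."""
    return calc_key_hash(cached_key) == calc_key_hash(probe_key)


def equal_keys_exact(cached_key, probe_key) -> bool:
    """Hardened stand-in: the hash only selects the bucket, the key decides equality."""
    return cached_key == probe_key


class TokenCache:
    """LKRHash-style table: the caller supplies the hash and equality callbacks."""

    def __init__(self, calc_hash, equal, nbuckets: int = 256):
        self.calc_hash, self.equal = calc_hash, equal
        self.buckets = [[] for _ in range(nbuckets)]

    def insert(self, key, token) -> None:
        h = self.calc_hash(key)
        self.buckets[h % len(self.buckets)].append((h, key, token))

    def lookup(self, key):
        h = self.calc_hash(key)
        for cached_hash, cached_key, token in self.buckets[h % len(self.buckets)]:
            if cached_hash == h and self.equal(cached_key, key):
                return token
        return None


def guess_until_hit(cache: TokenCache, user: str, limit: int):
    """The attacker's side: random passwords against the cache until a token comes
    back. Each try succeeds with probability about 2**-DEMO_HASH_BITS (2**-32 at
    full width); the only bound is the cached entry's lifetime, 15 minutes per
    the notes. Returns (password, attempts, token) or None."""
    for attempt in range(1, limit + 1):
        password = secrets.token_hex(8)
        token = cache.lookup((user, password))
        if token is not None:
            return password, attempt, token
    return None


VICTIM_KEY = ("alice", "correct horse battery staple")   # constructed sample login
VICTIM_TOKEN = "TOKEN-alice"


def build_cache(equal) -> TokenCache:
    """Cache holding one entry for the victim, as if alice had just authenticated."""
    cache = TokenCache(calc_key_hash, equal)
    cache.insert(VICTIM_KEY, VICTIM_TOKEN)
    return cache


if __name__ == "__main__":
    vuln = build_cache(equal_keys_by_hash)
    hit = guess_until_hit(vuln, "alice", 40 << DEMO_HASH_BITS)
    print("vulnerable cache:", hit)
    safe = build_cache(equal_keys_exact)
    print("hardened cache, same password:", safe.lookup(("alice", hit[0])))
```

The attacker never computes a hash: it only sends (user, random password) and watches for a token, exactly the online model the notes describe, so the number of attempts is a geometric draw with mean 2**16 here and 2**32 at full width. The hardened cache still uses the hash to pick the bucket but returns nothing for the colliding password, because equality is decided on the full key.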

Recommendation

  • Use a pseudo-random hash
  • Watch for inconsistency between the key-hash and key-equality callbacks
tags: HITCON2022,HITCON