Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

中文In-PersonVulnerability AnalysisCyberwar🍊

Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from HTTP Stack. As Hash Table is everywhere, isn’t the design from Microsoft worth scrutinizing?

We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft’s self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision.

By understanding this talk, the audience won’t be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP request. Moreover, we’ll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!

Orange Tsai

Orange Tsai

Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is also the champion and got the "Master of Pwn" title in Pwn2Own 2021. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, Hack.lu and WooYun! Currently, Orange is a 0day researcher focusing on web/application security. His research got not only the Pwnie Awards winner for "Best Server-Side Bug" of 2019/2021 but also 1st place in "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about the RCE bugs and uncovered RCEs in numerous vendors such as Microsoft, Apple, Facebook, Twitter, Uber, GitHub, Amazon, etc. You can find him on Twitter @orange_8361 and blog http://blog.orange.tw/

English interpretations will be provided for all sessions not presented in English.

Agenda Table

Use event local timezone
TimeZone

00:30

  • Attendant Registration Time

01:20

  • Welcome Speech & Event Introduce

02:10

03:00

  • Break

03:15

04:05

  • Lunch

05:00

05:45

  • Break

06:00

06:45

  • Tea Time

07:00

07:25

08:10

  • Break

08:25

09:10

  • Closing

09:25