No announcement yet.

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

  • Filter
  • Time
  • Show
Clear All
new posts

  • Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

    Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

    Orange Tsai, Principal Security Researcher of DEVCORE

    Presentation Title: Let's Meet in the Cache - Destabilizing the Hash Table on Microsoft IIS
    Length of presentation: 45 minutes
    Demo, Tool, Exploit

    Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from HTTP Stack. As Hash Table is everywhere, isn't the design from Microsoft worth scrutinizing?

    We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision.

    By understanding this talk, the audience won't be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP request. Moreover, we'll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!

    Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is also the champion and got the "Master of Pwn" title in Pwn2Own 2021. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, and WooYun!

    Currently, Orange is a 0day researcher focusing on web/application security. His research got not only the Pwnie Awards winner for "Best Server-Side Bug" of 2019/2021 but also 1st place in "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about the RCE bugs and uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, etc. You can find him on Twitter @orange_8361 and blog

    #### REFERENCES:

    * 28C3 - Efficient Denial of Service Attacks on Web Application Platforms by Alexander "alech" Klink and Julian "zeri" Wälde
    * 29C3 - Hash-flooding DoS reloaded: attacks and defenses by Jean-Philippe Aumasson and Daniel J. Bernstein
    * Black Hat USA 2018- Practical Web Cache Poisoning: Redefining 'Unexploitable' by James Kettle
    * Black Hat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning by James Kettle

    Last edited by number6; June 8, 2022, 18:20.