A Journey into Windows Security Support Provider Interface

Yuki Chen (@guhe120) | Day 1, 5:35pm - 6:20pm

Abstract

Authentication plays an important role in system security. On Windows systems, the Security Support Provider Interface (SSPI) provides a universal, industry-standard interface for secure distributed applications. Thanks to SSPI, performing authentication on a Windows system is, most of the time, as simple as calling InitializeSecurityContext/AcceptSecurityContext. But beyond simply calling these APIs, have you ever wondered what is happening under the hood, and do you really understand them and use them correctly?

In this presentation, we will answer the above question by looking into the low-level architecture and implementation of Windows SSPI. We will also share some bugs we discovered in different Windows security providers such as wdigest/SSL/NTLM/Negotiate, which can affect various products like LDAP/IIS Server and lead to different attack scenarios including pre/post-auth RCE and domain/local EoP.

The Speaker(s)

Yuki Chen (@guhe120)

Yuki Chen (@guhe120) is an independent security researcher. His current research areas include vulnerability hunting/exploiting/detecting. He has more than 15 years of experience in both offensive and defensive security and has published much research in the industry. Yuki has found hundreds of bugs in the past years and has been ranked #1 on the MSRC most valuable security researcher list in 2019/2021/2022/2023/2024. He is also a winner of multiple targets at Pwn2Own 2015/2016/2017 and Tianfu Cup 2018/2019. He has been awarded 2 Pwnie Awards, for best RCE and epic achievement.