A Journey into Windows Security Support Provider Interface
Yuki Chen (@guhe120) | TBC
Abstract
Authentication plays an important role in system security. On Windows systems, the Security Support Provider Interface (SSPI) provides a universal, industry-standard interface for secure distributed applications. Thanks to SSPI, most of the time authenticating on a Windows system is as simple as calling InitializeSecurityContext/AcceptSecurityContext. But beyond simply using these APIs, have you ever wondered what is happening under the hood, and do you really understand them and use them correctly?
In this presentation, we will answer the above question by looking into the low-level architecture and implementation of Windows SSPI. We will also share some bugs we discovered in different Windows security providers, such as wdigest/SSL/NTLM/Negotiate, which can affect various products like LDAP/IIS Server and lead to different attack scenarios, including pre/post-auth RCE and domain/local EoP.
The Speaker(s)

Yuki Chen (@guhe120)
TBA