6.1 Introduction
6.2 Windows Update Fundamentals
6.3 Attacking WSUS
6.4 Leveraging Windows Update for Persistence
PT e treme - Caendra Inc. © 2017
Windows updates are an important aspect of security in
every organization. For a Windows Update to be delivered to
an endpoint, the endpoint first has to either check for
new updates online or check with a local WSUS server
for the same purpose.
Even though Windows Update seems a bit boring to
examine, it has some potential for serious compromise. Let’s
see why that is…
Windows Update from a security perspective
1. Windows Update is a highly privileged service. Updates
can be downloaded and installed by non-privileged users.
So, there is potential for privilege escalation.
2. Windows Update downloads and executes code over the
internet. This introduces considerable risk if not done
securely.
3. Third-party code is also distributed through Windows
Update, such as drivers.
4. Any malicious code that manages to be delivered through
Windows Update will look trustworthy.
Windows Update Overview
• Windows Update is a Windows service.
• wuauclt.exe is run periodically to check for updates.
• Registry keys exist that govern various details, such as the
update server’s location, the update frequency, whether
unprivileged users may install updates, etc.
• The actual communication between clients and the Windows Update
server(s) takes place over HTTPS / SOAP XML web service.
• A local database of updates is retained at
C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
• Updates end up in C:\Windows\SoftwareDistribution\Download
• Windows Update keeps logs at C:\Windows\WindowsUpdate.log
Update Types
• Critical Update
• Security Update
• Definition Update
• Update Rollup
• Service Pack
• Tool
• Feature Pack
• Update
• Drivers
There is also WSUS (Windows Software Update Services).
WSUS can be seen as the enterprise variant of Windows
Update.
WSUS Overview
• WSUS is essentially the Windows Update software
responsible for fetching, downloading and installing
Windows updates, but it is installed on and run from an
organization’s own local server.
• The underlying communication fundamentals are the
same as for Windows Update (SOAP XML web service
based).
• Updates are fetched from WSUS, not from a remote MS
server.
• Administrators have full control over what will be installed.
WSUS Security
• SSL is not enabled by default.
• While downloading updates, WSUS checks each update’s
digital signature and hash.
• All updates must be signed by MS.
Identifying WSUS
With access to any computer on a domain, we can identify if
a WSUS server is being used for updates as well as its URL by
querying the registry as follows.
From the result of the query below, we will determine
whether the machine gets its updates from a WSUS server
(value = 1) or not (value = 0).
>> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
The query below will return the WSUS URL.
>> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
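The two queries above, combined into one audit script that also flags the plain-HTTP case described under WSUS Security. This is an added example, not code from the course; it reads the same UseWUServer and WUServer values plus WUStatusServer, and assumes it is run on the endpoint being checked.

```powershell
# Added example (not from the course slides): report where this host gets
# its updates and whether the WSUS channel is unencrypted.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent,
    # which is the normal state on a host that is not managed by WSUS.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$useWsus = Get-RegValue $au 'UseWUServer'
$server  = Get-RegValue $wu 'WUServer'
$status  = Get-RegValue $wu 'WUStatusServer'

if ($useWsus -ne 1) {
    "UseWUServer = $useWsus : updates come from Microsoft, not a local WSUS server"
    return
}

"WSUS server   : $server"
"Status server : $status"

# The slides note that SSL is off by default; an http:// URL here means
# update metadata can be tampered with on the network.
if ($server -match '^http://') {
    "WARNING: WSUS is reached over plain HTTP."
    "Fix: enable SSL on the WSUS server and set WUServer/WUStatusServer to https:// URLs."
} elseif ($server -match '^https://') {
    "OK: WSUS channel uses HTTPS."
} else {
    "Unrecognised WUServer value; verify the policy manually."
}
```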
Attacking WSUS: Unencrypted Communications
In the case of WSUS being deployed without SSL encrypted
communications, we can perform a man-in-the-middle
attack and inject a fake update.
The attack requirements are:
• We can only deliver binaries signed by MS, such as PsExec.
• We must perform ARP spoofing or tamper with the
system’s proxy settings (if possible).
The go-to tool for performing man-in-the-middle attacks
against WSUS and injecting fake updates is WSUSpect Proxy.
For more information on how the attack works, please refer
to the following presentation: WSUSPect – Compromising
the Windows Enterprise via Windows Update.
As mentioned above, there are two attack paths we can
follow to perform a man-in-the-middle attack against WSUS
and inject a fake update, using WSUSpect Proxy.
1. Via straight ARP spoofing.
2. Via tampering with the target’s proxy settings (WPAD Injection).
1. Injecting a fake update via straight ARP spoofing
To perform a man-in-the-middle attack against WSUS and
inject a fake update via straight ARP spoofing, we can use the
wsuxploit tool as follows:
>> ./wsuxploit.sh TARGET_IP WSUS_IP WSUS_PORT /path/signed_by_MS_binary.exe
Wsuxploit relies on the arpspoof tool for executing the ARP
spoofing attack.
Note: If you are unable to perform ARP spoofing due to an
arpspoof issue, you can use bettercap, while you have the
wsuxploit.sh script running.
2. Injecting a fake update via WPAD injection
To perform a man-in-the-middle attack against WSUS and
inject a fake update via WPAD injection, we first need to
identify if automatic detection of the proxy is performed. We
can get this piece of information by querying the registry as
follows.
If the 5th byte of the result of the query below is even,
automatic detection of the proxy may be set in Internet
Explorer.
>> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
Then, we can use a poisoner like Responder or Inveigh to
perform a WPAD injection attack. For the attack to be
successful, the injected configuration file must cause all traffic
to go through the WSUSpect proxy.
Serving a Malicious Update Through WSUS
Attacking WSUS: Leveraging WSUS Interconnectivity
An organization’s sensitive information is usually kept in a
separate network that is difficult to reach.
WSUS is:
• A server that will most likely be interconnected to servers
containing sensitive information.
• A server that is usually within our reach and that may
communicate with another WSUS server, if a “Multiple
Internally Synchronized WSUS Servers” network
architecture exists.
This means that in the event of a WSUS server getting
compromised, it could be used to either spread the
compromise or reach networks that were previously
unreachable.
After you have compromised the domain’s WSUS server, you
can compromise a previously unreachable network by
injecting a fake update directly to the WSUS database.
WSUSpendu is a tool that achieves just that.
Even if the previously unreachable network has its own
WSUS server, the WSUS database will eventually be synced
between all the domain’s WSUS servers.
Stealthily Spreading the Compromise Through WSUS
It was recently brought to light by Hexacorn that Windows
Update can also be misused for persistence.
Using Windows Update for Persistence
Windows Update uses the following autostart key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
Let’s see the following example entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\malware.dll
"RegistrationFlags"=dword:00000001
"CacheFile"="C:\\test\\malware.dll"
"TargetFile"="C:\\WINDOWS\\system32\\malware.dll"
This entry will cause C:\test\malware.dll to be loaded and
copied to C:\WINDOWS\system32\malware.dll.
NOTE: The persistence technique above is tested and works
on Windows 7 but may not work on Windows 8 or 10. (A
different triggering method may be required).
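A defender-side check for the ServiceStartup persistence above. This is an added example, not code from the course or from Hexacorn; it enumerates the key’s subkeys and flags entries whose CacheFile sits outside the SoftwareDistribution tree (an assumed heuristic for where legitimate self-update files are staged), is missing on disk, or whose TargetFile lands in system32, and hashes any cached file it finds.

```powershell
# Added example (not from the course slides): hunt the Windows Update
# ServiceStartup autostart key for suspicious CacheFile/TargetFile entries.
$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup'
$windir = $env:SystemRoot

if (-not (Test-Path $base)) { "ServiceStartup key not present on this host"; return }

Get-ChildItem -Path $base | ForEach-Object {
    $p      = Get-ItemProperty -Path $_.PSPath
    $cache  = $p.CacheFile
    $target = $p.TargetFile
    $reasons = @()

    # Assumption: legitimate entries stage their files from
    # %SystemRoot%\SoftwareDistribution; anything cached from elsewhere
    # (such as C:\test in the slide's example) deserves a look.
    if ($cache -and $cache -notlike "$windir\SoftwareDistribution\*") {
        $reasons += 'CacheFile outside SoftwareDistribution'
    }
    if ($cache -and -not (Test-Path -LiteralPath $cache)) {
        $reasons += 'CacheFile missing on disk'
    }
    if ($target -like "$windir\system32\*") {
        $reasons += 'TargetFile lands in system32'
    }

    # Hash the staged file so it can be checked against known-good data.
    $hash = if ($cache -and (Test-Path -LiteralPath $cache)) {
        (Get-FileHash -LiteralPath $cache -Algorithm SHA256).Hash
    } else { 'n/a' }

    [pscustomobject]@{
        Entry      = $_.PSChildName
        Flags      = $p.RegistrationFlags
        CacheFile  = $cache
        TargetFile = $target
        SHA256     = $hash
        Suspicious = ($reasons -join '; ')
    }
} | Format-Table -AutoSize
```

Every entry is listed, not only the flagged ones, so the output doubles as a baseline to compare against on later runs.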
References
• WSUSPect – Compromising the Windows Enterprise via Windows Update
• WSUSpect Proxy
• wsuxploit
• bettercap
• Responder
• Inveigh
• WSUSpendu
• Hexacorn