LAS VEGAS – Windows Server Update Services (WSUS) is your friend, if you run an enterprise IT shop, because it facilitates the download and distribution of security patches, service pack installations and hardware driver updates among others.

Two researchers this week at the Black Hat conference, however, point out that WSUS can be a significant weakness that can lead to the complete compromise of any server or desktop in an organization hooked up to the automated update service.

Paul Stone and Alex Chapman of Context Information Security in the U.K. took a long look at the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL. While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could with some work tamper with the unencrypted communication and inject a malicious homegrown update.

While turning on SSL during the initial WSUS configuration mitigates the situation, there are organizations that may skip this crucial—and last step—of the WSUS setup. An attacker who manages to get a malicious update into an organization via WSUS, could do anything from remove, downgrade or stop patches from being installed to getting full control over servers and desktops.

“It’s the worst-case scenario and it’s fairly bad,” Stone said. “And it’s not a vulnerability, it’s not something for Microsoft to fix.”

Stone and Chapman said they’ve had a dialogue with Microsoft about their research, which Microsoft acknowledged and said that it recommends enterprise admins turn on SSL. Doing so requires provisioning a SSL cert for machines doing the update, a process that cannot be automated.

“It’s not difficult and it’s something that most admins would know how to do,” Stone said. “Microsoft cannot do it by default. They could prevent it from working until a cert is put in, I suppose.”

Stone and Chapman said they decided to tackle drivers because most are written by third parties for Windows servers and clients, and made for an easier target because, despite the fact that updates are signed and verified by Microsoft, XML metadata can be updated so that it points to, downloads and executes a malicious update.

From Stone and Chapman’s paper:

Windows Update will verify that each update is signed by Microsoft. However, there is no specific ‘Windows Update’ signing certificate–any file that is signed by a Microsoft CA will be accepted. By injecting an update that uses the CommandLineInstallation update handler, an attacker can cause a client to run any Microsoft-signed executable, even one that was not intended to be used in Windows Update. Even better, the executable can be run with arbitrary arguments. Therefore we need to find a suitable executable that will allow arbitrary commands to be executed.

They turned to the Windows Sysinternals tool, specifically the remote command utility called PsExec which is signed by Microsoft.

“Essentially, we made a program which man-in-the-middles the WSUS traffic, and then created a fake update and the told machine to download PsExec and run it with whatever arguments to do something malicious,” Chapman said. “That’s the attack. The really fun thing is that all updates are installed as system whether you’re a low privileged user or an admin. So this is quite powerful.”

The only prerequisite for the attack is to already be on the network. From there, even an unauthenticated attacker can run the attack for any machine running WSUS without SSL to run arbitrary commands, Chapman said.

“The hard thing was just finding the signed Microsoft executables we could put down and run to do useful things,” Chapman said.

Categories: Black Hat, Vulnerabilities, Web Security

Comments (3)

    • Matt S.
      2

      Isn’t that like saying that your firewall should stop all threats from the outside? I’d think it would still be a good step of prevention, even if redundant.

  1. Dean Colpitts
    3

    I’m very surprised that there isn’t a link in this article to documentation to enable SSL (or check that it is enabled) should an organization skip that step…

Comments are closed.